Pynt for Playwright

Integrate Pynt with Playwright to enable automated API security testing alongside your end-to-end browser tests.

What is Playwright?

💡 Playwright is a powerful framework for automating modern web applications across Chromium, Firefox, and WebKit. It is widely used for E2E testing, providing rich features like headless mode, multiple browser support, and network interception. Playwright is ideal for simulating real-world user behavior in CI environments.

Pynt’s Integration with Playwright

As part of its dynamic API security suite, Pynt integrates with Playwright by observing the traffic generated during test execution. By running Playwright tests behind Pynt’s proxy, the APIs invoked during test flows are captured and analyzed for vulnerabilities.


Pynt works by intercepting HTTP(S) traffic. It launches your test script with a local proxy and then analyzes the captured API interactions.


Configuring Proxy in Playwright

When RUNNING_FROM_PYNT=true (set automatically by the Pynt CLI; you need to export it yourself when using the Pynt Binary), configure the browser to route traffic through Pynt’s proxy with the following configuration:

    launchOptions.proxy = {
      server: 'http://127.0.0.1:6666',
      bypass: '<-loopback>'
    };

Because Pynt’s proxy intercepts HTTPS traffic, also tell the browser to ignore TLS errors:

    const launchOptions = {
      headless: false,
      args: ['--ignore-certificate-errors']
    };

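Here's a JavaScript example with all configurations:

    const { chromium } = require('playwright');

    (async () => {
      // Only route through the proxy when the test is launched by Pynt
      const useProxy = process.env.RUNNING_FROM_PYNT === 'true';

      const launchOptions = {
        headless: false
      };

      if (useProxy) {
        launchOptions.proxy = {
          server: 'http://127.0.0.1:6666',
          bypass: '<-loopback>'
        };
        // Accept the certificates presented by Pynt's intercepting proxy
        launchOptions.args = ['--ignore-certificate-errors'];
      }

      const browser = await chromium.launch(launchOptions);
      const context = await browser.newContext();
      const page = await context.newPage();

      // Actual playwright test here ...

      await context.close();
      await browser.close();
    })();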
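A stricter variant of the configuration above, as an added example (not Pynt's or Playwright's own code): the hypothetical helper pyntLaunchOptions turns on the proxy and the certificate-error flag only when RUNNING_FROM_PYNT is 'true' and the proxy address is loopback, so certificate validation stays on in ordinary test runs. The helper names and the sample base options are assumptions; the proxy address and bypass value are the ones given on this page.

```javascript
// Added example. pyntLaunchOptions and isLoopback are hypothetical helper names.
const PYNT_PROXY = 'http://127.0.0.1:6666'; // proxy address from this page
const IGNORE_TLS = '--ignore-certificate-errors';

// True only for hosts that never leave the local machine.
function isLoopback(hostname) {
  return hostname === 'localhost' ||
         hostname === '[::1]' ||
         /^127(\.\d{1,3}){3}$/.test(hostname);
}

// Build Playwright launch options from a base config and an environment map.
function pyntLaunchOptions(env, base = {}, proxyServer = PYNT_PROXY) {
  const options = { ...base, args: [...(base.args || [])] };

  if (env.RUNNING_FROM_PYNT !== 'true') {
    // Ordinary run: no proxy, and certificate validation must stay enabled
    // even if the flag was left behind in the shared base config.
    options.args = options.args.filter((arg) => arg !== IGNORE_TLS);
    return options;
  }

  // Disabling certificate checks is only acceptable when all traffic goes
  // to an intercepting proxy on this machine.
  const { hostname } = new URL(proxyServer);
  if (!isLoopback(hostname)) {
    throw new Error(`refusing to disable TLS checks for proxy ${proxyServer}`);
  }

  // '<-loopback>' removes Chromium's implicit proxy bypass for localhost, so
  // requests to a local target are still captured by the proxy.
  options.proxy = { server: proxyServer, bypass: '<-loopback>' };
  if (!options.args.includes(IGNORE_TLS)) {
    options.args.push(IGNORE_TLS);
  }
  return options;
}
```

Pass the result of pyntLaunchOptions(process.env, { headless: false }) to chromium.launch() in place of the hand-built launchOptions.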

Example: Running Pynt against DVWA

DVWA (Damn Vulnerable Web Application) is a good demo target for Pynt + Playwright integration.

This example shows how to set up DVWA and run a short Playwright test with Pynt to find the MySQL Injection vulnerability.

  1. Run DVWA locally via Docker:

    docker run -it --rm -p 80:80 vulnerables/web-dvwa

  2. Download DVWA Playwright files:

  3. Setup:

    npm install
    npx playwright install

  4. Run Pynt:

    pynt command --cmd "npm run test" --captured-domains "*localhost*"

The scan should look like this:

Pynt scan in progress

Understanding the Results

Once your test finishes, Pynt will scan all APIs it observed during the Playwright test session. The results will look like this:

Pynt report showing the MySQL Injection

💬 Need Help?

For further assistance, visit the Pynt CLI Troubleshooting Guide or ask the community on Pynt Community Support.
