# Pynt for Selenium

## **What is Selenium?**

{% hint style="info" %}
💡 [**Selenium**](https://www.selenium.dev/) is a widely-used framework for automating web browsers. It allows developers to automate browser interactions, making it ideal for testing web applications. With Selenium, you can simulate user actions and verify UI functionality across different browsers.
{% endhint %}

<figure><img src="https://3462681674-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZKwBF6q0tAGXlIih38HL%2Fuploads%2F5O8y0IoBbqw2xN5gf8rO%2Fimage.png?alt=media&#x26;token=c734a8d6-1891-42ac-b246-85c40f0a0610" alt="" width="188"><figcaption><p>Selenium</p></figcaption></figure>

***

## **Pynt's Integration with Selenium**

As part of its [API security testing](https://docs.pynt.io/documentation/api-security-testing) suite, Pynt integrates with Selenium.\
Combining Selenium for UI testing with Pynt for automated API security testing lets the same functional test that drives the browser also exercise, and record, the APIs behind the UI, which Pynt then tests. Here is a step-by-step guide to integrating Selenium with Pynt to create automated API security tests:

<figure><img src="https://3462681674-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZKwBF6q0tAGXlIih38HL%2Fuploads%2FEQEFuIuFdwjUkWY92hrM%2Fpynt_selenium.gif?alt=media&#x26;token=0b41083e-a3f1-44a3-b3d9-04dae4edbd8a" alt=""><figcaption><p>Pynt with Selenium</p></figcaption></figure>

***

## Setup Pynt

1. First, make sure Pynt's [prerequisites](https://docs.pynt.io/documentation/api-security-testing/prerequisites-for-running-pynt-scans) are met.
2. Follow the instructions to install the Pynt container [here](https://docs.pynt.io/documentation/api-security-testing/how-to-install-pynt-cli).
3. This integration is based on [`pynt command`](https://docs.pynt.io/documentation/api-security-testing/pynt-cli-modes/pynt-command-cli-mode): Pynt runs the command given in the `--cmd` argument through its proxy, captures the traffic, and runs API security tests against the APIs seen in that traffic. Continue with the example below.

***

## Setup Selenium for integrating with Pynt

Chromium-based browsers do not honor the `HTTPS_PROXY` environment variable that Pynt sets for the command it launches, so you need to configure your Selenium test to use the Pynt proxy explicitly.

To route the Selenium Chrome WebDriver through the Pynt proxy, add the following arguments to your WebDriver setup. `--proxy-server` points Chrome at Pynt's local proxy; `--proxy-bypass-list=<-loopback>` is required because Chrome bypasses proxies for `localhost` by default, which would let traffic to a locally running target (such as crAPI on `localhost:8888`) skip Pynt entirely; `--ignore-certificate-errors` lets the browser accept the certificate the intercepting proxy presents for HTTPS sites. Only set these when the test runs under Pynt, never in your regular test configuration:

```python
chrome_options.add_argument('--proxy-server=http://127.0.0.1:6666')
chrome_options.add_argument('--proxy-bypass-list=<-loopback>')
chrome_options.add_argument("--ignore-certificate-errors")
```

Here's an example of a Python function that creates a Chrome WebDriver with a proxy, using the `RUNNING_FROM_PYNT` environment variable (set to `True` by the Pynt CLI for the command it launches) to apply the proxy settings only during a Pynt run:

```python
import os

from selenium import webdriver


def get_webdriver(browser):
    if browser != "CHROME":
        raise ValueError(f"Unsupported browser: {browser}")

    chrome_options = webdriver.ChromeOptions()
    # The Pynt CLI sets RUNNING_FROM_PYNT=True for the command it runs
    pynt = os.environ.get("RUNNING_FROM_PYNT", "")
    if pynt == "True":
        # Only when running under Pynt: route the browser through the Pynt
        # proxy (including loopback targets) and accept its TLS certificate
        chrome_options.add_argument('--proxy-server=http://127.0.0.1:6666')
        chrome_options.add_argument('--proxy-bypass-list=<-loopback>')
        chrome_options.add_argument("--ignore-certificate-errors")

    return webdriver.Chrome(options=chrome_options)
```
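As an added example (not code from the Pynt docs or the pynt-io repository), the helpers below separate the proxy-flag decision from driver creation and check that Pynt's proxy is actually listening before Chrome is launched, so a misconfigured run fails with a clear message instead of every page load failing with a proxy connection error. They assume the proxy address `127.0.0.1:6666` and the `RUNNING_FROM_PYNT` variable described above; the function names are this example's own.

```python
import os
import socket
from typing import List, Mapping

# Pynt's local proxy as used in the WebDriver arguments above
PYNT_PROXY_HOST = "127.0.0.1"
PYNT_PROXY_PORT = 6666


def chrome_proxy_args(environ: Mapping[str, str] = os.environ,
                      host: str = PYNT_PROXY_HOST,
                      port: int = PYNT_PROXY_PORT) -> List[str]:
    """Return the Chrome flags to add when the test was launched by Pynt.

    Returns an empty list otherwise, so a normal test run never carries
    --ignore-certificate-errors. The check is case-sensitive on purpose:
    the Pynt CLI sets the variable to the literal string "True".
    """
    if environ.get("RUNNING_FROM_PYNT", "") != "True":
        return []
    return [
        f"--proxy-server=http://{host}:{port}",
        # Chrome bypasses proxies for loopback by default; a locally hosted
        # target (crAPI on localhost:8888) must still go through Pynt.
        "--proxy-bypass-list=<-loopback>",
        # The intercepting proxy presents its own certificate for HTTPS sites.
        "--ignore-certificate-errors",
    ]


def proxy_reachable(host: str = PYNT_PROXY_HOST,
                    port: int = PYNT_PROXY_PORT,
                    timeout: float = 2.0) -> bool:
    """True if something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(environ: Mapping[str, str] = os.environ) -> List[str]:
    """Compute the Chrome args and fail fast if Pynt's proxy is expected but down."""
    args = chrome_proxy_args(environ)
    if args and not proxy_reachable():
        raise RuntimeError(
            f"RUNNING_FROM_PYNT is set but nothing listens on "
            f"{PYNT_PROXY_HOST}:{PYNT_PROXY_PORT}; start the test via 'pynt command'."
        )
    return args


def make_chrome_driver(environ: Mapping[str, str] = os.environ):
    """Build a Chrome WebDriver with the Pynt proxy applied only under Pynt."""
    # Imported lazily so the helpers above can be unit-tested without Selenium
    from selenium import webdriver

    options = webdriver.ChromeOptions()
    for arg in preflight(environ):
        options.add_argument(arg)
    return webdriver.Chrome(options=options)
```

Call `make_chrome_driver()` where the test previously created its driver; when `RUNNING_FROM_PYNT` is not set the function behaves exactly like a plain `webdriver.Chrome()`.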

***

## Example

Here's a detailed guide to setting up and running a Selenium test against crAPI (Completely Ridiculous API), OWASP's deliberately vulnerable API application, and then using that test to drive Pynt's API security tests to find business logic vulnerabilities in crAPI.

### Setting up our target (crAPI)

This [link](https://github.com/OWASP/crAPI?tab=readme-ov-file#quickstart-guide) includes instructions for setting up crAPI on Windows, Mac, or Linux. For example, on Linux the install flow is:

```bash
curl -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml

docker-compose pull

docker-compose -f docker-compose.yml --compatibility up -d
```

Wait for crAPI to start, then verify it is up by browsing to [`http://localhost:8888`](http://localhost:8888).

***

### Setting up the Selenium test

Download the Selenium test script and its requirements, then install the dependencies:

```bash
wget https://raw.githubusercontent.com/pynt-io/pynt/main/goat_functional_tests/selenium/crapi_selenium.py
wget https://raw.githubusercontent.com/pynt-io/pynt/main/goat_functional_tests/selenium/requirements.txt
pip install -r requirements.txt
```

***

### Running the Selenium test

`python3 crapi_selenium.py`

Flow of the Selenium test:

1. Set up the Chrome driver
2. Register a new user
3. Register a new vehicle for that user
4. Log in
5. Go to the dashboard and view the vehicle location
6. Close the Chrome driver
7. Repeat the same process for a second user

The second user matters: it gives Pynt two distinct identities that each legitimately access their own vehicle, which is the setup needed to test whether one user's session can read another user's objects.

***

### Running the Selenium test with Pynt

Now that the Selenium test is set up, run the security tests:

```bash
pynt command --cmd "python3 crapi_selenium.py" --no-proxy-export
```

You should see the Selenium test execute; Pynt then scans the APIs it captured and shows the report once it is done. The `--no-proxy-export` flag tells Pynt not to export the `HTTPS_PROXY` environment variables: the browser is already pointed at the proxy explicitly, and exporting them would also capture Selenium's own configuration traffic.

***

### Understanding the results

The UI test covers only the login and dashboard pages, not the entire crAPI application. Despite this limitation, it provides enough data for Pynt to detect a Broken Object Level Authorization (BOLA) vulnerability, a business logic flaw, in the vehicle location API: an authenticated user can query the locations of vehicles owned by other users.
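To make the finding concrete, here is an added example (not Pynt's detection code) of the cross-user check behind a BOLA result, applied to a constructed in-memory stand-in for a vehicle location endpoint. The request from the first user is replayed under the second user's identity: a vulnerable handler returns the same record, a correct one refuses. The users, vehicle ids and coordinates are made up; the handler and function names are this example's own.

```python
"""Cross-user (BOLA) check for an object-level endpoint such as a vehicle
location lookup. Added example; the handlers below are a constructed
stand-in for the API, not crAPI or Pynt code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Constructed data: which user owns which vehicle, and where it is
VEHICLE_OWNER: Dict[str, str] = {"veh-A": "alice", "veh-B": "bob"}
VEHICLE_LOCATION: Dict[str, Tuple[float, float]] = {
    "veh-A": (32.0853, 34.7818),
    "veh-B": (40.7128, -74.0060),
}


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


# A handler models "GET <vehicle>/location" as called by an authenticated user
Handler = Callable[[str, str], Response]


def vulnerable_location(user: str, vehicle_id: str) -> Response:
    """Authenticates the caller but never checks ownership: the BOLA."""
    if vehicle_id not in VEHICLE_OWNER:
        return Response(404)
    lat, lon = VEHICLE_LOCATION[vehicle_id]
    return Response(200, {"vehicleId": vehicle_id, "lat": lat, "lon": lon})


def fixed_location(user: str, vehicle_id: str) -> Response:
    """Object-level authorization: the record must belong to the caller.

    Answers 404 rather than 403 so an attacker cannot use the status code
    to enumerate which vehicle ids exist.
    """
    if VEHICLE_OWNER.get(vehicle_id) != user:
        return Response(404)
    lat, lon = VEHICLE_LOCATION[vehicle_id]
    return Response(200, {"vehicleId": vehicle_id, "lat": lat, "lon": lon})


def bola_check(handler: Handler, owner: str, other: str, vehicle_id: str) -> dict:
    """Replay the owner's request under a second identity and classify the result.

    This mirrors what the two-user Selenium flow gives a scanner: a
    legitimate request from user 1 and a valid session for user 2.
    """
    if owner == other:
        return {"vulnerable": False, "verdict": "inconclusive: need two distinct users"}
    baseline = handler(owner, vehicle_id)
    if baseline.status != 200:
        return {"vulnerable": False,
                "verdict": f"inconclusive: owner request returned {baseline.status}"}
    probe = handler(other, vehicle_id)
    if probe.status == 200 and probe.body == baseline.body:
        return {"vulnerable": True,
                "verdict": f"{other} read {owner}'s {vehicle_id} location: BOLA"}
    if probe.status in (401, 403, 404):
        return {"vulnerable": False, "verdict": f"denied with {probe.status}"}
    return {"vulnerable": False,
            "verdict": f"status {probe.status} with a different body; review manually"}


if __name__ == "__main__":
    print(bola_check(vulnerable_location, "alice", "bob", "veh-A"))
    print(bola_check(fixed_location, "alice", "bob", "veh-A"))
```

The check only reports a finding when the owner's request succeeds and the second identity receives the identical record; a failed baseline or a differing body is reported as inconclusive rather than as a vulnerability, which is the distinction a scanner needs to avoid false positives on endpoints that legitimately return user-specific data.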

<figure><img src="https://3462681674-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZKwBF6q0tAGXlIih38HL%2Fuploads%2FrVcDdghkX6rdRqwq1pxs%2Fimage.png?alt=media&#x26;token=1efd052d-b98a-44d9-917e-cfda979474f1" alt=""><figcaption><p>Results summary example</p></figcaption></figure>

<figure><img src="https://3462681674-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZKwBF6q0tAGXlIih38HL%2Fuploads%2Fh4TdcQH9PjllB19gatWe%2Fimage.png?alt=media&#x26;token=b6b346af-53a7-4b9d-91db-dea181fa4fc0" alt=""><figcaption><p>API vulnerabilities example</p></figcaption></figure>

***

{% hint style="info" %}
💡 **Pynt CLI Troubleshooting**: If you're encountering issues with Pynt's CLI, visit the [**Pynt CLI Troubleshooting Guide**](https://docs.pynt.io/documentation/api-security-testing/pynt-scans-troubleshooting/pynt-cli-troubleshooting) for solutions and troubleshooting tips.
{% endhint %}

{% hint style="info" %}
💡 **Still Need Help?** For any questions or troubleshooting, reach out to the [**Pynt Community Support**](https://www.pynt.io/community).
{% endhint %}
