Pynt for Selenium

Integrate Pynt with Selenium to enhance API security testing. Automate security scans within your Selenium test suites to detect and mitigate vulnerabilities effectively.


Last updated 8 months ago

What is Selenium?

💡 Selenium is a widely-used framework for automating web browsers. It allows developers to automate browser interactions, making it ideal for testing web applications. With Selenium, you can simulate user actions and verify UI functionality across different browsers.

Pynt's Integration with Selenium

As part of its suite, Pynt allows seamless integration with Selenium. Using Selenium for UI testing in combination with Pynt for automated API security testing is a powerful approach to enhancing the security of your web applications. Here's a step-by-step guide on how you can integrate Selenium with Pynt to create automated API security tests:

Setup Pynt

First, make sure Pynt's prerequisites are met.

Follow the installation instructions to install the Pynt container.

Setup Selenium for integrating with Pynt

This integration is based on the pynt command CLI mode, in which Pynt runs the command given in the --cmd argument through a proxy, captures the traffic, and runs API security tests on the APIs seen in that traffic. Continue with the example below.

Since the Chromium browser does not honor the HTTPS_PROXY environment variable set by Pynt, you need to manually configure your Selenium test to use the Pynt proxy.

To configure the Selenium Chrome WebDriver to go through a proxy, add the following lines to your WebDriver setup:

chrome_options.add_argument('--proxy-server=http://127.0.0.1:6666')
chrome_options.add_argument('--proxy-bypass-list=<-loopback>')
chrome_options.add_argument("--ignore-certificate-errors")

Here's an example of a Python function that creates a Chrome WebDriver with a proxy, using the RUNNING_FROM_PYNT environment variable set by the Pynt CLI to apply the proxy settings only when the test is run under Pynt:

import os
from selenium import webdriver

def get_webdriver(browser):
    if browser == "CHROME":
        chrome_options = webdriver.ChromeOptions()
        pynt = os.environ.get("RUNNING_FROM_PYNT", "")
        if pynt == "True":
            # These arguments are only added when running under Pynt
            chrome_options.add_argument('--proxy-server=http://127.0.0.1:6666')
            chrome_options.add_argument('--proxy-bypass-list=<-loopback>')
            chrome_options.add_argument("--ignore-certificate-errors")

        return webdriver.Chrome(options=chrome_options)
    raise ValueError(f"Unsupported browser: {browser}")

Example

Here's a detailed guide to setting up and running a Selenium test against crAPI (Completely Ridiculous API), a deliberately vulnerable web application created by OWASP, and then using this test to run Pynt API security tests that find Business Logic vulnerabilities in crAPI.

Setting up our target (crAPI)

crAPI's own setup instructions cover Windows, Mac, and Linux. For example, on Linux the install flow is:

curl -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml

docker-compose pull

docker-compose -f docker-compose.yml --compatibility up -d

Wait for crAPI to start; verify by going to http://localhost:8888.

Setting up the Selenium test

Download crapi_selenium.py and its requirements file, then install the dependencies:

wget https://raw.githubusercontent.com/pynt-io/pynt/main/goat_functional_tests/selenium/crapi_selenium.py
wget https://raw.githubusercontent.com/pynt-io/pynt/main/goat_functional_tests/selenium/requirements.txt
pip install -r requirements.txt

Running the Selenium test

python3 crapi_selenium.py

Flow of the Selenium test:

  1. Set up the Chrome driver
  2. Register a new user
  3. Register a new vehicle for that user
  4. Log in
  5. Go to the dashboard and view the vehicle location
  6. Close the Chrome driver
  7. Repeat the same process for another user

Running the Selenium test with Pynt

Now that the Selenium test is set up, we can run the security tests:

pynt command --cmd "python3 crapi_selenium.py" --no-proxy-export

You should see the Selenium test execute, after which Pynt begins scanning the APIs and shows the report once it's done. The --no-proxy-export flag tells Pynt not to export the HTTPS_PROXY environment variable, because that would cause Selenium's own configuration traffic to be captured by Pynt as well.

Understanding the results

The UI test focuses solely on the login and dashboard pages rather than covering the entire crAPI application. Despite this limitation, it provides sufficient data for Pynt to detect a Business Logic vulnerability (BOLA) related to vehicle location. This specific vulnerability enables an attacker to query the locations of vehicles owned by other users.
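The proxy wiring from the WebDriver setup above, restated as a testable helper and added here as an example (not code from the Pynt project): it derives the three Chrome flags from RUNNING_FROM_PYNT, explains what each flag does, and checks that the Pynt proxy is actually listening on 127.0.0.1:6666 before the browser starts. The function names, the port probe and build_chrome_options are this example's own design; the flag values and the environment variable are the ones documented above.

```python
"""Wire a Selenium Chrome session into the Pynt proxy (added example)."""
import os
import socket
from typing import List, Mapping

# Proxy address and environment variable as documented for the Pynt CLI.
PYNT_PROXY_HOST = "127.0.0.1"
PYNT_PROXY_PORT = 6666
PYNT_ENV_VAR = "RUNNING_FROM_PYNT"


def pynt_chrome_arguments(env: Mapping[str, str]) -> List[str]:
    """Return the Chrome flags that route browser traffic through Pynt.

    Empty unless RUNNING_FROM_PYNT is exactly "True" (the value the Pynt CLI
    sets), so a normal test run starts a plain browser: no proxy and no
    relaxed certificate checking outside the scan.
    """
    if env.get(PYNT_ENV_VAR, "") != "True":
        return []
    return [
        f"--proxy-server=http://{PYNT_PROXY_HOST}:{PYNT_PROXY_PORT}",
        # Chromium bypasses the proxy for loopback by default. The "<-loopback>"
        # rule removes that implicit bypass, so requests to a locally hosted
        # target such as crAPI on localhost:8888 still pass through Pynt.
        "--proxy-bypass-list=<-loopback>",
        # Pynt terminates TLS with its own certificate, which Chrome would
        # otherwise reject. Only acceptable because it is gated on Pynt runs.
        "--ignore-certificate-errors",
    ]


def pynt_proxy_reachable(host: str = PYNT_PROXY_HOST,
                         port: int = PYNT_PROXY_PORT, timeout: float = 1.0) -> bool:
    """True if something accepts TCP connections on the Pynt proxy port.

    Checking up front gives a clear error instead of a proxy failure surfacing
    midway through the UI test.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def build_chrome_options(env: Mapping[str, str] = os.environ):
    """Create ChromeOptions with the Pynt flags applied when running under Pynt."""
    from selenium import webdriver  # hypothetical caller's dependency; lazy import
    args = pynt_chrome_arguments(env)
    if args and not pynt_proxy_reachable():
        raise RuntimeError(f"{PYNT_ENV_VAR} is set but no proxy is listening on "
                           f"{PYNT_PROXY_HOST}:{PYNT_PROXY_PORT}")
    options = webdriver.ChromeOptions()
    for arg in args:
        options.add_argument(arg)
    return options
```

In get_webdriver above, the Chrome branch then reduces to `webdriver.Chrome(options=build_chrome_options())`.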

💡 Pynt CLI Troubleshooting: If you're encountering issues with Pynt's CLI, visit the Pynt CLI Troubleshooting Guide for solutions and troubleshooting tips.

💡 Still Need Help? For any questions or troubleshooting, reach out to Pynt Community Support.