Empowering Api Security Testing With Pynt And Pytest
In today's API-driven landscape, robust security testing is paramount. Pynt, a powerful API security testing tool, seamlessly integrates with pytest, the popular Python testing framework, streamlining your workflow and enhancing test coverage. This article guides you through using Pynt with pytest, empowering you to identify and address potential vulnerabilities effectively.
Prerequisites:
Python 3.6 or later (Installation instruction)
Pytest installed (
pip install pytest
)Pynt installed (
pip install pyntcli
)
1. Get Up Your API Endpoint
Find a simple demo API endpoint for testing purposes. You can use https://reqres.in, or any of your preferred choice. ReqRes also provide a swagger to easily go through all the endpoints available.
2. Write Your Pytest Script:
Create a Python file (e.g., test_users.py
) to house your pytest tests. Here's a basic example:
Python
import pytest
from requests import get
@pytest.fixture
def base_url():
return 'https://reqres.in/api'
def test_get_user(base_url):
url = f'{base_url}/users'
response = get(url)
assert response.status_code == 200
assert len(response.json().get('data')) == 6
3. Run your first Test
Bash
users@user-demo pynt-pytest-demo % pytest
========================================== test session starts ===========================================
platform darwin -- Python 3.11.1, pytest-7.3.1, pluggy-1.0.0
rootdir: /Users/demo/pynt-pytest-demo
collected 1 item
tests/test_users.py . [100%]
=========================================== 1 passed in 0.33s ============================================
users@user-demo pynt-pytest-demo %
Once our test are working fine , we can move onto next steps to run them with Pynt.
4. Start docker client:
Pynt uses proxy to analyse your API's request and response to find gaps and issues in API security.
That proxy is run in docker container on your local system.
If you don't have docker you can refer to here to install docker client.
5. Run Pytest with pynt command:
To execute API Security tests while running API functional testing PyTest in command line, simply encapsulate your existing command line within the "pynt" command.
Bash
pynt command --cmd "pytest ./tests/test_users.py"
As soon we run execute above command you might get below error for SSL certificate.
Bash
CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate
(_ssl.c:992)')))
This can either solved by disabling security certificate checks by passing verify=False
to request method. or you can also follow Pynt official documentation on their SSL support.
Python
response = get(url, verify=False)
6. Run the Tests:
Execute the pytest command again with within the "pynt" command
Bash
pytest test_api.py --pynt
Pynt will analyze your API endpoint and generate security tests based on your functional test logic. It will identify and report potential vulnerabilities like SQL injection, cross-site scripting (XSS), and authentication bypass.
Bash
users@user-demo pynt-pytest-demo % pynt command --cmd "pytest ./tests/test_users.py"
API Security testing autopilot
Pynt CLI version 0.1.69
Pynt CLI new version is available, upgrade now with:
python3 -m pip install --upgrade pyntcli
Pulling latest docker
Docker pull done
Server is up and running
============================= test session starts ==============================
platform darwin -- Python 3.11.1, pytest-7.3.1, pluggy-1.0.0
rootdir: /Users/demo/pynt-pytest-demo
collected 1 item
tests/test_users.py . [100%]
=============================== warnings summary ===============================
tests/test_users.py::test_get_user
/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/site-packages/urllib3/connectionpool.p
y:1045: InsecureRequestWarning: Unverified HTTPS request is being made to host 'localhost'. Adding
certificate verification is strongly advised. See:
https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
warnings.warn(
-- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
========================= 1 passed, 1 warning in 0.40s =========================
Functional Tests
┏━━━━━━━━━━━┳━━━━━━━━━━┓
┃ Endpoints ┃ Requests ┃
┡━━━━━━━━━━━╇━━━━━━━━━━┩
│ 1 │ 1 │
└───────────┴──────────┘
Security Tests
┏━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━━━━┓
┃ Errors ┃ Warnings ┃ Passed ┃ Did Not Run ┃
┡━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━━━━┩
│ 0 │ 1 │ 20 │ 1 │
└────────┴──────────┴────────┴─────────────┘
users@user-demo pynt-pytest-demo %
7. Analyse the results:
As soon as the Pynt is done with analysis of API request and endpoints. It will show a summary in terminal itself. But also open a beatifull HTML report on browser for you.
The request has below section that you can analyse to get overview of security issues.
Summary: This include number of request , endpoints and how many security test were executed. Also the count of passed/failed tests
Details: It also provide details of issue, their effects and how we can fix it.
This example shows Pynt identifying one potential vulnerabilities in the endpoint. You'll need to investigate and address these vulnerabilities in your actual code.
Remember to adjust the code examples and API endpoint to match your specific use case. By effectively leveraging Pynt and pytest, you can significantly enhance your API security testing and safeguard your applications from potential threats.
I hope this comprehensive guide empowers you to use Pynt with pytest confidently!