Empowering API Security Testing With Pynt and Pytest

In today's API-driven landscape, robust security testing is essential. Pynt, an API security testing tool, integrates with pytest, the popular Python testing framework, so the functional tests you already run double as the traffic Pynt analyses for security gaps. This article walks through using Pynt with pytest to identify and address potential API vulnerabilities.

Prerequisites:

  • Python 3.6 or later (see the official Python installation instructions)

  • Pytest installed (pip install pytest)

  • Pynt installed (pip install pyntcli)

1. Set Up Your API Endpoint

Pick a simple demo API endpoint for testing purposes. You can use https://reqres.in or any API of your choice. ReqRes also provides a Swagger definition that makes it easy to browse all the available endpoints.

[Image: ReqRes Swagger UI listing the demo API endpoints]

2. Write Your Pytest Script:

Create a Python file (e.g., test_users.py) to hold your pytest tests. Here's a basic example:

Python

import pytest
from requests import get


@pytest.fixture
def base_url():
    # Base URL of the demo API under test
    return 'https://reqres.in/api'


def test_get_user(base_url):
    # Functional check: listing users returns the default page of 6 records.
    # A timeout keeps a stalled server (or proxy) from hanging the run.
    url = f'{base_url}/users'
    response = get(url, timeout=10)
    assert response.status_code == 200
    assert len(response.json().get('data')) == 6

3. Run Your First Test

Bash

users@user-demo pynt-pytest-demo % pytest
========================================== test session starts ===========================================
platform darwin -- Python 3.11.1, pytest-7.3.1, pluggy-1.0.0
rootdir: /Users/demo/pynt-pytest-demo
collected 1 item                                                                                         

tests/test_users.py .                                                                              [100%]

=========================================== 1 passed in 0.33s ============================================
users@user-demo pynt-pytest-demo %

Once the test passes on its own, we can move on to running it under Pynt.
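Pynt derives its security tests from the requests it records, so a single GET gives it a single endpoint to work with. Before handing the suite to Pynt it pays to widen functional coverage. The module below is an added example for this article, not code from the original post or from Pynt: it exercises the list, single-user, not-found and create paths of ReqRes as documented in its Swagger, uses one requests.Session so proxy and TLS settings apply to every recorded request, and sets a timeout so a stalled proxy cannot hang the run. The helper names (user_url, is_user) and the field set is_user checks are this example's own assumptions.

```python
# tests/test_users.py -- added example; not from the original article or Pynt.
# Widens functional coverage of the ReqRes demo API so that Pynt, which derives
# its security tests from the requests it records, sees several endpoints and
# both success and failure paths. Helper names and the user field set in
# is_user() are this example's assumptions; endpoint behaviour follows the
# ReqRes documentation.
from typing import Optional

import pytest
import requests

BASE_URL = "https://reqres.in/api"
TIMEOUT = 10  # seconds; a stalled proxy must not hang the whole run


def user_url(base_url: str, user_id: Optional[int] = None) -> str:
    """Build the users collection URL, or the URL of a single user."""
    collection = f"{base_url}/users"
    return collection if user_id is None else f"{collection}/{user_id}"


def is_user(obj: object) -> bool:
    """True if obj has the shape of a ReqRes user record (assumed fields)."""
    if not isinstance(obj, dict):
        return False
    required = {"id": int, "email": str, "first_name": str, "last_name": str}
    return all(isinstance(obj.get(k), t) for k, t in required.items())


@pytest.fixture(scope="session")
def session():
    # One Session so proxy, CA bundle and header settings apply to every
    # request Pynt records.
    with requests.Session() as s:
        s.headers["Accept"] = "application/json"
        yield s


def test_list_users(session):
    r = session.get(user_url(BASE_URL), params={"page": 1}, timeout=TIMEOUT)
    assert r.status_code == 200
    users = r.json()["data"]
    assert users and all(is_user(u) for u in users)


@pytest.mark.parametrize("user_id", [1, 2, 12])
def test_get_single_user(session, user_id):
    r = session.get(user_url(BASE_URL, user_id), timeout=TIMEOUT)
    assert r.status_code == 200
    assert r.json()["data"]["id"] == user_id


def test_unknown_user_returns_404(session):
    # Negative path: how the API fails is as important to a scanner as how
    # it succeeds.
    r = session.get(user_url(BASE_URL, 23), timeout=TIMEOUT)
    assert r.status_code == 404


def test_create_user(session):
    # A request with a JSON body gives Pynt a parameter surface to mutate.
    payload = {"name": "morpheus", "job": "leader"}
    r = session.post(user_url(BASE_URL), json=payload, timeout=TIMEOUT)
    assert r.status_code == 201
    body = r.json()
    assert body["name"] == payload["name"] and "id" in body
```

Run it with plain `pytest` first; the Functional Tests table Pynt prints afterwards should then show more than one endpoint and request, and the security tests it generates grow accordingly.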

4. Start Docker:

Pynt works as a proxy: it captures your API requests and responses while the tests run and analyses them for gaps and issues in API security.
That proxy runs in a Docker container on your local system, so Docker must be running before you start Pynt.

[Image: architecture of Pynt security testing with pytest]

If you don't have Docker, follow the Docker installation guide for your platform first.

5. Run Pytest with the pynt Command:

To run API security tests alongside your functional pytest run, wrap your existing command line in the pynt command:

Bash

pynt command --cmd "pytest ./tests/test_users.py"

When you first run the command above, you may see an SSL certificate error:

Bash

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:992)

The error occurs because the Pynt proxy terminates TLS and presents its own certificate, which Python's certificate store does not trust. You can either disable certificate verification by passing verify=False to the request call, as below, or, preferably, trust the proxy's certificate by following Pynt's official documentation on SSL support. Keep in mind that verify=False turns off TLS verification for that request entirely, so restrict it to the test run and never let it leak into production code.

Python

response = get(url, timeout=10, verify=False)  # disables TLS verification: test runs only
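Rather than sprinkling verify=False through the test code, the decision can be made once per session and kept visible. The conftest.py below is an added example for this article, not code from the original post or from Pynt: it prefers a CA bundle for the proxy, allows verify=False only as an explicit opt-in, reports the policy in pytest's header, and silences urllib3's InsecureRequestWarning only in the opt-in case. The environment variable names PYNT_CA_BUNDLE and ALLOW_INSECURE_TLS and the fixture names base_url and api are this example's assumptions, not Pynt settings; test functions take api instead of calling requests.get directly.

```python
# tests/conftest.py -- added example; not from the original article or Pynt.
# Chooses how TLS certificates are verified for the whole test session instead
# of hard-coding verify=False into each request. The environment variable names
# below are this example's assumptions, not Pynt settings:
#   PYNT_CA_BUNDLE=/path/to/proxy-ca.pem  verify against the proxy's CA (preferred)
#   ALLOW_INSECURE_TLS=1                  verify=False, explicit opt-in only
#   neither                                normal verification (verify=True)
import os
from typing import Mapping, Union

import pytest
import requests

VerifySetting = Union[bool, str]  # what requests accepts for `verify`


def resolve_verify(env: Mapping[str, str]) -> VerifySetting:
    """Map the environment to a `verify` value for requests.

    A CA bundle path always wins over the insecure opt-in, so a stray
    ALLOW_INSECURE_TLS cannot downgrade a run that has the proxy CA available.
    The path is returned as-is; requests fails loudly if the file is missing.
    """
    bundle = env.get("PYNT_CA_BUNDLE", "").strip()
    if bundle:
        return bundle
    if env.get("ALLOW_INSECURE_TLS", "").strip() == "1":
        return False
    return True


def describe_verify(verify: VerifySetting) -> str:
    """Human-readable form of the setting, shown in pytest's report header."""
    if verify is True:
        return "TLS verification: system CA store"
    if verify is False:
        return "TLS verification: DISABLED (ALLOW_INSECURE_TLS=1)"
    return f"TLS verification: CA bundle {verify}"


def pytest_report_header(config):
    # Make the effective policy visible at the top of every run, so a
    # verify=False run is never silent about it.
    return describe_verify(resolve_verify(os.environ))


def pytest_configure(config):
    # Silence urllib3's InsecureRequestWarning only when insecure mode was
    # requested explicitly; an unexpectedly unverified run should stay noisy.
    if resolve_verify(os.environ) is False:
        config.addinivalue_line(
            "filterwarnings", "ignore::urllib3.exceptions.InsecureRequestWarning"
        )


@pytest.fixture(scope="session")
def base_url() -> str:
    return "https://reqres.in/api"


@pytest.fixture(scope="session")
def api():
    # Tests take `api` instead of calling requests.get() directly, so the
    # verification policy applies to every request Pynt records.
    with requests.Session() as s:
        s.verify = resolve_verify(os.environ)
        s.headers["Accept"] = "application/json"
        yield s
```

While you are still sorting out the proxy certificate, run `ALLOW_INSECURE_TLS=1 pynt command --cmd "pytest ./tests/test_users.py"`; once you have the proxy CA file, switch to `PYNT_CA_BUNDLE=/path/to/proxy-ca.pem` and the insecure switch becomes a no-op. Because requests honours the REQUESTS_CA_BUNDLE environment variable on its own, exporting that to the proxy CA file is an equivalent shortcut to the first option without any fixture code.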

6. Run the Tests:

Run pytest again, wrapped in the pynt command:

Bash

pynt command --cmd "pytest ./tests/test_users.py"

Pynt records the requests your functional tests make and uses them to generate security tests against the same endpoints. It reports potential issues such as injection flaws, cross-site scripting (XSS) and authentication bypass, together with guidance on how to fix them.

Bash

users@user-demo pynt-pytest-demo % pynt command --cmd "pytest ./tests/test_users.py"
API Security testing autopilot
Pynt CLI version 0.1.69

Pynt CLI new version is available, upgrade now with:
python3 -m pip install --upgrade pyntcli
Pulling latest docker
Docker pull done
Server is up and running
============================= test session starts ==============================
platform darwin -- Python 3.11.1, pytest-7.3.1, pluggy-1.0.0
rootdir: /Users/demo/pynt-pytest-demo
collected 1 item

tests/test_users.py .                                                    [100%]

=============================== warnings summary ===============================
tests/test_users.py::test_get_user
  /Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/site-packages/urllib3/connectionpool.py:1045: InsecureRequestWarning: Unverified HTTPS request is being made to host 'localhost'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
    warnings.warn(

-- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
========================= 1 passed, 1 warning in 0.40s =========================


    Functional Tests    
┏━━━━━━━━━━━┳━━━━━━━━━━┓
┃ Endpoints ┃ Requests ┃
┡━━━━━━━━━━━╇━━━━━━━━━━┩
│ 1         │ 1        │
└───────────┴──────────┘


               Security Tests               
┏━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━━━━┓
┃ Errors ┃ Warnings ┃ Passed ┃ Did Not Run ┃
┡━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━━━━┩
│ 0      │ 1        │ 20     │ 1           │
└────────┴──────────┴────────┴─────────────┘
users@user-demo pynt-pytest-demo %

7. Analyse the Results:

When Pynt finishes analysing the recorded requests and endpoints, it prints the summary shown above in the terminal and also opens a detailed HTML report in your browser.

The report has the following sections to give you an overview of the security issues found:

  1. Summary: the number of requests and endpoints seen, how many security tests were executed, and the count of passed and failed tests.

    [Image: Pynt report header summary]

  2. Details: for each issue, a description, its impact and how to fix it.

    [Image: details of a Pynt issue]

In this example Pynt flagged one potential vulnerability in the endpoint. In a real project, investigate each finding and address it in your application code.

Remember to adjust the code examples and API endpoint to match your own API. By combining Pynt with pytest, you can significantly strengthen your API security testing and help safeguard your applications from potential threats.

I hope this guide helps you use Pynt with pytest with confidence!