Security Test Your API Endpoints With Pynt
Have you ever worried about the security of your API endpoints? It is a question that crosses our minds only rarely, and the reason is simple: nobody cares about security until an incident happens. At DishHome, the DishHome OTT API had been compromised, and a bug bounty was paid to the person who reported the security flaws in our API. It is natural that as a junior developer you spend most of your time on how to do something rather than how to secure it; if you don't yet know how to do it, what is there to secure at all? As a beginner you write code to log in and code to generate bearer tokens, and you ignore all the details behind them. That is fine while you are learning, because focusing on every detail at that stage is overwhelming and you first have to make things work. But once you are confident doing such work, you need to start paying attention to the security side as well. If you don't limit the rate at which bearer tokens are generated, users can keep generating tokens and flood your web servers with traffic. Every year the top 10 security vulnerabilities are published on the OWASP website, commonly known as the OWASP Top 10. The OWASP Top 10 typically includes threats such as broken authentication, SQL injection, cross-site request forgery, and many others.
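To make the rate-limiting point concrete, here is an added illustration (not code from this article) of a token endpoint that caps how many bearer tokens one caller can mint inside a sliding window. The limit, window length and client ids are constructed for the example; the clock is injectable so the behaviour can be checked without waiting.

```python
"""Rate-limited bearer-token issuance.

Added illustration for this article, not code from it: a per-client sliding
window that caps how many bearer tokens one caller can mint. The limit,
window length and client ids below are constructed for the example.
"""
import math
import secrets
import time
from collections import deque

MAX_TOKENS_PER_WINDOW = 5    # constructed limit: tokens per client per window
WINDOW_SECONDS = 60.0        # constructed window length


class TokenRateLimiter:
    """Sliding-window limiter keyed by client id (user, API key or source IP)."""

    def __init__(self, max_per_window=MAX_TOKENS_PER_WINDOW,
                 window=WINDOW_SECONDS, clock=time.monotonic):
        self.max_per_window = max_per_window
        self.window = window
        self.clock = clock                     # injectable for deterministic tests
        self._issued = {}                      # client id -> deque of issue times

    def check(self, client_id):
        """Return (allowed, retry_after_seconds); records the issue if allowed."""
        now = self.clock()
        times = self._issued.setdefault(client_id, deque())
        # Drop issue timestamps that have left the window.
        while times and now - times[0] >= self.window:
            times.popleft()
        if len(times) >= self.max_per_window:
            # The oldest entry still inside the window decides when a slot frees up.
            retry_after = math.ceil(self.window - (now - times[0]))
            return False, max(retry_after, 1)
        times.append(now)
        return True, 0


def issue_bearer_token(limiter, client_id, ttl_seconds=3600):
    """Token endpoint handler returning (HTTP status, response body).

    Answers 429 with a Retry-After hint when the caller exceeded its quota,
    otherwise a fresh random bearer token.
    """
    allowed, retry_after = limiter.check(client_id)
    if not allowed:
        return 429, {"error": "too_many_requests", "retry_after": retry_after}
    token = secrets.token_urlsafe(32)          # 256 bits of randomness
    return 200, {"access_token": token, "token_type": "Bearer",
                 "expires_in": ttl_seconds}


if __name__ == "__main__":
    limiter = TokenRateLimiter(max_per_window=3)
    for attempt in range(5):
        status, body = issue_bearer_token(limiter, "client-A")  # constructed id
        print(attempt + 1, status, body if status == 429 else "token issued")
```

The quota is tracked per client rather than globally, so one misbehaving caller cannot exhaust the budget for everyone; in a real service the timestamps would live in a shared store (for example Redis) so that every web server sees the same count.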
In this article, I am going to guide you through getting started with Pynt to security test your API. So you may be wondering what on earth Pynt is. Pynt (pynt.io) is a free API security solution that runs seamlessly in Postman and generates automated security tests from your existing functional test collection in a few minutes. Simply input your functional test collection name into the Pynt collection and run it to get the security testing coverage for your
Tools you need to install
Ensure you are working with the Postman desktop app (install from https://www.postman.com/downloads). Please note that Pynt is based on Docker and requires access to localhost, so it does not support Postman for the web.
Ensure the Docker engine is available and running on your machine (install it from: https://docs.docker.com/engine/install/).
Open your workspace from the Postman desktop app.
Download and run the Pynt Docker image by executing the following command (the port number can be changed if it is already taken):
Docker Desktop for Windows, Mac, or Linux - run from cmd/terminal:
docker run -p 5001:5001 --pull always ghcr.io/pynt-io/pynt:postman-latest
(the left port can be changed if it is already taken on your machine)
Docker engine for Linux - run from terminal:
docker run --pull always --network=host ghcr.io/pynt-io/pynt:postman-latest
This step needs to be repeated whenever you restart your PC.
Run Pynt docker
How to Run:
Make sure Pynt's docker is still up.
Click on the 'Variables' tab of the 'Pynt' collection and fill in the values of the required parameters, in the 'CURRENT VALUE' column:
API-KEY - your Postman API key. If you previously saved your API key, enter it here under the 'Current Value' column. If not, go to https://postman.co/settings/me/api-keys to generate or regenerate your API key; for security reasons it can only be copied at the time of creation. You won't need to modify this parameter again until the API key expires.
PYNT-PORT - the left port number used in the docker run command (default 5001).
YOUR-COLLECTION - your functional test collection name, or the collection UID (both are acceptable; the UID is preferred if you have two collections with the same name associated with the API key). Pynt will refer to this collection to generate the automated security tests.
If you wish to have a reference application to test, Pynt provides a vulnerable app example called 'goat' that you can fork from Pynt's public workspace: https://www.postman.com/pynt-io/workspace/pynt and use it here.
scanId - output variable, used internally. Ignore.
Run the 'Pynt' collection to get the security results:
The security results for OWASP-10 categories will appear on the main console screen.
Click on 'View Summary' to view the results summary.
In order to see the full report, expand the 'Pynt' collection, go to the last request 'Show Report' and click 'Send'. Choose the 'Visualize' tab in the lower section to see the full report.
If you modify your test collection in any way, simply re-run the 'Pynt' collection.
Should you need to test another collection, simply update the YOUR-COLLECTION variable and re-run the 'Pynt' collection.
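The YOUR-COLLECTION variable accepts either a name or a UID, and the UID is the safer choice when two collections share a name. The following added example (not Pynt's or Postman's own code) resolves a name to a unique UID and refuses ambiguous names so that Pynt never scans the wrong collection. It assumes the Postman API endpoint GET https://api.getpostman.com/collections authenticated with the X-Api-Key header, a reply shaped as {"collections": [{"name": ..., "uid": ...}, ...]}, and an environment variable named POSTMAN_API_KEY; the sample payload is constructed with fake UIDs so the script also runs offline.

```python
"""Resolve the YOUR-COLLECTION value to a unique Postman collection UID.

Added example for this article, not Pynt's or Postman's own code.
Assumptions: GET https://api.getpostman.com/collections with the X-Api-Key
header returns {"collections": [{"name": ..., "uid": ...}, ...]}, and the
key is supplied in the POSTMAN_API_KEY environment variable. The sample
payload at the bottom is constructed with fake UIDs.
"""
import json
import os
import urllib.request

POSTMAN_COLLECTIONS_URL = "https://api.getpostman.com/collections"


class AmbiguousCollectionName(ValueError):
    """More than one collection carries the requested name."""


def fetch_collections(api_key, url=POSTMAN_COLLECTIONS_URL):
    """Live lookup; the key comes from the caller, never hard-coded in scripts."""
    req = urllib.request.Request(url, headers={"X-Api-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def resolve_collection(payload, name_or_uid):
    """Return the UID for a name or UID; raise if unknown or ambiguous."""
    items = payload.get("collections", [])
    # An exact UID match always wins, so a UID is unambiguous even if it
    # happens to equal some collection's name.
    for item in items:
        if item.get("uid") == name_or_uid:
            return item["uid"]
    matches = [item["uid"] for item in items if item.get("name") == name_or_uid]
    if not matches:
        raise KeyError(f"no collection named {name_or_uid!r}")
    if len(matches) > 1:
        raise AmbiguousCollectionName(
            f"{len(matches)} collections named {name_or_uid!r}; "
            "use one of the UIDs: " + ", ".join(matches))
    return matches[0]


# Constructed sample reply: two collections share the name 'goat'.
SAMPLE_PAYLOAD = {
    "collections": [
        {"name": "goat", "uid": "111111-00000000-0000-4000-8000-000000000001"},
        {"name": "goat", "uid": "111111-00000000-0000-4000-8000-000000000002"},
        {"name": "billing-api", "uid": "111111-00000000-0000-4000-8000-000000000003"},
    ]
}


if __name__ == "__main__":
    api_key = os.environ.get("POSTMAN_API_KEY")      # assumed env var name
    payload = fetch_collections(api_key) if api_key else SAMPLE_PAYLOAD
    for wanted in ("billing-api", "goat"):
        try:
            print(wanted, "->", resolve_collection(payload, wanted))
        except (KeyError, AmbiguousCollectionName) as exc:
            print(wanted, "->", exc)
```

Run it with POSTMAN_API_KEY set to query your own workspace; without the variable it exercises the constructed payload and shows the ambiguous-name refusal for 'goat', which is exactly the case where you should paste the UID into the YOUR-COLLECTION variable instead of the name.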
See also screenshot examples:
Image 1 - Generate/copy API Key if forgotten
Image 2 - Enter 'Pynt' collection parameters
Image 3 - Run the 'Pynt' collection to generate full OWASP-10 API-security tests for your collection
Image 4 - View the API security test results
Image 5 - View results summary
Image 6 - View visualize report for security summary
Image 7 - View visualize report for detailed findings