
Tuesday, 8 November 2022

API Security Testing with Postman & Pynt: an API Security Testing Tutorial

 



API Security Testing Introduction

APIs have become one of the most widely used building blocks of modern software. In simple terms, an API lets an organisation expose its applications’ data and functionality to external third-party developers and business partners, or to other departments within the company, so that services can communicate with each other and build on each other’s data and functionality.

Because APIs are so widely used, they have become an easy attack vector. API vulnerabilities can lead to security failures, data breaches, unauthenticated access, and so on, and a vulnerable API left unchecked can cost a company millions of dollars. But you probably already know that, which is why you are here looking into API security testing.

Research firm Gartner predicts that by 2022 API abuses will become the most common type of web application attack. Securing APIs is therefore paramount for running a secure digital business, and the first step is an API security assessment. Postman is the most widely used tool for API testing, so we will run our security scan against Postman Collections.

Before diving into the security scan with Postman, let’s first understand what security testing means here.



Table of Contents:

What is API Security testing?

Why Do You Need API Security Testing?

API Security Testing with Postman

Steps to Run Security Testing with Pynt

Benefits of using Pynt:

What is API Security testing?

API security means securing API endpoints against attackers and building your APIs in a secure fashion. Consumers often view API security as a feature of the API. It is not a feature; it is a different discipline. Securing your API requires looking beyond the API itself. API security is a mindset, not a feature.

API security testing begins by defining the API to be tested. Testers provide information on inputs and outputs of the API, using a variety of specification formats including OpenAPI v2 / v3, Postman Collections, and HAR files.
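As an added example (not code from the original post or from Pynt), the following Python script reads a Postman Collection v2.1 export, one of the specification formats listed above, and produces the inventory a security scan needs: every request's method, URL, the variables it depends on, and whether it carries credentials. It also flags state-changing requests sent without any authentication and lists variables the collection uses but does not define, which is what Prerequisite 4 below is about. The collection it parses is constructed inline for the demo; the field names (`info`, `item`, `request`, `header`, `url`, `variable`) are the public Postman Collection format.

```python
"""Inventory a Postman Collection (v2.1 JSON) before a security scan.

Added example; not code from the original post or from Pynt. The collection
below is constructed for the demo (no real API). Field names follow the public
Postman Collection v2.1 format.
"""
import json
import re
from dataclasses import dataclass, field

# Constructed sample export; {{var}} placeholders are Postman variables.
SAMPLE_COLLECTION = json.dumps({
    "info": {"name": "demo-goat",
             "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"},
    "variable": [{"key": "baseUrl", "value": "https://api.example.test"}],
    "item": [
        {"name": "Login", "request": {
            "method": "POST", "url": "{{baseUrl}}/auth/login",
            "header": [{"key": "Content-Type", "value": "application/json"}],
            "body": {"mode": "raw", "raw": "{\"user\":\"a\",\"pass\":\"b\"}"}}},
        {"name": "Users", "item": [  # a folder nests further items
            {"name": "Get user", "request": {
                "method": "GET",
                "header": [{"key": "Authorization", "value": "Bearer {{token}}"}],
                "url": {"raw": "{{baseUrl}}/users/{{userId}}",
                        "host": ["{{baseUrl}}"], "path": ["users", "{{userId}}"]}}},
            {"name": "Delete user", "request": {
                "method": "DELETE", "header": [],
                "url": "{{baseUrl}}/users/{{userId}}"}},
        ]},
    ],
})

VAR_RE = re.compile(r"\{\{([^}]+)\}\}")


@dataclass
class Endpoint:
    name: str
    method: str
    url: str
    variables: list = field(default_factory=list)
    has_auth: bool = False


def _url_string(url):
    # Postman stores a URL either as a plain string or as an object with "raw".
    return url if isinstance(url, str) else url.get("raw", "")


def walk_items(items, path=()):
    """Yield (folder_path, item) for every request; folders nest via 'item'."""
    for item in items:
        if "item" in item:
            yield from walk_items(item["item"], path + (item["name"],))
        elif "request" in item:
            yield path, item


def inventory(collection_json):
    """One Endpoint per request, in collection order."""
    coll = json.loads(collection_json)
    endpoints = []
    for folder, item in walk_items(coll.get("item", [])):
        req = item["request"]
        url = _url_string(req.get("url", ""))
        headers = [h for h in req.get("header", []) if not h.get("disabled")]
        used = set(VAR_RE.findall(url))
        for h in headers:
            used.update(VAR_RE.findall(str(h.get("value", ""))))
        endpoints.append(Endpoint(
            name="/".join(folder + (item["name"],)),
            method=req.get("method", "GET").upper(),
            url=url,
            variables=sorted(used),
            # request-level "auth" object or an explicit Authorization header
            has_auth="auth" in req or any(h["key"].lower() == "authorization" for h in headers),
        ))
    return endpoints


def unauthenticated_mutations(endpoints):
    """State-changing requests sent with no credentials. A login request is
    expected here; anything else is the first place to review for broken
    authentication / object-level authorization findings."""
    return [e for e in endpoints
            if e.method in {"POST", "PUT", "PATCH", "DELETE"} and not e.has_auth]


def undefined_variables(collection_json, endpoints):
    """Variables the requests use but the collection does not define; these must
    come from the Postman environment, or the scan hits literal '{{...}}' text."""
    defined = {v["key"] for v in json.loads(collection_json).get("variable", [])}
    return sorted({v for e in endpoints for v in e.variables} - defined)


if __name__ == "__main__":
    eps = inventory(SAMPLE_COLLECTION)
    for e in eps:
        print(f"{e.method:6} {e.url:35} auth={e.has_auth} vars={e.variables}")
    print("unauthenticated mutations:", [e.name for e in unauthenticated_mutations(eps)])
    print("variables to set in the environment:", undefined_variables(SAMPLE_COLLECTION, eps))
```

Running it against a real export (replace `SAMPLE_COLLECTION` with the file contents) gives you, before any scanner runs, the list of endpoints the scan will exercise and the variables you must set in the environment first.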




Why Do You Need API Security Testing?

APIs allow data exchange between applications. If an attacker breaches your API security, they can access the sensitive data behind your website.

Other bitter consequences of an API security breach could be:

  • Leakage of customer data. This data is then sold on the dark web.

  • Defacement to your website & business. It can severely affect you & your brand’s reputation in the market.

  • The number of users and revenue will take a plunge.

  • Lawsuits (if there is negligence on your behalf).

  • Unauthorised Access

  • Data leakage

  • Sanctioned Fuzzy input

  • Injection Vulnerabilities

  • Parameter Tampering, etc.



API Security Testing with Postman

Postman is the most widely used API testing tool on the market. In this section we will explore Pynt, which lets us run security testing on our existing Postman Collections.

Pynt is an API security solution that generates automated security tests based on your existing functional test collection. Simply input your functional test collection name into the Pynt collection and run the API security test collection in your workspace.

Pynt’s dynamic security testing covers all of the OWASP API Top 10 (https://owasp.org/www-project-api-security), retrieving results about your overall API security in just a few minutes.

Prerequisites:

  1. Postman App:
    Ensure you are working with the Postman app (installed from https://www.postman.com/downloads).
    Please note that the Pynt solution doesn't support the Postman website, so kindly download the Postman app.

  2. Docker Installation:
    Ensure the Docker engine is available and running on your machine (install it from https://docs.docker.com/engine/install/).

  3. Check that your functional test collection is available in your workspace.

  4. Set any required environmental variables for the functional test collection.

  5. Ensure the target is up.


Steps To Run Security Testing

Step-01: 

Open your workspace from the Postman desktop app.

Step-02: 

Import the Pynt Collection for a dry run. Visit https://www.postman.com/pynt-io/workspace/pynt/overview and create a fork, as in the screenshot below:

 


Step-03

To check that the Postman app has started successfully and Docker is up, run the Pynt Collection: click the three dots next to the collection and then click Run Collection, as shown in the screenshot below:

Step-04

As we haven't started Docker yet, we get the error “Pynt container is not running”; see the screenshot below.

First make sure Docker is installed on your machine; it is easy to install, and the link is in the Prerequisites section.
Start the Docker engine; the first screen you see will look like this:

Wait until Docker is completely up. Once Docker Desktop is running you will see the screen below:


 

Step-05

Now start the Pynt container with one of the following commands (the port number can be changed if it is already taken):

  1. Docker Desktop for Windows, Mac, or Linux - run from cmd/terminal: docker run -p 5001:5001 --pull always ghcr.io/pynt-io/pynt:postman-latest (the left-hand port can be changed if it is already taken on your machine)

  2. Docker engine for Linux - run from terminal: docker run --pull always --network=host ghcr.io/pynt-io/pynt:postman-latest

Since we are demonstrating on a Mac, open Terminal and type the Docker Desktop command above. Once it runs you will see the success message shown below:
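The following is an added Python example, not part of the post or of Pynt's own tooling. It composes the two docker run commands above as argument lists, derives the matching value for the collection's `port` variable (the left-hand port with `-p`, or 5001 under host networking), and probes the port before you click Run Collection, so the “Pynt container is not running” error from Step-04 is caught up front. The platform labels `desktop` and `linux-engine` are this example's own names; the image name and port come from the commands above.

```python
"""Compose the Pynt container start command and check that it is listening.

Added example; not part of the original post or of Pynt's tooling. The image
name and the two command shapes come from Step-05; the platform labels and
the readiness probe are this example's assumptions.
"""
import socket
import time

PYNT_IMAGE = "ghcr.io/pynt-io/pynt:postman-latest"  # image named in the post
CONTAINER_PORT = 5001                                 # port the container listens on


def pynt_docker_command(platform, host_port=5001):
    """Return the docker argv for the two variants described in Step-05.

    'desktop'      Docker Desktop (Windows/Mac/Linux): publish host_port -> 5001.
    'linux-engine' bare Docker engine on Linux: host networking, no port mapping.
    A list (not a shell string) can go straight to subprocess.run without a shell.
    """
    if not 1 <= host_port <= 65535:
        raise ValueError(f"invalid host port {host_port}")
    if platform == "desktop":
        return ["docker", "run", "-p", f"{host_port}:{CONTAINER_PORT}",
                "--pull", "always", PYNT_IMAGE]
    if platform == "linux-engine":
        return ["docker", "run", "--pull", "always", "--network=host", PYNT_IMAGE]
    raise ValueError(f"unknown platform {platform!r}")


def postman_port_variable(platform, host_port=5001):
    """Value for the Pynt collection's 'port' variable: the left-hand port of -p,
    or 5001 when --network=host is used (nothing is remapped)."""
    return host_port if platform == "desktop" else CONTAINER_PORT


def wait_for_port(host, port, timeout=30.0, interval=0.5):
    """Poll until something accepts TCP connections on host:port, or give up.
    Run this before 'Run Collection' instead of discovering the container is
    down from the collection's error message."""
    deadline = time.monotonic() + timeout
    while True:
        try:
            with socket.create_connection((host, port), timeout=interval):
                return True
        except OSError:
            if time.monotonic() >= deadline:
                return False
            time.sleep(interval)


def listen_locally():
    """Open a listener on an ephemeral port (stands in for the container here)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    print(" ".join(pynt_docker_command("desktop", 5002)))
    print("port variable:", postman_port_variable("desktop", 5002))
    srv, p = listen_locally()
    print("listener reachable:", wait_for_port("127.0.0.1", p, timeout=2))
    srv.close()
    print("closed port reachable:", wait_for_port("127.0.0.1", p, timeout=1))
```

If you change the left-hand port because 5001 is taken, `postman_port_variable` is the number that must go into the `port` variable in Step-07; a mismatch between the two is the usual cause of the collection reporting that the container is not running even though `docker ps` shows it up.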

Step-06

Now that the Pynt container is up and running, repeat Step-03 and run the Pynt collection again. If everything is up, you should see this output:

 



Step-07

Our prerequisites are done. Before running the rest of the steps in the collection, we fork the “goat” project as a sample target and then set up the variables listed below. If you are not sure how to fork it, visit https://www.postman.com/pynt-io/workspace/pynt/overview and refer to the screenshot below:

  1. Click on the 'Variables' tab of the 'Pynt' collection and fill in the values of the required parameters in the 'CURRENT VALUE' column (if you cannot find the Variables tab, refer to the image):

    1. API-KEY - your Postman API key. If you previously saved your API key, enter it here under 'Current Value'. If not, go to https://postman.co/settings/me/api-keys to generate or regenerate your API key; for security reasons it can only be copied at the time of creation. You won't need to modify this parameter again until the API key expires.

    2. port - the left-hand port number used in the docker run command (default 5001).

    3. YOUR-COLLECTION - your functional test collection name or the collection UID (both are accepted; the UID is preferred if two collections with the same name are associated with the API key). Pynt uses this collection to generate the automated security tests.
      If you want a reference application to test, Pynt provides a vulnerable example app called 'goat' that you can fork from Pynt's public workspace (https://www.postman.com/pynt-io/workspace/pynt) and use here.

    4. scanId - output variable, used internally. Ignore it.

    5. Click 'Save'.

Once the above setup is done, your Variables section should look like this:

Step-08

Run the 'Pynt' collection to get the security results (see Step-03 for how to run a collection). Once execution starts, you should see the security tests for the OWASP API Top 10 categories executing on the main console screen:

 

Step-09

Wait for the entire collection to execute. Once it completes you should see 'Run completed', as below:

Step-10

Click on "View Summary" to view the results summary.


Step-11

To see the full report, expand the 'Pynt' collection, go to the last request, 'Show Report', and click 'Send', as shown in the screenshot below:

The above will return the entire report, but remember to choose the 'Visualize' tab on the lower section to see the full report.



* If you modified your test collection in any way, simply re-run the Pynt collection.

* Should you need to test another collection, simply update the YOUR-COLLECTION variable and re-run the 'Pynt' collection.

https://www.youtube.com/watch?v=YWB57GHOPHU 

Benefits of using Pynt:

  1. Eliminating issues from the start

  2. Frictionless testing within existing API testing environments such as Postman or Newman (answers the pain of effort)

  3. Context-aware testing - Pynt generates automated security tests from your functional test stories (answers the pain of lack of context and lack of knowledge)

  4. Fast and accurate security test results within minutes (answers the pain of time-consuming)

  5. Frictionless integration into existing CI/CD pipelines and tools (answers the pain of repeatedly end2end)

  6. Zero false positives (answers the pain of effort, focus, and prioritization)

  7. Dynamic security tests on internal, external, and third-party APIs for any protocol (answers the pain of coverage)

  8. Prevents sensitive data exposure, fraud, and privilege escalation

  9. Pen test alternative

  10. Answers compliance needs

 

TIPS 

See also screenshot examples:

Image 1 - Generate/copy API Key if forgotten

Image 2 - Enter 'Pynt' collection parameters

Image 3 - Run the 'Pynt' collection to generate full OWASP-10 API-security tests for your collection

Image 4 - View the API security test results

Image 5 - View results summary

Image 6 - View visualize report for security summary

Image 7 - View visualize report for detailed findings
