The app & CLI tool to test API endpoint speed

What is Clobbr ?

Test your API endpoints to see how well they perform under multiple request in sequence or parallel ways

How to Start ?

Download on the Mac App Store or Microsoft Store or get it from npm

Note : Install the node.js before you start

Command Line (cli)

npx @clobbr/cli run --url "https://reqres.in/api/users?page=1"

Usage Examples for cli

Iterations

you can define the number of iteration to execute the API

by default it will execute for 10 iterations

npx @clobbr/cli run --url "https://reqres.in/api/users?page=1" --iterations 25

Send requests in Parallel

you can run the api request in parallel mode also using

npx @clobbr/cli run --url "https://reqres.in/api/users?page=1" --parallel

Summary Table Report

we can generate the summary table report format as well by running below command

npx @clobbr/cli run --url "https://reqres.in/api/users?page=1" --table "full"

we can generate the compact report as well running below command

npx @clobbr/cli run --url "https://reqres.in/api/users?page=1" --table "compact"

Different Request Methods

GET is used as the default method, but we can pass other request methods as well such as POST, PUT, PATCH, DELETE

npx @clobbr/cli run --url "https://reqres.in/api/users" --method "POST"

Sending Headers

Create headers in JSON file and pass the file path like below

npx @clobbr/cli run --url "https://reqres.in/api/users" --method "POST" --headersPath "location of json"

Send JSON Payload

Create request payload in JSON file and pass the file path like below

npx @clobbr/cli run --url "https://reqres.in/api/users" --method "POST" --dataPath "location of json"

Results in different file formats

Results will be shown in a human-readable format by default, but you can also get results in JSON, YAML and CSV format

npx @clobbr/cli run --url "https://reqres.in/api/users" --method "POST" --outputFormat json --outputFile

Run checks against results

Set target values for percentage of success (pctOfSuccess), mean (ms), median (ms), standardDeviation (stdDev in ms) and supported quantiles in ms (q5, q50, q95, q99)

npx @clobbr/cli run --url "https://reqres.in/api/users?page=1" --checks mean=200 median=200 stdDev=40 pctOfSuccess=95

References

Clobbr GitHub

Clobbr YouTube

API Security Testing Introduction

In recent times, APIs are emerging as the most used product unit. In simple terms, API helps organizations open up their applications’ data and functionality to external third-party developers and business partners, or to departments within their companies. This allows services to communicate with each other and leverage each other’s data and functionality.

Attributing to the wide usage of API, it became an easy vector for hackers. The vulnerabilities of API can lead to security failure, data breach, unauthenticated access, and so on. Furthermore, a vulnerable API can cost a company millions of dollars if it goes unchecked. But you already know that for you’re here looking for API security testing pricing.

Table of Contents:

• What is API Security testing?
• Why is API security testing important?
• What are the benefits of using API security testing?
• What is Pynt ?
• Pynt Setup

What is API Security testing?

API security is nothing but securing API endpoints from attackers and building your APIs in a secure fashion. Quite often consumers view API security as a feature of API. It’s not a feature. It’s a different technology. Understand that securing your API requires looking elsewhere, beyond your API itself. We say that API security is a mindset and not a feature.

API security testing begins by defining the API to be tested. Testers provide information on inputs and outputs of the API, using a variety of specification formats including OpenAPI v2 / v3, Postman Collections, and HAR files.

Why is API security testing important?

APIs are the heart of many applications, providing developers with powerful interfaces to the services an organization has to offer. Ensuring that APIs are conformant to published specifications and are resilient to bad and potentially malicious input is critical to an organization’s overall security.

Traditional dynamic application security testing (DAST) scanners cannot cover APIs completely; they cover only a small portion of them. If an organization’s front end does not interact with all API endpoints, traditional DAST scanners will miss them. It is therefore essential to adopt a modern, dynamic API security testing strategy that targets issues in all an API’s endpoints.

What are the benefits of using API security testing?

At the most basic level, API security testing helps identify and prevent vulnerabilities and their associated potential organizational risk.

Specifically, API security testing is fine-tuned to both the API being tested and an organization’s overall strategy and best practices. API scanners work at a deeper level, examining the APIs that power single-page web apps, IoT devices, or mobile apps. By understanding what an API expects as input, API scanners can intelligently fuzz data to uncover hidden bugs.

API security testing tools also help enforce the correctness of an API, scanning the business logic of an API rather than just the input validation provided by the front end.

API security testing can also help identify where an API diverges from published API specifications. For example, if a specific endpoint should respond with a particular HTTP status but another is detected during a scan, the testers will alert the appropriate stakeholder. This helps ensure that the developers who leverage the APIs have an experience consistent with published specifications.

What is Pynt?

Pynt is API security testing solution enables developer and testers it run the security tests against their APIs to find and mitigate vulnerabilities throughout the development lifecycle.

Why Pynt?

• Pynt can be used by Developers, Testers, AppSec, DevSecOps and CISOs
• Pynt’s dynamic security testing covers all the OWASP API Top 10, retrieving results about your overall security in just a few minutes
• Pynt is a free API security testing solution. Pynt brings API security to developers and testers
• Pynt empowers developers and testers to build secure APIs from the very start of the development process
• Pynt’s developer-first approach allows organizations to secure the assets behind their APIs before they are released into production, ensuring that their products are secure at their most vulnerable components — APIs
• Pynt seamlessly integrates into existing development tools and CI/CD workflows

How to Use Pynt?

• From Postman App
• As Newman CLI
• As part of GitHub actions

Pynt Setup

Prerequisites:

• Ensure you are working with the Postman app (install from https://www.postman.com/downloads). Please note that the Pynt solution is based on docker and requires access to the local host, so it doesn’t support the Postman web.
• Ensure the Docker engine is available and running on your machine (install it from: https://docs.docker.com/engine/install/).
• Check that your functional test collection is available in your workspace.
• Set any required environment variables for the functional test collection.
• Ensure the target is up.

Fork Pynt Collection from Postman

• Start from Pynt website (www.pynt.io).
• Click ‘Run in Postman’ to enter Pynt public workspace @ Postman or go to this link
• Fork the ‘Pynt’ collection to your workspace.
• If you wish to have a reference app to test, fork also the ‘goat’ collection to your workspace.
• Open your workspace from the Postman desktop app.
• Click on Pynt’s collection documentation (right tab icon) and proceed with the instructions.

Run Pynt Container

Download and run the Pynt docker by executing the following command (port number can be changed if already taken)

1. Docker Desktop for Windows, Mac, or Linux — run from cmd/terminal: docker run -p 5001:5001 --pull always ghcr.io/pynt-io/pynt:postman-latest(the left port can be changed if already taken on your machine)
2. Docker engine for Linux — run from terminal: docker run --pull always --network=host ghcr.io/pynt-io/pynt:postman-latest

make sure you have started the docket instance

Check the docker for the container status

Run Pynt Collection

Make sure Pynt docker is up

Click on the ‘Variables’ tab of the ‘Pynt’ postman collection and fill in the values of the required parameters, in the ‘CURRENT VALUE’ column

1. API-KEY — your postman API key — If you previously saved and have your API key, enter it here under the ‘Current Value’ tab. If not, enter https://postman.co/settings/me/api-keys to generate or regenerate your API key as for security reasons it can only be copied at the time of creation. You won’t need to modify this parameter again until the API key expires
2. port — the left port number used in the docker run command (default-5001)
3. YOUR-COLLECTION- your functional test collection name, or the collection UID (both are acceptable, UID is preferred if you have two collections with the same name associated with the API-KEY). Pynt will refer to this collection to generate the automated security tests. If you wish to have a reference application to test, Pynt provides a vulnerable app example called ‘goat’ that you can fork from Pynt’s public workspace: https://www.postman.com/pynt-io/workspace/pynt and use it here
4. scanId — output variable, used internally. Ignore
5. Click ‘Save’

• If you modified your test collection in any way, simply re-run Pynt collection.
• Should you need to test another collection, simply update the YOUR-COLLECTION variable and re-run the ‘Pynt’ collection.

View Results

Run the Pynt collection to get the security results

1. The security results for OWASP-10 categories will appear on the main console screen.
2. Click on ‘View Summary’ to view the results summary.
3. In order to see the full report, uncollapse the ‘Pynt’ collection, go to the last request ‘Show Report’ and click on ‘Send’. choose the ‘Visualize’ tab on the lower section to see the full report.

Reference Video