Puppeteer: An Automation Framework Built by Google
Since its initial V1 release in January 2018, Puppeteer has skyrocketed to become one of the two most popular and ubiquitous automation frameworks. So, what is Puppeteer? And why do people love it? Google designed Puppeteer to provide a simple yet powerful interface in Node.js for automating tests and various tasks using the Chromium browser engine.
This created a situation where trade-offs had to be made: speed vs. reliability. Puppeteer aimed to remove this trade-off by enabling developers to leverage the Chromium browser environment to run their tests and by giving them the flexibility to leverage headless or headful browsers that run on the same underlying platform as their users.
Puppeteer was also built to be very developer-friendly. This meant that the developers who maintained the popular testing frameworks, such as Mocha, were incentivized to build in support for Puppeteer. This led to a huge uptick in popularity amongst the developer community as the tool was ubiquitously supported.
Microsoft Playwright: Cross Browser Automation Framework
Given how successful the approach of a simple, developer-friendly automation framework was, others have followed suit. For example, in 2020 Microsoft released Playwright (created by the same team that originally created Puppeteer at Google), an automation framework that allows developers to test across browsers, which will continue to democratize the adoption of sophisticated automation tools across the globe.
Chrome 89: An “Easy Button” for Creating Puppeteer Scripts
Puppeteer in the Wrong Hands
Just as developers who want to automate tests can reap the benefits of a simple yet powerful automation framework, folk with more nefarious intentions can as well. These frameworks give our adversaries the power to run the same browsers that our end users run, enabling them to evade detection and blend in with all the noise that exists on the internet today.
For example, the evolution of Puppeteer Extra Stealth and the Puppeteer Stealth Fork on GitHub has enabled many attacks to evade many legacy bot detection solutions. Puppeteer Stealth provides an ecosystem for users to build advanced scripts that are capable of defeating legacy solutions. The developers have built in CAPTCHA-defeating modules as well as many code improvements that evade many common detection methods.
Automation DevTools such as Puppeteer and Playwright, when used in the wrong hands to conduct automated bot attacks, are rapidly becoming one of the most significant threats to online businesses. As it stands, the Puppeteer Extra Stealth plugin is typically downloaded 250,000 to 500,000 times a month, hovering at an average of 10,000 to 20,000 downloads per day so far this year.
Read our blog, “How to Stay Ahead of Adversaries Using Open Source DevTools and Antidetect Browsers to Automate Fraud,” to learn more about this topic. You will see how modern client-side interrogation methods can detect the use of these browser automation frameworks that fly beneath the radar of traditional bot detection solutions.
*** This is a Security Bloggers Network syndicated blog from Kasada authored by Sam Crowther. Read the original post at: https://www.kasada.io/what-is-puppeteer-developers-fraudsters-love-it/