DataDome

Will Playwright replace Puppeteer for bad bot play-acting?


Bad bots (such as ticket scalping bots) are used for a multitude of nefarious purposes: web scraping, credential stuffing, DDoS attacks, and so on. However, the online businesses they target are increasingly putting up defenses in the shape of specialized bot protection solutions.

One of the biggest challenges for bad bot developers is therefore to bypass the security solutions that keep unmasking and blocking them. To avoid being detected, their best bet is to mimic legitimate human traffic as convincingly as possible.

Headless Chrome, instrumented with the Node.js-based browser automation library Puppeteer, has become the go-to solution for creating human-like bots. Puppeteer provides an effective and easy way to create bots whose fingerprints are extremely similar to those of normal Chrome browsers.

Now, Microsoft has launched a new open-source instrumentation framework. It’s called Playwright, and it will enable bad bots to exhibit even fewer of the subtle differences that enable bot detection solutions to distinguish between bots and humans. As a result, detecting that the browser is automated will be even more difficult than before.

What is Playwright?

Playwright is an open-source instrumentation framework which allows developers to control a browser and automate actions with JavaScript. It’s very similar to Puppeteer, and for good reason: Playwright was built by the same team that originally created Puppeteer at Google, but which has since ventured over to Microsoft.

Like Puppeteer, Playwright provides full access to browser features and can run in fully headless mode (emulating browser functionality) on a remote server. But while Puppeteer is only compatible with Chrome and the Nightly version of Firefox (i.e. the beta), Playwright supports Headless Chrome, Headless Firefox and Webkit, all through the same API.

In the development team’s own words, “Playwright is focused on enabling [a] cross-browser web automation platform that is ever-green, capable, reliable and fast. Our primary goal with Playwright is to improve automated UI testing by eliminating flakiness, improving the speed of execution and offering insights into the browser operation.”

Starting with a clean slate, the developers were able to incorporate lessons learnt and introduce improvements that would have required breaking changes to the Puppeteer API. If Playwright keeps its promises, it might ultimately replace Puppeteer.

Playwright will make accurate bot detection even trickier

Playwright’s main purpose is to facilitate automated UI testing, and frontend testing professionals have greeted the release with considerable enthusiasm.

However, they are not the only ones drooling over the new opportunities that Playwright has to offer.

As mentioned, Puppeteer is widely used to conceal the nature of bad bots and enable them to masquerade as human traffic. Playwright will take this ability one step further, by making it extremely easy for bot developers to switch between different browsers for their bots.

For ill-intentioned actors that want their bot activity to remain undetected, the very practical advantage is that they no longer need to forge their fingerprints to make it look like their requests come from different browsers—because they actually will.

Moreover, Playwright ships with modified versions of Chrome, Firefox and Webkit (Safari). While Playwright with Headless Chrome is quite similar to Puppeteer with Headless Chrome, the modifications for Firefox and Webkit introduce additional difficulties for detection:

  • The Firefox browser has a legitimate user agent
  • In both Firefox and Webkit, navigator.webdriver = false, just like in browsers used by humans.

Since Playwright’s API is very similar to Puppeteer’s, bot developers can quite easily migrate from one to the other.

What all this means is that bots leveraging Playwright will be even more difficult to detect than the already very stealthy Puppeteer bots, and competent hackers will quickly learn how to use the new framework to their advantage. At DataDome, we expect to see a surge of traffic to our customers’ websites from bots using Playwright very soon.

What will it take to detect bots using Playwright?

By leveraging instrumentation frameworks such as Puppeteer and, very soon, Playwright, bots can use (almost) the exact same technologies as humans. Coupled with access to an extremely large pool of IPs that they can rotate randomly for each request, this makes them practically indistinguishable from human visitors.

Classic defense strategies, like user agent block-listing or testing the presence of attributes such as navigator.webdriver, are no longer a match for bot operators intent on concealing their activity. So what will it take to detect and deflect bots created with Playwright?

First of all, a specialized bot protection solution is absolutely mandatory. Conventional cybersecurity tools, such as web application firewalls (WAFs), are simply not designed for the kind of sophisticated behavioral analysis that is required here. Staying safe from the latest generation of bad bots without implementing a purpose-built solution is just illusory.

Secondly, your bot detection solution must have powerful client-side detection capabilities. Server-side fingerprinting is necessary and useful for detecting less advanced bots, but bots leveraging Playwright simply cannot be detected without sophisticated client-side behavioral analysis.

We can’t go more into detail without giving bad bot developers pointers to where they should focus their efforts next. Suffice to say that the DataDome detection engine is ready for Playwright: our algorithms have been updated with Playwright-specific signals so that our customers’ websites, mobile apps and APIs will continue to be protected from all automated threats.

Would you like to stay a step ahead of the next big automated threat? Start your DataDome 30-day free trial today, or contact us to request a demo.
