Our great sponsors
ZAP | puppeteer | |
---|---|---|
61 | 356 | |
11,965 | 86,704 | |
1.6% | 0.5% | |
9.2 | 9.9 | |
3 days ago | 2 days ago | |
Java | TypeScript | |
Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
ZAP
-
Bruno
I use ZAP [1] with the OAST add-on for this at the moment. I admit the UX isn't perfect, but it serves my purpose.
If I also want control over the responses (e.g. return a 401 status code for every fifth request), I have a custom extender script [2] for that.
-
What is API Discovery, and How to Use it to Reduce Your Attack Surface
Implement tools like Burp Suite or OWASP ZAP for in-depth security scanning of your APIs.
-
Best Hacking Tools for Beginners 2024
OWASP ZAP
-
Autorize – The most popular tool to discover AuthZ/AuthN flaws
The use of capital punctuation implies a warning? an alert? Would this same response be warranted for Burp which is also a commercial, closed source product?
If this is an issue for some, then ZAP being open source[1] maybe favourable.
That said, Burp is the defacto tool for a reason - it's best in class. Every pentester I know, including myself, has a paid subscription. The fact that it's closed source hasn't been an issue.
-
Show HN: Pākiki Proxy – An intercepting proxy for penetration pesting
Briefly reviewed your product. Seems like OWASP ZAP is your competition: https://www.zaproxy.org/
It runs entirely in the browser so it uses the browser "native" frameworks.
-
Vulnerability Scanning of Node.js Applications
Dynamic analysis involves testing your application while it's running. Tools like OWASP ZAP and Burp Suite can help identify vulnerabilities like SQL injection or Cross-Site Scripting by sending malicious requests to your application and analyzing the responses.
-
Is this fraud? And if so, to what extent am I responsible?
> Lying is not an embellishment or puffery, it's a lie. Engaging a company for a 3 day pen test that's totally insufficient, that would be an embellishment.
I agree, but if the RFP question was phrased "have you done penetration testing?" then that leaves a lot of room for embellishment. If the question is "do you have SOC2 certification?" and you answer "yes" untruthfully, then that is a lie. If they ask for the SOC2 or pentest report and you give them a falsified document, that's where you're (probably) committing fraud.
> One of the most important part of pen tests is that they are external.
AWS/Google/etc have internal security teams doing their pen tests, so no, this isn't true.
> Just doing your job as an engineer and looking for bugs is not a pen test.
What about an engineer spending an afternoon running ZAP[0]?
> It's like saying, "what is an audit really? We have accountants and they check our books for anomalies."
Yeah, which is why you don't just ask a company "do you keep track of your finances?" if you're investing in them, you request external auditors.
-
The essential security checklist for user identity
In addition to manual security reviews, you can also implement DevSecOps practices to automate security checks. For example, you can set up a CI/CD pipeline to run static code analysis tools like CodeQL and automatically run penetration tests using tools like OWASP ZAP.
-
The 36 tools that SaaS can use to keep their product and data safe from criminal hackers (manual research)
OWASP ZAP (open source)
-
How can i make web server from scratch
I would start by installing Burp Suite or OWASP Zap and seeing what the actual messages look like
puppeteer
-
Learn Automated Testing At Home: A Beginner's Guide
1.Puppeteer: Puppeteer is a Node library that provides a high-level API to control headless Chrome or Chromium using the DevTools Protocol. Key Features: More control over Chrome. Enables web scraping. Allows taking screenshots and generating PDFs for UI testing. Measures load times through the Chrome Performance Analysis tool
-
HTML to PDF renderers: A simple comparison
HTML to PDF conversion is a common requirement in modern web applications. It allows users to save web pages, reports, and other content in a format that is easy to share and print. There are many libraries and services available for converting HTML to PDF, each with its own strengths and weaknesses. In this article, we will compare some of the most popular HTML to PDF renderers in Node.js, including Puppeteer, Playwright, node-html-pdf, and Onedoc.
-
Let's build a screenshot API
Playwright seems to be a superior library for working with headless browsers than Puppeteer, but I will go with Puppeteer.
-
JS Toolbox 2024: Bundlers and Test Frameworks
Puppeteer is a Node library that provides a high-level API to control headless Chrome or Chromium. It's primarily used for browser automation, making it a powerful tool for end-to-end testing of web applications, taking screenshots, and generating pre-rendered content from web pages.
-
Next.js 14 Booking App with Live Data Scraping using Scraping Browser
Puppeteer
-
Eleve o nível de suas Aplicações Javascript com Load Test
Website: pptr.dev Repositório: GitHub
-
Pyppeteer Tutorial: The Ultimate Guide to Using Puppeteer with Python
# Define variables PYTHON := python3 POETRY := poetry PYTEST := pytest PIP := pip3 PROJECT_NAME := web automation with Pyppeteer .PHONY: install install: $(POETRY) install @echo "Dependency installation complete" $(PIP) install -r requirements.txt @echo "Set env vars LT_USERNAME & LT_ACCESS_KEY" # Procure Username and AccessKey from https://accounts.lambdatest.com/security export LT_USERNAME=himansh export LT_ACCESS_KEY=Ia1MiqNfci .PHONY: install poetry-install: poetry install .PHONY: test test: export NODE_ENV = test .PHONY: test pyunit-pyppeteer: - echo $(EXEC_PLATFORM) - $(PYTHON) tests/pyunit-pyppeteer/test_pyunit_pyppeteer.py .PHONY: test pytest-pyppeteer: - echo $(EXEC_PLATFORM) - $(PYTEST) --verbose --capture=no -s -n 2 tests/pytest-pyppeteer/test_pytest_pyppeteer_1.py \ tests/pytest-pyppeteer/test_pytest_pyppeteer_2.py .PHONY: test pyunit-pyppeteer-browser-session: - echo $(EXEC_PLATFORM) - $(PYTHON) tests/starting-browser-session/pyunit/test_pyppeteer_browser_session.py .PHONY: test pytest-pyppeteer-browser-session: - echo $(EXEC_PLATFORM) - $(PYTEST) --verbose --capture=no -s \ tests/starting-browser-session/pytest/test_pyppeteer_browser_session.py .PHONY: test asyncio-run-pyppeteer-browser-session: - echo $(EXEC_PLATFORM) - $(PYTHON) tests/starting-browser-session/asyncio_run/test_pyppeteer_browser_session.py .PHONY: test asyncio-run-complete-pyppeteer-browser-session: - echo $(EXEC_PLATFORM) - $(PYTHON) tests/starting-browser-session/\ asyncio_run_until_complete/test_pyppeteer_browser_session.py .PHONY: test pyppeteer-button-click: - echo $(EXEC_PLATFORM) - $(PYTEST) --verbose --capture=no -s tests/button-click/test_page_class_click.py .PHONY: test pyppeteer-activate-tab: - echo $(EXEC_PLATFORM) - $(PYTEST) --verbose --capture=no -s tests/active-tab/test_page_class_bringtofront.py ###### Testing Custom Environment - https://miyakogi.github.io/pyppeteer/reference.html#environment-variables # Available versions: 113, 121, and default .PHONY: test pyppeteer-custom-chromium-version: - echo $(EXEC_PLATFORM) - echo 'Browser Version:' $(CHROMIUM_VERSION) - $(PYTEST) --verbose --capture=no -s tests/custom-configuration/test_launcher_exe_path.py ###### Testing Headless - https://miyakogi.github.io/pyppeteer/reference.html#launcher # Available values: headless and non-headless .PHONY: test pyppeteer-custom-browser-mode: - echo $(EXEC_PLATFORM) - echo $(BROWSER_MODE) - $(PYTEST) --verbose --capture=no -s tests/custom-configuration/test_launcher_headless.py .PHONY: test pyppeteer-generate-pdf: - echo $(EXEC_PLATFORM) - $(PYTEST) --verbose --capture=no -s tests/generate-pdf/test_page_class_pdf.py .PHONY: test pyppeteer-generate-screenshot: - echo $(EXEC_PLATFORM) - $(PYTEST) --verbose --capture=no -s tests/generate-screenshots/test_page_class_screenshot.py .PHONY: test pyppeteer-cookies: - echo $(EXEC_PLATFORM) - $(PYTEST) --verbose --capture=no -s tests/handling-cookies/test_page_class_cookies.py .PHONY: test pyppeteer-dialog-box: - echo $(EXEC_PLATFORM) - $(PYTEST) --verbose --capture=no -s tests/handling-dialog-box/test_handling_dialog_box.py .PHONY: test pyppeteer-iframe: - echo $(EXEC_PLATFORM) - $(PYTEST) --verbose --capture=no -s tests/handling-iframe/test_page_class_iframe.py # Like Puppeteer, Navigation operations mentioned below only work in Headless mode # goBack: https://miyakogi.github.io/pyppeteer/reference.html#pyppeteer.page.Page.goBack # goForward: https://miyakogi.github.io/pyppeteer/reference.html#pyppeteer.page.Page.goForward # Bug Link # https://github.com/puppeteer/puppeteer/issues/7739 # https://stackoverflow.com/questions/65540674/how-to-error-check-pyppeteer-page-goback .PHONY: test pyppeteer-navigate-ops: - echo $(EXEC_PLATFORM) - $(PYTEST) --verbose --capture=no -s tests/navigate-operations/test_page_class_navigation_ops.py .PHONY: test pyppeteer-request-response: - echo $(EXEC_PLATFORM) - $(PYTEST) --verbose --capture=no -s tests/request-response/test_page_class_req_resp.py .PHONY: test pyppeteer-viewport: - echo $(EXEC_PLATFORM) - echo $(BROWSER_MODE) - $(PYTEST) --verbose --capture=no -s tests/setting-useragent-viewports/\ test_page_class_useragent_viewport.py::test_mod_viewport .PHONY: test pyppeteer-non-headless-useragent: - echo $(EXEC_PLATFORM) - echo $(BROWSER_MODE) - $(PYTEST) --verbose --capture=no -s tests/setting-useragent-viewports/\ test_page_class_useragent_viewport.py::test_get_nonheadless_user_agent .PHONY: test pyppeteer-headless-useragent: - echo $(EXEC_PLATFORM) - echo $(BROWSER_MODE) - $(PYTEST) --verbose --capture=no -s tests/setting-useragent-viewports/\ test_page_class_useragent_viewport.py::test_get_headless_user_agent .PHONY: test pyppeteer-dynamic-content: - echo $(EXEC_PLATFORM) - echo $(BROWSER_MODE) - $(PYTEST) --verbose --capture=no -s -n 4 tests/handling-dynamic-content/\ test_page_class_lazy_loaded_content.py .PHONY: test pyppeteer-web-scraping: - echo $(EXEC_PLATFORM) - $(PYTEST) --verbose --capture=no -s tests/web-scraping-content/\ test_scraping_with_pyppeteer.py .PHONY: clean clean: # This helped: https://gist.github.com/hbsdev/a17deea814bc10197285 find . | grep -E "(__pycache__|\.pyc$$)" | xargs rm -rf rm -rf .pytest_cache/ @echo "Clean Succeeded" .PHONY: distclean distclean: clean rm -rf venv .PHONY: help help: @echo "" @echo "install : Install project dependencies" @echo "clean : Clean up temp files" @echo "pyunit-pyppeteer : Running Pyppeteer tests with Pyunit framework" @echo "pytest-pyppeteer : Running Pyppeteer tests with Pytest framework" @echo "pyunit-pyppeteer-browser-session : Browser session using Pyppeteer and Pyunit" @echo "pytest-pyppeteer-browser-session : Browser session using Pyppeteer and Pytest" @echo "asyncio-run-pyppeteer-browser-session : Browser session using Pyppeteer (Approach 1)" @echo "asyncio-run-complete-pyppeteer-browser-session : Browser session using Pyppeteer (Approach 2)" @echo "pyppeteer-button-click : Button click demo using Pyppeteer" @echo "pyppeteer-activate-tab : Switching browser tabs using Pyppeteer" @echo "pyppeteer-custom-chromium-version : Custom Chromium version with Pyppeteer" @echo "pyppeteer-custom-browser-mode : Headless and non-headless test execution with Pyppeteer" @echo "pyppeteer-generate-pdf : Generating pdf using Pyppeteer" @echo "pyppeteer-generate-screenshot : Generating page & element screenshots with Pyppeteer" @echo "pyppeteer-cookies : Customizing cookies with Pyppeteer" @echo "pyppeteer-dialog-box : Handling Dialog boxes with Pyppeteer" @echo "pyppeteer-iframe : Handling iFrames with Pyppeteer" @echo "pyppeteer-navigate-ops : Back & Forward browser operations with Pyppeteer" @echo "pyppeteer-request-response : Request and Response demonstration using Pyppeteer" @echo "pyppeteer-viewport : Customizing viewports using Pyppeteer" @echo "pyppeteer-non-headless-useragent : Customizing user-agent (with browser in headed mode) using Pyppeteer" @echo "pyppeteer-headless-useragent : Customizing user-agent (with browser in headless mode) using Pyppeteer" @echo "pyppeteer-dynamic-content : Handling dynamic web content using Pyppeteer" @echo "pyppeteer-web-scraping : Dynamic web scraping using Pyppeteer"
-
How to build a WhatsApp AI assistant
This library works by creating an instance of WhatsApp web running inside an instance of headless chrome automated by puppeteer. In my testing, I ran into tons of compatibility issues when trying to use these dependencies inside anything other than a bare-bones Node.js + express server. Also, we can’t spin up a new instance of chrome and WhatsApp web each time a user sends a message, this will exhaust our allowed WhatsApp connections (4 max), not to mention that doing this will make the response times painfully slow.
-
Show HN: Quetta – A privacy-first web browser with enhanced ad blocker inside
It's a tricky balance to strike. Obviously, krono, you're right: ff we're being generous the app launch GA tracker they use, they probably consider it shares nothing of value or identifiable, but strictly speaking it's not true that no data shared.
I think the audit you do is actually valuable. In my company's product, BrowserBox^0 (also a browser, funnily enough! focused on remote isolation, privacy & security, and including Tor support), we don't collect anything but we want to add some kind of telemetry regarding usage so we can even basically know how many daily users we have (outside of licensed channels where it's tracked in the contract).
Even tho we don't collect anything, we don't advertise "Zero data collection" anywhere, because of how sensitive I think this topic is. I think we really need to be solid on it, if we're going to say that. And to cover us, in the privacy policy, we say "we may collect some data for operational purposes to ensure the continued running of the service" (paraphrasing), even tho we don't.
One niggle is that we use Chrome in headless mode (can also use Edge / Chromium), and while we appreciate the auto updating quality that Chrome has for security patches, we're cautious that maybe Chrome still collects telemetry and sends it to Google even with headless and correct flags (see for instance: https://github.com/puppeteer/puppeteer/blob/afb7d9eb5854e851...)
I know it's not your job...but what's your advice on how to proceed specifically?
-
How to track anything on the internet or use Playwright for fun and profit
If you've read my previous blog posts or ever experimented with Secutils.dev, you might be familiar with the web resources tracking utility. This utility allows you to monitor changes in web page resources, specifically JavaScript and CSS. While it has a somewhat narrow security-focused purpose — detecting broken or tampered web application deployments — it may not be the type of tool you use daily. Nevertheless, it serves as a good example of what you can build with modern browser automation tools like Playwright and Puppeteer. If you're interested in digging deeper into this specific utility, refer to the following blog post series:
What are some alternatives?
nuclei - Fast and customizable vulnerability scanner based on simple YAML based DSL.
axios - Promise based HTTP client for the browser and node.js
SonarQube - Continuous Inspection
Nightmare - A high-level browser automation library.
mitmproxy - An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.
WKHTMLToPDF - Convert HTML to PDF using Webkit (QtWebKit)
SQLMap - Automatic SQL injection and database takeover tool
Playwright - Playwright is a framework for Web Testing and Automation. It allows testing Chromium, Firefox and WebKit with a single API.
HTML Purifier - Standards compliant HTML filter written in PHP
puppeteer-extra - 💯 Teach puppeteer new tricks through plugins.
awesome-dva - A curated list of "damn vulnerable apps" and exploitable VMs / wargames. See contributing.md for information.
karma - Spectacular Test Runner for JavaScript