5 Comments
وليد نعيم بن رفيق مجاهد's avatar

Interesting article. I'm going to have to look over my projects and see where AI might be relevant.

I am most fascinated by this statement: "AI helps analyze JavaScript, identify API endpoints, and reverse-engineer request payloads."

Can you provide a more detailed case where you've done this? At the moment I'm imagining somehow feeding network logs and compressed/obfuscated javascript to some LLM and somehow it figuring things out. But maybe that's not how it works? How would you use AI in the website reverse engineering process?

For me it's all manual, and I actually enjoy the process manually. I love living in the performance flame graphs and debugger in devtools, plus building xhr requests, deobfuscating sections of javascript that seem relevant, following evals through, etc. I feel a bit fearful of a tool taking that "fun" away, but having tools (custom or otherwise) that could help could definitely help me make money, so it's a balance I think. At the same time, if there was a record and replay style software (preferably open source) that somehow utilised AI, that would be fascinating to study and use for more scaled up projects for where "fun" wears out quickly.

The Scraper's avatar

The goal of using AI is not to use it just because, but rather use it to optimize your work.

If you like the manual process that is good, try only to apply AI where you know you need it.

My mantra is AI should be my sidekick, do the stuff I do not want to do. If you do not want to use it in the reconnaissance phase, try to use it in change detection or data validation.

The Scraper's avatar

Great comment!

I relate to a lot of what you said. I also enjoy the manual process: digging through flame graphs, deobfuscating JS, replaying XHRs, etc. It’s like digital archaeology.

That said, AI can actually enhance that process, not take away the fun. For example, I recently worked on a booking site where the frontend JS dynamically generated endpoints and payloads. Nothing was exposed statically, and the JS was heavily obfuscated.

Here’s where AI helped:

• I used a proxy to capture HAR logs and JS bundles.

• Then fed tricky JS functions to an LLM to get a quick summary of what they were doing.

• I also used AI to identify patterns in the request payloads and help generate variations to replay them properly.

It didn’t replace me — it just sped up the boring parts so I could focus on the interesting ones.

You also mentioned the idea of record/replay tools with AI. That’s actually where things are heading. Combining tools like Playwright or mitmproxy with LLMs opens up some exciting use cases — auto-annotating network flows, summarizing JS logic, etc. Nothing fully open source and plug-and-play yet, but there’s a lot of potential.

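Added example (not part of the comment above and not the commenter's code): one way to prepare a HAR capture before handing it to an LLM, as the workflow in that comment describes. It redacts credential-bearing headers, groups requests by path template, and reports the payload fields seen per endpoint. The host `booking.example`, the field names, and the header list are constructed assumptions.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample: a minimal HAR 1.2 capture with two API calls (not real traffic).
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "POST", "url": "https://booking.example/api/v2/rooms/1842/quote?t=1",
                 "headers": [{"name": "Authorization", "value": "Bearer CONSTRUCTED"},
                             {"name": "Content-Type", "value": "application/json"}],
                 "postData": {"mimeType": "application/json",
                              "text": '{"checkIn": "2025-01-03", "nights": 2, "sig": "ab12"}'}}},
    {"request": {"method": "POST", "url": "https://booking.example/api/v2/rooms/77/quote?t=2",
                 "headers": [{"name": "Cookie", "value": "sid=CONSTRUCTED"}],
                 "postData": {"mimeType": "application/json",
                              "text": '{"checkIn": "2025-02-10", "nights": 1, "sig": "cd34", "promo": null}'}}},
]}}

# Assumed list of headers that carry session material; extend for the target at hand.
SENSITIVE = {"authorization", "cookie", "set-cookie", "x-api-key"}

def path_template(url):
    """Collapse numeric or long-hex path segments so similar calls group together."""
    path = urlsplit(url).path  # query string is dropped on purpose
    return re.sub(r"/(\d+|[0-9a-fA-F]{16,})(?=/|$)", "/{id}", path)

def summarize_har(har):
    """Redact sensitive headers in place; return (endpoint -> field types, redacted names)."""
    endpoints, redacted = {}, set()
    for entry in har["log"]["entries"]:
        req = entry["request"]
        for header in req.get("headers", []):
            if header["name"].lower() in SENSITIVE:
                header["value"] = "[REDACTED]"
                redacted.add(header["name"].lower())
        fields = endpoints.setdefault(f'{req["method"]} {path_template(req["url"])}', {})
        body = req.get("postData", {})
        if "json" not in body.get("mimeType", ""):
            continue
        try:
            payload = json.loads(body.get("text", ""))
        except json.JSONDecodeError:
            continue  # malformed or truncated body: keep the endpoint, skip its fields
        if isinstance(payload, dict):
            for name, value in payload.items():
                fields.setdefault(name, set()).add(type(value).__name__)
    summary = {ep: {f: sorted(t) for f, t in fs.items()} for ep, fs in endpoints.items()}
    return summary, sorted(redacted)
```

Body fields and query parameters can also hold tokens, so review the summary and the redacted HAR before sharing either with a third-party model.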
وليد نعيم بن رفيق مجاهد's avatar

Thanks for sharing. This seems really exciting.
