Your Login Page Is Lying: What AI Agents Find When They Read Your Frontend
Praetorian shows how single-page applications leak useful attack surface data because unauthenticated visitors still receive the full JavaScript bundle, including route definitions, API endpoint URLs, auth and token-refresh logic, and frontend data models. The post focuses on using AI-assisted analysis to de-minify and reason over bundled code, then pivot into backend testing by enumerating exposed endpoints, fuzzing predictable identifiers, and identifying authorization flaws such as IDORs and unauthenticated APIs. A concrete case study describes an API Gateway-backed endpoint that returned a 500 error with a stack trace exposing the underlying AWS Lambda hostname; the Lambda URL was directly reachable and did not enforce the gateway’s authentication, creating a backend-auth bypass. The main takeaway is that SPA bundles are a high-value recon source for mapping backend topology, finding hidden services, and uncovering trust assumptions where developers rely on the frontend or gateway layer rather than enforcing auth at each backend service.