whatisgithub

What is perimeterx_re?

warterbili/perimeterx_re — explained in plain English

Analysis updated 2026-05-18

21JavaScriptAudience · researcherComplexity · 5/5LicenseSetup · hard

In one sentence

A reverse engineering study documenting how PerimeterX's anti-bot SDK generates its verification tokens, with a pure Node.js reimplementation and production test results.

Mindmap

mindmap
  root((PerimeterX_RE))
    What it does
      Token generation research
      Pure Node.js reconstruction
      Production test results
    Tech stack
      JavaScript
      Node.js
      WebAssembly
    Use cases
      Study anti-bot token generation
      Security research on SDK internals
      AI-assisted analysis playbooks
    Audience
      Security researchers
      Reverse engineers

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Study how anti-bot detection SDKs generate browser fingerprint tokens

USE CASE 2

Learn a documented methodology for reverse engineering obfuscated JavaScript

USE CASE 3

Reference production-verified test results against real anti-bot protected APIs

USE CASE 4

Use the included AI playbooks and command-line tools with Claude Code for security research

What is it built with?

JavaScriptNode.jsWebAssembly

How does it compare?

warterbili/perimeterx_reamazingsyp/pokemon-ontologybinglehaepi/workingtable
Stars212121
LanguageJavaScriptJavaScriptJavaScript
Setup difficultyhardeasyeasy
Complexity5/53/51/5
Audienceresearcherresearchergeneral

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard Time to first run · 1day+

Requires deep familiarity with obfuscated JavaScript and cryptographic primitives to follow or extend the research.

Dual licensed under AGPL-3.0 and CC BY-NC-SA 4.0, with restrictions on commercial use and a requirement to share modifications.

So what is it?

This repository is a reverse engineering study of the PerimeterX SDK, an anti-bot and fraud detection product now operated by HUMAN Security. PerimeterX is widely deployed on e-commerce and food delivery platforms, when you visit a site that uses it, the SDK runs JavaScript in your browser that collects signals about your device and behavior, then generates tokens (called _px3 and _px2) that the site's backend checks before allowing requests to proceed. The study documents how those tokens are constructed so they can be generated algorithmically without a browser. The technical approach is pure-algorithm reconstruction: the project recreates the token generation logic in plain Node.js, with no browser, no headless Chrome, no Selenium. It identifies nine core cryptographic and encoding primitives shared across SDK versions and five additional primitives specific to the "bundle" delivery path. The end-to-end generation time is approximately 500 milliseconds. Production-verified results are shown against iFood (a Brazilian food delivery service) and Grubhub (a US food delivery service), with 10 out of 10 requests returning HTTP 200 from live production APIs in the most recent test run. The documentation is substantial: over 20,000 lines covering the SDK's two-path architecture (a lightweight collector path for most traffic and a heavier bundle path for flagged sessions), a 10-chapter methodology section describing the 7-stage reverse engineering workflow, 68 production gotchas that each cost at least an hour of debugging, mouse-track data samples, WebAssembly proof-of-work solutions, and a section on SDK upgrade triage for tracking drift across versions. The study spans three years of longitudinal observation. The repository also includes an AI skill with 9 playbooks and 14 command-line tools designed for integration with Claude Code and similar AI assistants. A browser userscript and a Plan B "env-patching" fallback path for cases where pure-algorithm generation is insufficient are also provided. The project is dual-licensed under AGPL-3.0 and CC BY-NC-SA 4.0 and includes an ethics and responsible disclosure section.

Copy-paste prompts

Prompt 1
Explain the two-path architecture this project describes for anti-bot SDK token generation
Prompt 2
Walk me through the 7-stage reverse engineering methodology documented in this repository
Prompt 3
Summarize the production gotchas this project lists when reconstructing obfuscated token logic
Prompt 4
Help me understand the ethics and responsible disclosure section of this security research project

Frequently asked questions

What is perimeterx_re?

A reverse engineering study documenting how PerimeterX's anti-bot SDK generates its verification tokens, with a pure Node.js reimplementation and production test results.

What language is perimeterx_re written in?

Mainly JavaScript. The stack also includes JavaScript, Node.js, WebAssembly.

What license does perimeterx_re use?

Dual licensed under AGPL-3.0 and CC BY-NC-SA 4.0, with restrictions on commercial use and a requirement to share modifications.

How hard is perimeterx_re to set up?

Setup difficulty is rated hard, with roughly 1day+ to a first successful run.

Who is perimeterx_re for?

Mainly researcher.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.