Tracing JavaScript Value Origins in Modern SPAs: Breakpoint-Driven Heap Search (BDHS)
Summary: The author presents a CDP-based JavaScript value-tracing technique, Breakpoint-Driven Heap Search (BDHS), which captures a heap snapshot at each debugger pause, searches it for a target value, and identifies the user function in which the value first appears. A Live Object Search feature is also implemented, matching and patching objects in the live runtime. The technique applies to SPA reverse engineering, XSS analysis, and anti-bot logic tracing. 2025-12-5 14:48:50 Author: www.reddit.com

I've been experimenting with a CDP-based technique for tracing the origin of JavaScript values inside modern, framework-heavy SPAs.

The method, called Breakpoint-Driven Heap Search (BDHS), performs step-out-based debugger pauses, captures a heap snapshot at each pause, and searches each snapshot for a target value (object, string, primitive, nested structure, or similarity signature).
It identifies the user-land function where the value first appears, avoiding framework and vendor noise via heuristics.

Alongside BDHS, I also implemented a Live Object Search that inspects the live heap (not just snapshots), matches objects by regex or structure, and allows runtime patching of matched objects.
This is useful for analyzing bot-detection logic, state machines, tainted values, or any internal object that never surfaces in the global scope.

Potential use cases: SPA reverse engineering, DOM XSS investigations, taint analysis, anti-bot logic tracing, debugging minified/obfuscated flows, and correlating network payloads with memory structures.
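As an added example (not code from the original post or the author's tool), the two core steps of BDHS described above, searching a heap snapshot for a target value and picking the first non-vendor pause whose snapshot contains it, run offline over constructed snapshot data laid out like a real V8 `.heapsnapshot` (`snapshot.meta.node_fields`, `node_types`, flat `nodes`, `strings`). The names `makeSnapshot`, `searchSnapshot`, `firstOrigin` and the vendor URL pattern are my own assumptions.

```javascript
// Field and type tables as V8 writes them into snapshot.meta (real layout).
const NODE_FIELDS = ["type", "name", "id", "self_size", "edge_count", "trace_node_id", "detachedness"];
const NODE_TYPES = ["hidden", "array", "string", "object", "code", "closure", "regexp",
  "number", "native", "synthetic", "concatenated string", "sliced string", "symbol", "bigint"];

// Build a tiny snapshot from (type, name) pairs. Constructed test data, not a real capture.
function makeSnapshot(entries) {
  const strings = [];
  const intern = (s) => { let i = strings.indexOf(s); if (i < 0) i = strings.push(s) - 1; return i; };
  const nodes = [];
  entries.forEach(([type, name], idx) => {
    // type index, name string index, object id, self_size, edge_count, trace_node_id, detachedness
    nodes.push(NODE_TYPES.indexOf(type), intern(name), (idx + 1) * 2, 0, 0, 0, 0);
  });
  const meta = { node_fields: NODE_FIELDS, node_types: [NODE_TYPES, "string", "number", "number", "number", "number", "number"] };
  return { snapshot: { meta, node_count: entries.length }, nodes, strings };
}

// Walk the flat `nodes` array once and return every node whose name matches `target`
// (exact string or RegExp). String nodes carry their content as the name, object nodes
// carry their constructor name, so a single pass covers both kinds of search.
function searchSnapshot(snap, target) {
  const fields = snap.snapshot.meta.node_fields;
  const types = snap.snapshot.meta.node_types[0];
  const stride = fields.length;
  const [tIdx, nIdx, idIdx] = ["type", "name", "id"].map((f) => fields.indexOf(f));
  const hits = [];
  for (let i = 0; i < snap.nodes.length; i += stride) {
    const name = snap.strings[snap.nodes[i + nIdx]];
    const matched = target instanceof RegExp ? target.test(name) : name === target;
    if (matched) hits.push({ type: types[snap.nodes[i + tIdx]], name, id: snap.nodes[i + idIdx] });
  }
  return hits;
}

// BDHS first-appearance step: `pauses` is the ordered list of step-out pauses, each tagged
// with the paused function, its script URL and the snapshot taken there. Return the first
// user-land function whose snapshot contains the target, skipping frames whose script URL
// looks like framework or vendor code (heuristic pattern assumed here, not the author's).
function firstOrigin(pauses, target, vendorPattern = /node_modules|\/vendor\/|react-dom/) {
  for (const { fn, url, snapshot } of pauses) {
    if (vendorPattern.test(url)) continue;
    if (searchSnapshot(snapshot, target).length > 0) return fn;
  }
  return null; // value never surfaced in a user-land pause
}
```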

Article source: https://www.reddit.com/r/netsec/comments/1pewyze/tracing_javascript_value_origins_in_modern_spas/