Reverse engineering has always meant heavyweight tools, complex installations, and serious privacy concerns. What if you could disassemble binaries, analyze malware, and explore firmware directly in your browser without sending a single byte to a server? Enter RzWeb – a complete browser-based reverse engineering platform that runs the full power of Rizin through WebAssembly, transforming your browser into a privacy-first analysis powerhouse.
This breakthrough tool eliminates setup friction, works entirely offline after first load, and gives security researchers instant access to professional-grade static analysis. In this deep dive, you'll discover how RzWeb works under the hood, master its terminal commands, explore real-world use cases, and learn why this might be the most disruptive security tool of 2024.
What Is RzWeb?
RzWeb is a cutting-edge, open-source reverse engineering platform that brings the entire Rizin framework into your web browser through the magic of WebAssembly (WASM). Created by security researcher IndAlok, this tool fundamentally reimagines how we approach binary analysis by eliminating the traditional barriers of installation, configuration, and data privacy.
At its core, RzWeb is a sophisticated React application that loads a WASM-compiled version of Rizin, the powerful open-source reverse engineering framework forked from radare2. The moment you drop a binary onto the interface, RzWeb spawns a complete Rizin instance inside your browser's memory sandbox. Every disassembly operation, string extraction, and control flow graph generation happens locally on your machine – your files never traverse the network.
The timing couldn't be better. As organizations lock down workstations with strict installation policies and security researchers demand greater privacy, browser-based tools have emerged as the next frontier. WebAssembly has matured into a performance powerhouse, capable of running complex C/C++ codebases like Rizin at near-native speeds. RzWeb capitalizes on this convergence, offering a zero-trust analysis environment where you maintain complete control of your data.
What makes RzWeb genuinely revolutionary is its stateless architecture. Each Rizin command executes as a fresh WASM invocation, ensuring isolation between operations while enabling powerful command chaining. The companion rzwasi repository houses the Emscripten-compiled Rizin core, meticulously optimized for browser execution. This separation allows RzWeb to stay lightweight while the heavy lifting happens in the WASM module.
Key Features That Set RzWeb Apart
Full-Fledged Terminal Access
The integrated terminal, powered by xterm.js, delivers a complete Rizin CLI experience. This isn't a limited command wrapper – it's the actual Rizin interface. Execute pdf to disassemble functions, afl to list all detected functions, px for hex dumps, or chain complex sequences with semicolons. The terminal supports command history, autocomplete, and real-time output rendering, making it feel indistinguishable from a native installation.
Syntax-Highlighted Disassembly Engine
RzWeb's disassembly view goes beyond basic assembly display. It features intelligent syntax highlighting for opcodes, registers, and immediate values. Click any address to navigate instantly – the view updates dynamically, showing cross-references and maintaining your analysis context. The highlighting engine understands multiple architectures, from x86_64 to ARM64, making complex code patterns visually digestible.
Interactive Control Flow Graphs
Visual analysis becomes effortless with automatically generated CFGs. Each function's control flow graph renders as an interactive SVG, showing basic blocks, conditional jumps, and loop structures. Hover over blocks to preview disassembly, click to navigate, and export graphs for documentation. This visual approach helps identify complex program logic that text disassembly might obscure.
Real-Time Hex Dump Inspector
The hex view synchronizes with your navigation. Jump to any offset via the terminal or disassembly view, and the hex dump updates instantly. It supports multiple display formats – hex, decimal, octal – and includes ASCII representation. The inspector highlights selected bytes and shows data interpretations (dwords, qwords, floats) on demand.
Automated String Extraction
RzWeb automatically extracts all printable strings from loaded binaries, filtering by minimum length and encoding type. This reveals hardcoded URLs, error messages, encryption keys, and configuration data. The strings view is searchable and clickable – selecting a string jumps you to its location in the binary.
Privacy-First Architecture
Zero data transmission defines RzWeb's philosophy. The entire analysis pipeline – from file loading to final report – executes within your browser's security sandbox. The WASM module runs in a dedicated memory space, and even the companion rzwasi module can be cached for offline use. This makes RzWeb ideal for analyzing sensitive malware samples or proprietary firmware on air-gapped systems.
Universal Binary Format Support
RzWeb inherits Rizin's extensive format support: ELF (Linux executables and shared libraries), PE/PE+ (Windows executables and DLLs), Mach-O (macOS and iOS binaries), and Raw firmware dumps. It handles 32-bit and 64-bit variants across x86, ARM, MIPS, PowerPC, and dozens of other architectures.
Real-World Use Cases Where RzWeb Dominates
Corporate Security Analysis On Locked-Down Machines
Enterprise environments often prohibit installing security tools on workstations. RzWeb bypasses this entirely – open Chrome, load the live deployment, and analyze suspicious email attachments or insider threat binaries without violating IT policy. The browser-based approach means no installation packages, no registry changes, and no evidence left behind after closing the tab.
Rapid Malware Triage During Incident Response
When a new malware sample hits your SOC, speed matters. Instead of spinning up a sandbox VM, simply drag the binary into RzWeb. Run aaa for deep analysis, afl to see function count, and izz to extract strings. Within seconds, you can identify C2 servers, persistence mechanisms, and encryption routines – all from your primary workstation without risking contamination.
Educational Workshops And Capture The Flag Events
Setting up reverse engineering labs for students is notoriously painful. RzWeb eliminates this friction entirely. Share a URL, and every student has an identical environment. In CTF competitions, participants can analyze binaries on any device – even tablets or Chromebooks. The consistent interface reduces support overhead and lets educators focus on teaching concepts rather than debugging installations.
IoT Firmware Analysis In The Field
Embedded security researchers often work with limited connectivity. RzWeb's offline capability shines here – cache the WASM module once, then analyze firmware dumps from IoT devices anywhere. The raw format support handles unconventional binaries that standard tools reject. Identify hardcoded credentials, backdoor accounts, and vulnerable services directly from your laptop in the field.
Cross-Platform Collaboration Between Teams
Mixed OS environments (Linux analysts, Windows developers, macOS managers) create toolchain fragmentation. RzWeb unifies everyone on a single platform – the browser. Share analysis sessions by exporting terminal logs or CFG screenshots. Team members can replicate findings instantly without worrying about OS-specific Rizin builds or dependency hell.
Step-By-Step Installation & Setup Guide
Prerequisites
RzWeb requires Node.js 18+ and npm for local development. The live deployment needs only a modern browser supporting WebAssembly (Chrome 75+, Firefox 67+, Safari 14+).
Local Development Setup
# Clone the repository from GitHub
git clone https://github.com/IndAlok/rzweb
cd rzweb
# Install dependencies
npm install
# Start the development server
npm run dev
The development server launches on http://localhost:3000 with hot-reloading enabled. The first load fetches the rzwasi WASM module (~15MB) – subsequent loads use browser cache.
Production Build
# Create an optimized production build
npm run build
# Serve the static files
npm run preview
Architecture Deep Dive
The frontend stack combines React 18 with TypeScript for type safety, Tailwind CSS for rapid UI development, and Zustand for lightweight state management. The terminal interface leverages xterm.js, the same library powering VS Code's integrated terminal.
The critical component is the WASM bridge. The rzwasi repository contains Rizin compiled via Emscripten with specific flags:
# Emscripten compilation flags (from rzwasi)
-s WASM=1
-s ALLOW_MEMORY_GROWTH=1
-s MODULARIZE=1
-s EXPORT_NAME='RizinModule'
These flags enable dynamic memory allocation for large binaries and create a JavaScript wrapper for seamless browser integration. The WASM module exposes Rizin's C API through JavaScript bindings, allowing RzWeb to pipe commands and retrieve output synchronously.
Offline Configuration
For air-gapped use, pre-download the WASM module:
# Download rzwasi release
wget https://github.com/IndAlok/rzwasi/releases/latest/download/rzwasi.wasm
wget https://github.com/IndAlok/rzwasi/releases/latest/download/rzwasi.js
# Place in public/ directory
mkdir -p public/wasm
cp rzwasi.* public/wasm/
# Update import path in src/worker/rizin.ts
Real Code Examples From The Repository
Installation Commands
The README provides the exact setup sequence:
# Clone and enter the project directory
git clone https://github.com/IndAlok/rzweb
cd rzweb
# Install Node.js dependencies
npm install
# Launch development environment
npm run dev
These commands establish the complete development environment. The npm install step pulls approximately 200MB of dependencies, including React, TypeScript compiler, and build tools. npm run dev invokes Vite's development server, which provides instant hot module replacement for rapid iteration.
Core Rizin Command Patterns
RzWeb supports the full Rizin command set. Here are essential patterns from the documentation:
# Disassemble the current function
pdf
# List all functions
afl
# Hex dump at current offset
px
# Chain commands to navigate and disassemble main
s main;pdf
Command Breakdown:
pdf(Print Disassembly Function) analyzes the current function, showing assembly instructions with addressesafl(Analyze Functions List) displays all detected functions with their addresses and sizespx(Print Hex) dumps memory in hexadecimal and ASCII formatss main;pdfcombines seek to themainfunction with immediate disassembly
Advanced Analysis Workflow
For comprehensive binary analysis, use this command sequence:
# Perform deep analysis on all functions
aaa
# Seek to interesting string location
s 0x00401234
# Extract strings in the binary
izz
# Generate control flow graph for current function
agf
Implementation Details:
aaaruns iterative analysis: auto-naming functions, detecting strings, and identifying data referencesizzextracts all strings regardless of sections, perfect for finding hidden C2 domainsagf(Analyze Graph Function) outputs Graphviz format for visual rendering
Handling Large Files
When binaries exceed 1MB, auto-analysis disables automatically. Manually trigger analysis:
# For files over 1MB, run analysis manually
aa
# Then proceed with normal commands
afl
pdf @ main
The @ symbol specifies a temporary seek location without changing the current offset – crucial for maintaining context during extensive analysis sessions.
Advanced Usage & Best Practices
Command Chaining Mastery
Since RzWeb runs stateless commands, master semicolon chaining:
# Seek, analyze, and disassemble in one line
s main;af;pdf
# Analyze all, list functions, then disassemble the largest
aaa;afl~[0];?e $$;s `afl~[0]:1`;pdf
Performance Optimization
- Cache the WASM module: After first load, the browser caches rzwasi.wasm. Enable Service Workers for true offline capability
- Incremental analysis: For massive binaries, use
aainstead ofaaato avoid timeout - Selective loading: Analyze specific functions with
af @ 0x401000rather than whole binary
Privacy Hardening
- Run RzWeb in a private browsing window to prevent cache persistence
- Use browser developer tools to monitor network – verify zero data transmission
- For ultra-sensitive samples, deploy locally and disconnect from network after WASM load
Extending RzWeb
The modular architecture invites customization:
// Add custom commands in src/lib/rizin-adapter.ts
export const customAnalysis = async (file: Uint8Array) => {
await loadBinary(file);
// Your custom analysis pipeline
await rizin.exec('aaa');
const functions = await rizin.exec('afl');
return parseFunctions(functions);
};
Comparison With Alternatives
| Feature | RzWeb | Ghidra | IDA Pro | Cutter | Binary Ninja |
|---|---|---|---|---|---|
| Platform | Browser (Any OS) | Desktop (Win/Linux/macOS) | Desktop (Win/Linux/macOS) | Desktop (Win/Linux/macOS) | Desktop (Win/Linux/macOS) |
| Installation | None required | Heavy (JDK + 500MB) | Complex (license + 2GB) | Moderate (200MB) | Moderate (300MB) |
| Privacy | 100% local | Local | Local | Local | Local |
| Price | Free (Open Source) | Free | $1975+ | Free | $299+ |
| Analysis Speed | Moderate (WASM) | Fast (Native) | Very Fast (Native) | Fast (Native) | Fast (Native) |
| Debugger | No (browser limitation) | Yes | Yes | Yes | Yes |
| Collaboration | Share URLs | Project sharing | Limited | Limited | Cloud option |
| Learning Curve | Low (familiar CLI) | Steep | Moderate | Low | Moderate |
Why Choose RzWeb?
Accessibility is RzWeb's killer feature. Security consultants can analyze binaries on client machines without installation rights. Students learn reverse engineering on school Chromebooks. Incident responders triage samples from any device during travel.
Privacy reaches new heights – not even temporary files touch disk. Everything resides in memory, purged when the tab closes. For organizations with strict data handling policies, this is a game-changer.
Zero Configuration means no dependency hell, no version conflicts, no "works on my machine" problems. The live deployment at https://rzweb.app (example) provides instant access to the latest stable version.
Frequently Asked Questions
Is RzWeb truly private? Do my files get uploaded?
Absolutely private. RzWeb uses the File API to read binaries directly into browser memory. The WASM module processes data locally – no network requests contain your binary. Verify this by opening browser DevTools Network tab; you'll see only the initial WASM fetch, never your file data.
What's the maximum file size RzWeb can handle?
Technically limited by browser memory (typically 2-4GB per tab). Practically, files over 1MB disable auto-analysis to prevent UI freezing. You can manually analyze large files with aa, but expect slower performance due to single-threaded WASM execution.
Can I use RzWeb completely offline?
Yes. After first load, the browser caches the WASM module. For true offline use, clone the repository and run locally with npm run dev. The PWA manifest enables installation as a desktop app with full offline capability.
How does RzWeb compare to running Rizin natively?
Feature parity is 95%+ for static analysis. The main differences: no debugger (browser security limitation), single-threaded performance, and stateless command execution. For pure static analysis, RzWeb matches native Rizin. For dynamic analysis, use native Rizin or Cutter.
What binary formats and architectures work?
RzWeb supports all Rizin formats: ELF, PE/PE+, Mach-O, and raw firmware dumps. Architectures include x86, x86_64, ARM, ARM64, MIPS, PowerPC, AVR, and dozens more. If Rizin supports it, RzWeb supports it.
Why doesn't RzWeb include a debugger?
Browser security models prohibit ptrace and process manipulation. WASM runs in a sandbox without access to host processes. This is a fundamental limitation, not a missing feature. For debugging, pair RzWeb with native tools – use RzWeb for static analysis, then switch to Rizin/Cutter for dynamic debugging.
How do I handle very large binaries that freeze the browser?
Use incremental analysis: load the binary, then run aa (basic analysis) instead of aaa (deep analysis). Target specific functions with af @ address. If the UI becomes unresponsive, close the tab and reopen – the stateless design means you lose nothing but can restart fresh.
Conclusion
RzWeb represents a paradigm shift in reverse engineering tooling. By leveraging WebAssembly's near-native performance and the browser's universal accessibility, IndAlok has created a tool that democratizes binary analysis while maximizing privacy. The stateless architecture, while initially unfamiliar, forces better command hygiene and enables unprecedented portability.
For security professionals, RzWeb is now the fastest path from "suspicious binary" to actionable intelligence. For educators, it removes the setup barrier that prevents many students from learning reverse engineering. For the community, it proves that complex security tools can live in the browser without compromising capability.
The limitations – no debugger, single-threaded performance – are reasonable tradeoffs for the benefits. As WebAssembly gains threading support and browsers evolve, expect these constraints to disappear.
Ready to transform your reverse engineering workflow? Visit the RzWeb GitHub repository to clone, star, and start analyzing binaries in your browser today. The future of reverse engineering is here, and it runs entirely client-side.
