About
This training is designed for penetration testers, security researchers, application analysts, and any professional who wants to master web application reverse engineering through hands-on work. By the end of the session, you will have a solid understanding of how to decompose an unknown web application: identify anchor points for a security assessment, map its architecture and control flow, detect infrastructure patterns, validate exploits using internal application details, and build technical documentation that speeds up exploitation.
Full Agenda
Welcome and Workshop Framing
Overview of the goals and structure of the workshop
Why reverse engineering matters in general, and when you might want to do it
What reverse engineering really means in the context of the web (logical decomposition, mental modeling, and evidence-based validation)
Strategy: Why Decomposition Works
Mapping unknowns through observation, using deductive and inductive reasoning
Explanation of each kind of reasoning
How to apply each when facing a web application
How reverse engineering identifies anchor points for assessment, such as boundaries, control flow, and likely problem areas
How this helps the assessment
Examples
Boundaries: Where control or data enters/leaves (e.g., input forms, API endpoints)
Control Flow: Where logic decisions are made (e.g., auth checks, parameter handling)
Problematic Areas: Features that handle user input, serialization, or interact with file systems
Using internal or self-referencing details to validate blind attacks
Application Decomposition Tasks
Spotting architectural patterns in engineering
Explain how design influences the way we exploit vulnerabilities
URL Semantics: using URLs to infer data flow, routes and logic, and logical functional areas
Single-page applications and how to identify their functionality quickly
JavaScript, and quick ways to infer functionality with AI assistance
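The URL-semantics and anchor-point ideas above can be shown concretely. The script below is an added example written for this page, not course material from the trainers: it takes a constructed list of harvested URLs, collapses identifier-like path segments into route templates, groups them by functional area, and flags the templates that make good assessment anchors (object identifiers, privileged areas, query parameters, file or export endpoints). The hostname, paths and the area heuristic are all assumptions for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of URLs as they might be harvested from a crawl, a JS
# bundle or a proxy history. Illustrative only, not from any real target.
SAMPLE_URLS = [
    "https://app.example.test/api/v2/users/1042",
    "https://app.example.test/api/v2/users/1043/orders",
    "https://app.example.test/api/v2/orders/7f3b2c1e-0d9a-4b3e-8a1f-2c4d5e6f7a8b",
    "https://app.example.test/api/v2/orders/7f3b2c1e-0d9a-4b3e-8a1f-2c4d5e6f7a8b/invoice.pdf",
    "https://app.example.test/admin/reports/export?format=csv&from=2024-01-01",
    "https://app.example.test/admin/users/1042/impersonate",
    "https://app.example.test/login?next=%2Fadmin",
    "https://app.example.test/static/js/main.3f2a1b.js",
    "https://app.example.test/api/v2/users/1042",  # duplicate, should collapse
]

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
HASH_RE = re.compile(r"^[0-9a-f]{6,64}$", re.I)


def normalize_segment(seg: str) -> str:
    """Replace identifier-like path segments with placeholders so that
    /users/1042 and /users/1043 collapse into the same route template."""
    if seg.isdigit():
        return "{int}"
    if UUID_RE.match(seg):
        return "{uuid}"
    # Build hashes inside static file names, e.g. main.3f2a1b.js
    parts = seg.split(".")
    if len(parts) >= 3 and HASH_RE.match(parts[-2]):
        return ".".join(parts[:-2] + ["{hash}", parts[-1]])
    return seg


def infer_routes(urls):
    """Return {route_template: {"count": n, "params": set(...), "area": str}}.
    The first path segment (or the first three for /api/vN/resource) is treated
    as the functional area; this is a heuristic, not a rule every app follows."""
    routes = defaultdict(lambda: {"count": 0, "params": set(), "area": ""})
    for url in urls:
        parts = urlsplit(url)
        segs = [s for s in parts.path.split("/") if s]
        template = "/" + "/".join(normalize_segment(s) for s in segs)
        if segs and segs[0] == "api" and len(segs) > 2:
            area = "/".join(segs[:3])  # e.g. api/v2/users
        else:
            area = segs[0] if segs else "/"
        entry = routes[template]
        entry["count"] += 1
        entry["area"] = area
        entry["params"].update(k for k, _ in parse_qsl(parts.query, keep_blank_values=True))
    return dict(routes)


def anchor_points(routes):
    """Flag templates worth a closer look: anything that takes an object
    identifier (per-object authorization), anything under /admin (access
    control), anything that takes parameters (input handling), and anything
    that looks like a file download or export (path and format handling)."""
    flagged = {}
    for template, info in routes.items():
        reasons = []
        if "{int}" in template or "{uuid}" in template:
            reasons.append("object identifier in path: check authorization per object")
        if template.startswith("/admin"):
            reasons.append("privileged area: check access control")
        if info["params"]:
            reasons.append("query parameters: " + ", ".join(sorted(info["params"])))
        if re.search(r"\.(pdf|csv|xml|zip)$", template) or "export" in template:
            reasons.append("file/export endpoint: check path and format handling")
        if reasons:
            flagged[template] = reasons
    return flagged


if __name__ == "__main__":
    routes = infer_routes(SAMPLE_URLS)
    for template, info in sorted(routes.items()):
        print(f"{info['count']:2d}  {template:55s}  area={info['area']}")
    print()
    for template, reasons in anchor_points(routes).items():
        print(template)
        for reason in reasons:
            print("   -", reason)
```

On the constructed input the nine URLs collapse to eight templates, and the static JS bundle is the only one that is not flagged. In practice the flagged list is the starting point for the internal documentation the agenda describes: each template gets a note on what enters, what decision is made, and what internal detail (an ID format, a version string, an error shape) can later confirm a blind exploit.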
Infrastructure Decomposition
Tracking the outside perimeter of an application space (how to infer the edge)
Subdomain enumeration and TLS certificate transparency logs help define "what belongs."
Tracking JS/CSS includes and image CDNs can reveal domain ownership.
Platform detection and middleware clues
Headers
Tools
Specific routes
Errors
Building internal documentation to assist with exploitation
Patterns commonly used in caching, scaling, and proxies, and how to review them to see how the infrastructure is composed
Behavioral
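As an added example for the platform-detection and caching/proxy items above (not course material from the trainers), the script below runs simple clue-matching over a constructed set of captured responses: server and middleware headers, session cookie names, and the version string an error page leaks that the edge hides on normal responses. A second function reads the cache headers per request to show which paths an intermediary serves from cache. All header values, cookie names, versions and the layer labels are assumptions for illustration; the rules produce hypotheses to confirm by behaviour, not proof of what is running.

```python
import re

# Constructed sample responses as they might appear in a proxy history.
# Illustrative only, not from any real target. Set-Cookie is shown as a
# single header here; real captures may carry several.
SAMPLE_RESPONSES = {
    "GET /": {
        "status": 200,
        "headers": {
            "Server": "cloudflare",
            "CF-Ray": "8a1b2c3d4e5f6789-SJC",
            "Via": "1.1 varnish",
            "X-Cache": "HIT",
            "Age": "143",
            "Cache-Control": "public, max-age=300",
            "Set-Cookie": "JSESSIONID=2A6F0C; Path=/; HttpOnly",
            "X-Powered-By": "Servlet/3.1",
        },
        "body": "<html><head><title>Home</title></head>",
    },
    "GET /account": {
        "status": 200,
        "headers": {
            "Server": "cloudflare",
            "Via": "1.1 varnish",
            "X-Cache": "MISS",
            "Cache-Control": "private, no-store",
            "Set-Cookie": "JSESSIONID=7C0D11; Path=/; HttpOnly",
        },
        "body": "<html>account page</html>",
    },
    "GET /doesnotexist": {
        "status": 404,
        "headers": {"Server": "cloudflare"},
        "body": '<h1>HTTP Status 404</h1><hr class="line" /><h3>Apache Tomcat/9.0.65</h3>',
    },
}

# (header, pattern, layer, label): one clue each for the edge, cache and app layers.
HEADER_RULES = [
    ("Server", re.compile(r"cloudflare", re.I), "edge", "Cloudflare"),
    ("CF-Ray", re.compile(r"."), "edge", "Cloudflare"),
    ("Via", re.compile(r"varnish", re.I), "cache", "Varnish"),
    ("X-Powered-By", re.compile(r"servlet", re.I), "app", "Java servlet container"),
    ("X-Powered-By", re.compile(r"php", re.I), "app", "PHP"),
    ("X-Powered-By", re.compile(r"asp\.net", re.I), "app", "ASP.NET"),
    ("X-Powered-By", re.compile(r"express", re.I), "app", "Node.js/Express"),
]
COOKIE_RULES = [
    (re.compile(r"^JSESSIONID=", re.I), "app", "Java servlet container"),
    (re.compile(r"^PHPSESSID=", re.I), "app", "PHP"),
    (re.compile(r"^ASP\.NET_SessionId=", re.I), "app", "ASP.NET"),
    (re.compile(r"^connect\.sid=", re.I), "app", "Node.js/Express"),
]
# Error bodies often carry a version the edge strips from headers.
ERROR_RULES = [
    (re.compile(r"Apache Tomcat/([\d.]+)"), "app", "Apache Tomcat {0}"),
    (re.compile(r"nginx/([\d.]+)"), "origin", "nginx {0}"),
    (re.compile(r"Apache/([\d.]+)"), "origin", "Apache httpd {0}"),
]


def fingerprint(responses):
    """Collect platform and middleware clues across all responses.
    Returns {layer: set(labels)} for the layers edge, cache, origin, app."""
    found = {"edge": set(), "cache": set(), "origin": set(), "app": set()}
    for resp in responses.values():
        headers = resp["headers"]
        for name, pattern, layer, label in HEADER_RULES:
            value = headers.get(name)
            if value is not None and pattern.search(value):
                found[layer].add(label)
        for pattern, layer, label in COOKIE_RULES:
            if pattern.search(headers.get("Set-Cookie", "")):
                found[layer].add(label)
        if resp["status"] >= 400:  # only error pages are searched for leaks
            for pattern, layer, label in ERROR_RULES:
                match = pattern.search(resp["body"])
                if match:
                    found[layer].add(label.format(match.group(1)))
    return found


def cache_behaviour(responses):
    """Per request, report whether an intermediary served it from cache and
    whether the origin marked it private. Paths served from a shared cache are
    the ones a cache poisoning or deception attempt would affect."""
    result = {}
    for req, resp in responses.items():
        h = resp["headers"]
        cc = h.get("Cache-Control", "").lower()
        cached = h.get("X-Cache", "").upper().startswith("HIT") or int(h.get("Age", "0")) > 0
        private = "private" in cc or "no-store" in cc
        result[req] = {"served_from_cache": cached, "marked_private": private}
    return result


if __name__ == "__main__":
    for layer, labels in fingerprint(SAMPLE_RESPONSES).items():
        print(f"{layer:7s} {sorted(labels)}")
    for req, info in cache_behaviour(SAMPLE_RESPONSES).items():
        print(f"{req:20s} {info}")
```

Read the two outputs together: the edge (Cloudflare) and a Varnish cache sit in front of a Java servlet container, the 404 page names the Tomcat version the normal responses never expose, and only the home page is served from the shared cache while the account page is marked private. That layering tells you where a request is answered before it reaches the application, which is exactly the composition question the agenda item raises.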
Hands-on Lab: Reverse the Unknown
Using a provided lab, participants will apply the lessons above to:
Map an application structure to areas of exploitation
Use details hidden in the app to validate an exploit
Identify security relevant content
Debrief
Discuss the types of findings and review the participants' analyses
Requirements
Bring your own device
Trainers
Andrew Wilson
Andrew is a cybersecurity executive and Board Advisor at Common Ground Security with extensive experience in offensive security and AI research. As co-founder of CactusCon, he has built security communities for over 14 years. Previously, he served as VP at Avertium, where he successfully launched a SOC in Guadalajara. Andrew also served as Adjunct Faculty at Universidad de Guadalajara, where he designed and launched a diploma program in offensive web security, and held leadership positions at Bishop Fox managing LATAM operations.
Abraham De León Gutiérrez
Abraham is a Penetration Tester at Common Ground Security specializing in web application and mobile security testing. He previously worked in Cloud Security at Baxter International Inc. His expertise spans application security, mobile pentesting, and cloud security.
