In the ideal world, every engagement would grant you source code access and a copy of the application/environment. Having 100% visibility into the static and dynamic environment of an application is incredibly powerful. By its nature, it eliminates the need for guessing and will make attacks significantly more informed and reliable. Simply put, a better job can be done because this is a position of advantage. In all situations less than that ideal, we can use reverse engineering to get into that position. This talk outlines the concepts, strategies, and specific methods I have used to learn the inner workings of websites for exploitation.

We will specifically cover:

* pattern matching to quickly identify technologies
* deductive and inductive reasoning as ways to dial in our understanding
* how to ask informed questions to prove out those assertions
* walkthrough of how code structures look, and what the rendered website will show
* demonstration of decomposition techniques

Andrew has spent the past two decades working with technology. The first half of his career was as a professional software engineer with an emphasis on agile, cloud, and secure development. The second half of his career was as a penetration tester with specialization in application security and training. Andrew has performed hundreds of penetration tests throughout the last decade and led even more. Andrew is a co-founder and ex-main organizer of CactusCon, an ex-Microsoft MVP, the lead of the Sen Security project, and the Vice President of security consulting services for Bishop Fox.