While working at Intruder, all of my research is published on their research blog. Here are the projects I’ve worked on:

Practical HTTP Header Smuggling: Sneaking Past Reverse Proxies to Attack AWS and Beyond

This is a research project covering a methodology to determine how headers can be modified to smuggle them through to back-end servers without the front-end processing them. This project was also presented at Black Hat Europe 2021 - you can watch the talk here.

https://www.intruder.io/research/practical-http-header-smuggling

In GUID We Trust

A walk-through of exploiting a password reset functionality that used v1 GUIDs as tokens. This also included the release of a tool for exploiting predictable GUIDs.

https://www.intruder.io/research/in-guid-we-trust

Detecting Server-Side Prototype Pollution

A methodology for identifying and exploiting server-side prototype pollution vulnerabilities in Node.js applications in black-box scenarios.

https://www.intruder.io/research/server-side-prototype-pollution

We Hacked Ourselves With DNS Rebinding

Part 1 of a 2-part series on DNS rebinding attacks, covering how I exploited a DNS rebinding vulnerability in Intruder’s own portal to gain AWS access.

https://www.intruder.io/research/we-hacked-ourselves-with-dns-rebinding

Tricks for Reliable Split-Second DNS Rebinding in Chrome and Safari

Part 2 of the DNS rebinding series. In this post, I introduce new techniques for achieving reliable, split-second DNS rebinding in Chrome, Edge, and Safari when IPv6 is available, as well as a technique for bypassing the local network restrictions applied to the fetch API in Chromium-based browsers.

https://www.intruder.io/research/split-second-dns-rebinding-in-chrome-and-safari