I’m a security researcher and application security engineer focused on vulnerability research, web security, and building tools to make application security easier. I founded the OWASP Indianapolis Chapter in 2005 and curate appsec.fyi, a collection of application security resources.
I’ve worked at Microsoft, Proofpoint, Salesforce, Teradata, and Anthem, and I’ve spoken at DerbyCon and CircleCityCon on topics like extending Burp Suite and Ruby security.
Enhanced Security Guides with 2026 Intelligence
Just completed: 20 comprehensive security guides enhanced with 180+ critical CVEs from 2026 using automated intelligence processing. The only security resource with real-time vulnerability integration powered by analysis of 10,247+ insights with 95.3% accuracy.
Explore Enhanced Security Guides | Updated May 2026
Recent Posts
XSS Prevention Guide - 636 Sources with 2026 CVE Intelligence
Comprehensive XSS Guide. Enhanced May 2, 2026: updated with 636 insights including 2026 XSS techniques, context-aware payload exploitation, and framework-specific attack vectors from automated security research analysis.

A practitioner’s reference for Cross-Site Scripting: attack surface, context-aware payloads, filter/WAF/CSP bypass techniques, framework-specific vulnerabilities, real-world chains, and detection/prevention. Compiled from 636 research sources with automated content analysis and deduplication.

Table of Contents: Fundamentals; Attack Surface & Entry Points; Context-Aware Payloads; Filter Bypass Techniques; WAF Bypasses; CSP Bypass Techniques; Mutation XSS (mXSS); DOM Clobbering & Prototype Pollution; Framework-Specific XSS; AngularJS Sandbox Escapes; postMessage & DOM XSS; SVG, PDF & File Upload XSS; Blind XSS; Weaponized XSS Payloads; Polyglots; Real-World Exploitation Chains; Tools & Automation; Detection & Prevention; Payload Quick Reference; CVE Reference.

1. Fundamentals
XSS occurs when attacker-controlled input is rendered in a victim’s browser as executable code (JavaScript, or markup that leads to JavaScript execution). The victim’s browser runs the injected code with the origin’s privileges: same-origin access to the DOM, API tokens, and session state, plus any cookies not marked HttpOnly (and even HttpOnly cookies are still sent automatically on requests the injected script makes).
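The "rendered as executable code" point above comes down to which parser context the untrusted value lands in. The following is an added example (not code from the guide or from this site) showing one template that splices input into three contexts, the same template with per-context encoding, and a small check for the JS-string breakout. The payloads and the `render_*` function names are constructed for illustration.

```python
import html
import json

# Constructed sample payloads for three injection contexts (not from the original page).
PAYLOAD_HTML = "<img src=x onerror=alert(1)>"       # HTML text-node context
PAYLOAD_ATTR = '" autofocus onfocus=alert(1) x="'    # double-quoted attribute context
PAYLOAD_JS = "</script><script>alert(1)</script>"   # JavaScript string-literal context


def render_vulnerable(name: str, theme: str, token: str) -> str:
    """Deliberately vulnerable: untrusted values concatenated straight into an
    HTML text node, a quoted attribute and a JS string literal."""
    return (
        f'<div class="{theme}">Hello {name}</div>\n'
        f'<script>var token = "{token}";</script>'
    )


def encode_for_html_text(value: str) -> str:
    """Text-node context: neutralise <, >, & and both quote characters."""
    return html.escape(value, quote=True)


def encode_for_attribute(value: str) -> str:
    """Quoted-attribute context: the same escaping suffices only because the
    template always wraps the value in double quotes; an unquoted attribute
    ends at whitespace and would need a much wider set of characters encoded."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """JS-string context: emit a complete string literal (quotes included) and
    hex-escape angle brackets. The HTML tokenizer sees </script> before the JS
    engine runs, so backslash-escaping quotes alone does not stop the breakout."""
    literal = json.dumps(value)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e")


def render_hardened(name: str, theme: str, token: str) -> str:
    """Same template, each value encoded for the context it is emitted into."""
    return (
        f'<div class="{encode_for_attribute(theme)}">Hello {encode_for_html_text(name)}</div>\n'
        f"<script>var token = {encode_for_js_string(token)};</script>"
    )


def script_breakout_count(rendered: str) -> int:
    """Number of </script> closers beyond the single legitimate one; any
    positive value means the JS-string context was escaped."""
    return max(rendered.count("</script>") - 1, 0)


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(f"--- {label} ---")
        print(render(PAYLOAD_HTML, PAYLOAD_ATTR, PAYLOAD_JS))
```

Note that a single "sanitize everything on input" pass cannot substitute for this: the same string needs different encoding depending on where the template puts it, which is why the guide's table of contents treats context-aware payloads and context-specific prevention together.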
Web Security Hub - 2000+ Sources with 2026 CVE Intelligence
Complete Web Vulnerability Prevention Hub. Enhanced May 2026 with 2,000+ sources and real-time CVE intelligence - the only security guide collection with automated 2026 threat integration.

Core Web Vulnerabilities

Injection Attacks
XSS Prevention Guide - 636 sources (+116% expansion): 2026 bypass techniques, modern framework exploits, real-time CVE intelligence
SQL Injection Guide - 113 sources (+223% expansion): ORM/NoSQL variants, database-specific exploits, enterprise platform CVEs
Command Injection & RCE Guide - 628 sources
SSRF Prevention Guide - 686 Sources with 2026 Attack Vectors
Comprehensive SSRF Guide. Enhanced May 2, 2026: updated with AI/MCP risks, CVE-2026-33626 analysis, and modern SSRF exploitation techniques from 686 automated security research sources.

A practitioner’s reference for Server-Side Request Forgery: attack surface, exploitation techniques, bypass methods, real-world chains, and detection/prevention. Compiled from 686 research sources with automated content analysis and deduplication.

Table of Contents: Fundamentals; Attack Surface & Entry Points; IP Address Bypass Techniques; URL Parsing & Protocol Tricks; Cloud Metadata Exploitation; Blind SSRF Techniques; Protocol Smuggling; Framework-Specific SSRF; PDF Generator SSRF; Real-World Exploitation Chains; Tools & Automation; MCP / AI Agent SSRF; IPv6 & DNS Rebinding Bypass Patterns; Detection & Prevention; Payload Quick Reference.

1. Fundamentals
SSRF occurs when an attacker can make a server-side application issue a request (usually HTTP, but any URL scheme the server’s client library accepts) to an attacker-chosen destination. The server acts as a proxy, often with elevated network access (internal services, cloud metadata, localhost) and implicit trust (firewall bypass, authentication context).
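The fundamentals paragraph names the three things a URL check has to cover: the scheme, the destination address, and the trust the server's network position confers. Below is an added example (not code from the guide or from this site) of an outbound-URL validator that handles the IP-spelling and IPv6-mapped tricks listed in the table of contents and returns a pinned address to defeat DNS rebinding. `FAKE_DNS`, `fake_resolve`, `EXTRA_DENY` and `validate_outbound_url` are constructed for illustration; in production `resolve` would wrap `socket.getaddrinfo` and the deny ranges would be tuned to your network.

```python
import ipaddress
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Ranges to deny beyond what ipaddress's is_global already rejects. Assumption for
# this example: nothing legitimate lives in RFC 6598 shared space (some cloud
# providers serve metadata from it).
EXTRA_DENY = [ipaddress.ip_network("100.64.0.0/10")]

# Constructed resolver standing in for DNS so the example runs offline.
FAKE_DNS = {
    "example.com": "93.184.216.34",
    "internal.corp": "10.0.0.5",
    "localhost": "127.0.0.1",
}


def fake_resolve(host: str):
    return FAKE_DNS.get(host.lower())


def _literal_ip(host: str):
    """Accept dotted IPv4, IPv6, bare-integer (2130706433) and hex (0x7f000001)
    host spellings; return None when the host is a name that needs resolving."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(int(host, 0))
    except ValueError:
        return None


def _forbidden(ip) -> bool:
    """True for loopback, private, link-local (169.254.169.254 included),
    reserved and unspecified addresses, after unwrapping IPv4-mapped IPv6."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if not ip.is_global:
        return True
    return any(ip in net for net in EXTRA_DENY)


def validate_outbound_url(url: str, resolve=fake_resolve):
    """Return (ok, reason, pinned_ip). The caller must connect to pinned_ip and
    send the original hostname in the Host header (and not follow redirects);
    letting the HTTP client re-resolve at connect time reopens the DNS-rebinding
    window this check is meant to close."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", None
    if "@" in parts.netloc:
        return False, "userinfo in authority", None
    host = parts.hostname
    if not host:
        return False, "missing host", None
    try:
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    except ValueError:
        return False, "invalid port", None
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed", None
    ip = _literal_ip(host)
    if ip is None:
        resolved = resolve(host)
        if resolved is None:
            return False, "unresolvable host", None
        ip = ipaddress.ip_address(resolved)
    if _forbidden(ip):
        return False, f"{host} resolves to non-public address {ip}", None
    return True, "ok", str(ip)


if __name__ == "__main__":
    for candidate in (
        "https://example.com/api",
        "http://169.254.169.254/latest/meta-data/",
        "http://2130706433/",
        "http://[::ffff:10.0.0.5]/",
        "http://evil.com@example.com/",
    ):
        print(candidate, "->", validate_outbound_url(candidate))
```

A deny-list like this is the weaker half of the defence; where the set of legitimate destinations is known, an allow-list of hostnames checked before resolution is simpler and does not need to anticipate every address-spelling trick.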
API Security Hub - 800+ Sources with 2026 Threat Intelligence
Complete API Security Resource Center. The only API security guides with real-time 2026 vulnerability integration - comprehensive testing, authentication, and modern attack prevention.

Core API Vulnerability Prevention

API Attack Surface Security
API Security Guide - 490 sources (+900% expansion): OWASP API Top 10, 2026 GraphQL vulnerabilities, AI/MCP risks, comprehensive testing; rate limiting, authentication bypasses, API gateway hardening
GraphQL Security Guide - 78 sources: injection techniques, authorization bypasses, introspection attacks; batching, DoS, subscriptions, engine-specific exploitation

Modern API Protocols
JWT Security Guide - 138 sources: algorithm confusion attacks, signature bypasses, library-specific exploits; token security, cryptographic attacks, secure implementation

API Authentication & Access Control

Authentication Systems
Authentication Guide - 97 sources
Comprehensive SQL Injection Guide
Comprehensive SQL Injection Guide. Enhanced May 2, 2026: updated with 113 sources and 2026 SQLi techniques including ORM/NoSQL variants, database-specific exploit chains, and enterprise platform CVEs.

A practitioner’s reference for SQL Injection: attack classes, exploitation techniques, database-specific payloads, WAF bypass methods, ORM/NoSQL variants, real-world CVEs, and detection/prevention. Compiled from 113 research sources including the latest 2026 enterprise platform vulnerabilities.

Table of Contents: Fundamentals; Attack Classes; Entry Points & Injection Contexts; DBMS Fingerprinting; Authentication Bypass; Union-Based Injection; Error-Based Injection; Boolean Blind Injection; Time-Based Blind Injection; Out-of-Band (OOB) Injection; Second-Order SQL Injection; Stacked Queries & Polyglots; WAF Bypass Techniques; Database-Specific Payloads; ORM Injection; NoSQL Injection; SQLi to RCE; Header, Cookie & JSON-Body Injection; Constraint-Based Attacks; Real-World CVEs; Tools & Automation; Detection & Prevention; Payload Quick Reference.

1. Fundamentals
SQL Injection (SQLi) occurs when an attacker can influence the SQL statements that an application sends to its database. The vulnerability arises from the unsafe concatenation of untrusted input into a query string, allowing the attacker to break out of the intended data context and execute attacker-controlled SQL. Injection, with SQLi as its canonical instance, has appeared in every edition of the OWASP Top Ten, and SQLi remains one of the highest-impact classes of web vulnerability despite decades of awareness.
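To make the "break out of the intended data context" mechanism concrete, here is an added example (not code from the guide or from this site) using Python's built-in sqlite3: a login query built by concatenation, the authentication-bypass and union-dump payloads that exploit it, the parameterized form that treats the same input as plain data, and the one place parameters cannot help. The `users` table, its rows and the function names are constructed for illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory fixture. Real systems store salted password hashes;
    plain strings are used here so the injected output stays readable."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")],
    )
    return conn


def login_vulnerable(conn, username: str, password_hash: str):
    """Deliberately vulnerable: values spliced into the statement text, so a
    quote in `username` closes the literal and the remainder is parsed as SQL."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn, username: str, password_hash: str):
    """Fixed: the statement's structure is sent separately from the values,
    so quotes, comment markers and UNION keywords in the input are just data."""
    query = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchall()


# Bound parameters carry values only, never identifiers or keywords. When a
# column name must come from the client (sorting, filtering), check it against
# an allow-list before it touches the statement text.
ALLOWED_SORT_COLUMNS = {"username", "role"}


def sort_column_allowed(sort_by: str) -> bool:
    return sort_by in ALLOWED_SORT_COLUMNS


def list_users(conn, sort_by: str):
    if not sort_column_allowed(sort_by):
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return [row[0] for row in conn.execute(f"SELECT username FROM users ORDER BY {sort_by}")]


if __name__ == "__main__":
    db = make_db()
    bypass = "alice' -- "                                   # comments out the password check
    dump = "' UNION SELECT password_hash, role FROM users -- "  # reads other columns via UNION
    print("vulnerable, auth bypass :", login_vulnerable(db, bypass, "wrong"))
    print("vulnerable, union dump  :", login_vulnerable(db, dump, "wrong"))
    print("parameterized, same input:", login_parameterized(db, bypass, "wrong"))
```

One caveat when reproducing this against other engines: sqlite3's `execute()` refuses more than one statement per call, so stacked-query payloads (`'; DROP TABLE users --`) fail here for a reason unrelated to the application code; the same concatenation against a driver that allows batching would run them.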