I’m a security researcher and application security engineer focused on vulnerability research, web security, and building tools to make application security easier. I founded the OWASP Indianapolis Chapter in 2005 and curate appsec.fyi, a collection of application security resources.
I’ve worked at Microsoft, Proofpoint, Salesforce, Teradata, and Anthem, and I’ve spoken at DerbyCon and CircleCityCon on topics like extending Burp Suite and Ruby security.
Recent Posts
Python SSRF Prevention: Complete Developer Guide with Code Examples [2026]
I’ve been hunting SSRF bugs in Python applications for over five years, and the number of vulnerable codebases I encounter is honestly terrifying. Flask apps with requests.get(user_input) scattered everywhere. Django views that blindly fetch URLs from form data. FastAPI endpoints that turn your server into an attacker’s proxy. The worst part? Most developers don’t realize they’re building SSRF vulnerabilities until it’s too late. By then, attackers have already stolen your AWS credentials or mapped your entire internal network.
CSRF vs SSRF: Complete Developer Guide to Web Security [2026]
CSRF and SSRF sound like they’re related - they both have “request forgery” in the name, after all. But they’re completely different beasts that’ll bite you in completely different ways. I’ve spent way too many nights debugging both of these vulnerabilities, and the confusion between them has cost teams serious security incidents. Let me break down exactly what each one does and how to stop them before they wreck your app.
AppSec.fyi Hits 2,200+ Resources: What's New
Back in January I wrote about the launch of AppSec.fyi, the curated application security resource library I built and maintain. Three months later, I’ve added enough to warrant an update. What started as a clean list of links organized by vulnerability class has turned into something closer to a full reference platform. By the Numbers The resource count has crossed 2,241 items spread across 24 distinct categories. That’s a significant jump from the handful of core vulnerability classes I launched with. The original categories — XSS, SQLi, SSRF, IDOR, XXE, RCE, CSRF — are still there, but I’ve expanded into areas that reflect where application security is actually headed.
MCP Tool Poisoning: The Attack Surface Nobody's Talking About
I run about a dozen MCP servers in my daily workflow. Playwright for browser automation, Raindrop for bookmarks, Todoist for tasks, a couple of custom ones. Every time I start a Claude Code session, my agent loads all of their tool descriptions into context and uses them to decide what to call. Last month I started thinking about what would happen if one of those tool descriptions was lying to me.
csp-toolkit: Analyzing Content Security Policy Headers at Scale
There’s no Python library for parsing Content Security Policy headers. I checked PyPI, I checked GitHub — nothing. Google has a CSP Evaluator web tool and an npm package, but if you want to analyze CSP programmatically in Python — for recon scripts, bug bounty automation, or CI pipelines — you’re on your own. So I built one. csp-toolkit is a Python library and CLI tool that parses CSP headers, runs 21 weakness checks, finds bypass vectors against a database of 79 known-exploitable domains, scores policies A+ to F, and does a lot more. The current release is v0.6.2 on PyPI (changelog).