Drew Kirkpatrick

Senior Security Consultant

Experience

Drew has 20 years of experience designing and building complex systems, including application security, network policy management, machine learning, and transit and aerospace systems. These days he works to improve Information Security by applying penetration testing and computer science to assess the security posture of TrustedSec clients. Before joining TrustedSec, he was a Security Researcher at NopSec and Secure Decisions as well as a Senior Computer Scientist for the U.S. Navy.

Education & Certifications

OSCP, GWAPT

M.S. Computer Science – Florida Institute of Technology

M.S. Computer Information Systems – Florida Institute of Technology

B.A. Psychology/Economics – St. Mary’s College of Maryland

Professional Affiliations

OWASP, TOOOL

Industry Contributions

Drew has developed and contributed to several open source projects, including OWASP Attack Surface Detector and various machine learning and penetration testing tool projects.

Passion for Security

Drew’s love for building complex systems led to the discovery that he found tremendous joy in breaking complex systems—in a good way.

Recent Blog Posts

Simple Data Exfiltration Through XSS

By Drew Kirkpatrick
In Application Security Assessment, Penetration Testing, Purple Team Adversarial Detection & Countermeasures, Red Team Adversarial Attack Simulation, Remediation Assistance & Training, Security Testing & Analysis, Social Engineering
During a recent engagement, I found a cross-site scripting (XSS) vulnerability in a legal document management application and created a quick and dirty document exfiltration payload. Unfortunately, this discovery and coding happened on the final day of the engagement (*cough* reporting bonus hacking day), and I didn’t have a chance to actually put the exfiltrated...
Read

Setting the ‘Referer’ Header Using JavaScript

By Drew Kirkpatrick
In Application Security Assessment, Mobile Security Assessment, Penetration Testing, Research, Security Testing & Analysis
Or, “I’m Sorry, You Said You’re from Where Again?” In a prior webinar on creating weaponized Cross-Site Scripting (XSS) payloads, I mentioned that XSS payloads (written in JavaScript) could not change the HTTP Referer header. Malicious requests made through an XSS payload will often have an unexpected Referer header that does not generally make sense...
Read

PentesterLab Pro Giveaway

By Drew Kirkpatrick
In Penetration Testing, Security Testing & Analysis
We are excited to announce that we will be giving away 200 one-month subscriptions to PentesterLab Pro. During these challenging times, we hope that you will be able to use this learning resource to improve your web application testing skills. PentesterLab Pro is a leading industry tool designed to make learning web hacking easier. Using hands-on...
Read
View all posts from Drew

Recent Webinars

Popping Shells Instead of Alert Boxes: Weaponizing XSS for Fun and Profit

This webinar was recorded on Wednesday, December 18, 2019. XSS? What’s the big deal? Cross-Site Scripting (XSS) vulnerabilities are a longstanding issue that allow malicious actors to inject JavaScript into a web application. Penetration testers typically use a simple JavaScript...
Watch
View all webinars from Drew

Recent Podcasts

TrustedSec Security Podcasts

See the World They Said

July 26, 2021
Drew Kirkpatrick

Want to work with Drew Kirkpatrick or someone like him?

The TrustedSec team is comprised of experienced and qualified security professionals. Contact us to learn more about our services, our team, and how we can help you.
Contact Us