Drew Kirkpatrick

Senior Security Consultant

Experience

Drew has 20 years of experience designing and building complex systems, including application security, network policy management, machine learning, and transit and aerospace systems. These days he works to improve Information Security by applying penetration testing and computer science to assess the security posture of TrustedSec clients. Before joining TrustedSec, he was a Security Researcher at NopSec and Secure Decisions as well as a Senior Computer Scientist for the U.S. Navy.

Education & Certifications

OSCP, GWAPT

M.S. Computer Science – Florida Institute of Technology

M.S. Computer Information Systems – Florida Institute of Technology

B.A. Psychology/Economics – St. Mary’s College of Maryland

Professional Affiliations

OWASP, TOOOL

Industry Contributions

Drew has developed and contributed to several open source projects, including OWASP Attack Surface Detector and various machine learning and penetration testing tool projects.

Passion for Security

Drew’s love for building complex systems led to the discovery that he found tremendous joy in breaking complex systems—in a good way.

Recent Blog Posts

Persisting XSS With IFrame Traps

By Drew Kirkpatrick
In Penetration Testing, Red Team Adversarial Attack Simulation, Security Testing & Analysis
XSS Iframe Traps Longer Running XSS Payloads An issue with cross-site scripting (XSS) attacks is that our injected JavaScript might not run for an extended period of time. It may be a reflected XSS vulnerability where we’ve tricked our user into clicking a link, but when they land on the page where we were able...
Read

Persistence Through Service Workers-Part 3: Easy JavaScript Payload Deployment

By Drew Kirkpatrick
In Application Security Assessment, Penetration Testing, Red Team Adversarial Attack Simulation, Security Testing & Analysis
In “Persistence Through Service Workers—PART 2: C2 Setup and Use,” we demonstrated setting up the Shadow Workers C2 server and how to add both the service worker JavaScript and what Shadow Workers calls the “XSS Payload” JavaScript to the target application. In the example, we didn’t load the “XSS Payload” through a cross-site scripting vulnerability....
Read

Persistence Through Service Workers—Part 2: C2 Setup and Use

By Drew Kirkpatrick
In Application Security Assessment, Penetration Testing, Red Team Adversarial Attack Simulation, Security Testing & Analysis
In Part 1 of this 2-part blog, we provided an overview of service workers and created an appropriate target application to exploit using Shadow Workers. In this blog post we’ll build our C2 server in Digital Ocean and use Shadow Workers to exploit the target application. It is highly recommended to read Part 1 prior...
Read
View all posts from Drew

Recent Webinars

Popping Shells Instead of Alert Boxes: Weaponizing XSS for Fun and Profit

This webinar was recorded on Wednesday, December 18, 2019. XSS? What’s the big deal? Cross-Site Scripting (XSS) vulnerabilities are a longstanding issue that allow malicious actors to inject JavaScript into a web application. Penetration testers typically use a simple JavaScript...
Watch
View all webinars from Drew

Recent Podcasts

TrustedSec Security Podcasts

Report All The Things

May 23, 2022

See the World They Said

May 23, 2022
Drew Kirkpatrick

Want to work with Drew Kirkpatrick or someone like him?

The TrustedSec team is comprised of experienced and qualified security professionals. Contact us to learn more about our services, our team, and how we can help you.
Contact Us