
Samuel Mortenson


You can call me Sam. I live in Portland, Oregon and spend a lot of time on the internet. I like web development, security research, and games. I did Drupal for a long time, but am trying my hand at security engineering now.

Blog

The latest from my mind to yours

Promoting jQuery JSON to JSONP to trigger XSS

I’ve done quite a bit of security research for Drupal, and one area of exploitation that I often come back to is the AJAX API. Drupal’s AJAX API is built on top of jQuery, and lets developers easily add interactive behavior to the frontend.

Drupal services private file access bypass via IDOR

There’s a feature in Drupal that not a lot of people know about, but is a great target for security research - private files. Private files allow you to upload files to a non-public directory on your server, then serve them through Drupal instead of through your HTTP server.

Making a multiplayer game with Go and gRPC

Recently I’ve started to pick up a new programming language, Go, but have struggled to absorb lessons from presentations and tutorials into practical knowledge. My preferred learning method is always to work on a real project, even if it means the finished work has loads of flaws.
