Home | Samuel Mortenson

You can call me Sam. I live in Portland, Oregon and spend a lot of time on the internet. I like web development, security research, and games. I did Drupal for a long time, but am trying my hand at security engineering now.

Blog

The latest from my mind to yours

Drupal security testing for everyone

I've just published a new project for performing static application security testing (SAST) on Drupal sites, mortenson/psalm-plugin-drupal.

Promoting jQuery JSON to JSONP to trigger XSS

I’ve done quite a bit of security research for Drupal, and one area of exploitation that I often come back to is the AJAX API. Drupal’s AJAX API is built on top of jQuery, and lets developers easily add interactive behavior to the frontend.

Drupal Services SQL injection - don't trust abstractions

Drupal doesn’t have many SQL injection vulnerabilities anymore, at least not since the original Drupalgeddon was released into the wild. So what makes Drupal so safe? Abstractions of course!

Drupal services private file access bypass via IDOR

There’s a feature in Drupal that not a lot of people know about, but is a great target for security research - private files. Private files allow you to upload files to a non-public directory on your server, then serve them through Drupal instead of through your HTTP server.

Work

Featured

Tome

A static site generator for Drupal

As I started to use static site generators like Jekyll and Gatsby, I started to wonder why Drupal couldn't also be used as a static site generator. After a ton of work, more than any on any Drupal module I've made, I created Tome, a static site generator for Drupal 8 that stored content, config, files, and HTML statically.

All work

Gallery

A small CRT TV and a variety of retro consoles.

Samuel
Mortenson