Thomas Stacey

Thomas is an Application Security Auditor with Outpost24. He is a highly skilled penetration tester and security researcher with expertise in web application testing with over five years of experience. He is a Burp Suite practitioner, a full-time Lego enthusiast, and loves to share his knowledge with others.

Using HTTP request smuggling to hijack a user’s session – exploit walkthrough

Application Security 06 Sep 2023

During a recent customer engagement, I came across an instance of a rather rare vulnerability class called HTTP request smuggling. Over the course of several grueling days of exploit development, I was eventually able to abuse this vulnerability to trigger…

Account takeover vulnerability in Azure’s API Management Developer Portal

Application Security 08 Mar 2023

How an Account Takeover vulnerability, discovered during a routine customer engagement, became a candidate for responsible disclosure, via the Microsoft Security Research Center Researcher Portal. In December 2022, when testing a customer’s instance of the Azure API Management (APIM) Developer…