I'm a security consultant for NCC Group. My resume.
I'm interested in security, hardware, math, and making and breaking things.
Find me: Github, Twitter, or email 'me' at tannerprynn dot com.


Web Application Security Testing Methodology

A comprehensive, modern, and opinionated methodology for web application security assessments.

Cross-Protocol Request Forgery

Attacking custom TCP protocols using modified cross-site request forgery (CSRF) and server-side request forgery (SSRF) techniques.

CORS Research

Systematically evaluating browsers' implementations of the CORS standard.

Elliptic Curve Cryptography

I taught myself about ECC from an algebraic perspective, and implemented ECDHE in ruby. Check out my report or the cool poster.

IoT Security Research

Worked with a team at NCC Group owning a bunch of Internet of Things devices.


flowers.pde: A generative art project that spawns a multitude of flowers.
communities.pde: A signal passing automaton.
life3d.pde: A 3-dimensional implementation of the Game of Life.
camboard.pde: An audio visualizer which dynamically colors webcam input.

blog posts

Code Patterns for API Authorization: Designing for Security

The School of Frida Witchcraft: Java Spellcasting Errata

Advanced Frida Witchcraft: Turning an Android Application into a Voodoo Doll

A Novel CSP Bypass Using data: URI

Appleā€™s App-Site Association - The New robots.txt



  • NCC Group - Principal Security Consultant (August 2015 - now)
  • CSRF in the Modern Age: Sidestepping the CORS Standard (Toorcon 2016) [Slides]
  • Matasano Security Intern (May 2014 - August 2014)
  • computer science

  • GEOCAM - Topology & graphics in Java using JReality
  • Project Euler (using C and Java)
  • Networking (Proxy, Router)
  • math

  • Elliptic Curve Cryptography: I wrote a report about ECC and implementing Curve25519.
  • GEOCAM undergraduate research assistant (January 2013 - August 2013)
  • Statistics (using R)
  • Interests: Cryptography