Michael 'artsploit' Stepankin is a researcher here at PortSwigger. He joined the team to put his offensive security mindset to the test, uncovering complex vulnerabilities in web applications. He specializes in the Java Enterprise stack, covering a wide range of security topics from insecure deserialization and XXEs, to logical bugs in OAuth systems. He's published a number of works throughout his employment as a researcher, including new ways to exploit JNDI injections, attacks on Apache Solr, and finding hidden Remote Code Executions in the Spring framework.
He spent many years as a penetration tester, channelling his focus primarily on discovering high and critical vulnerability classes. If you were to invite Michael to test the security of your network, he wouldn't bother you with anything about unexploitable SSL ciphers, or a twenty-year-old jQuery plugin. Instead, he'd spend his time smashing his head out to get a shell, or snatching at ntds.dit for you. When he wasn't penetration testing, he participated in a number of bug bounty programs, during which time he infiltrated the production networks of PayPal, Yahoo, and Apple. If he's ever able to be pried away from the computer, Michael enjoys wakeboarding and playing tennis.