Robert 'RSnake' Hansen

About Robert "RSnake" Hansen

At a glance:

Robert Hansen, also known as RSnake, is an American computer hacker, executive, and entrepreneur. He was the founder and CEO of SecTheory and the co-founder of Bit Discovery, and became Deputy CTO of Tenable after Bit Discovery was acquired. He has previously worked at eBay, WhiteHat Security (now Synopsys), Realtor.com/Move.com, Cable & Wireless plc America, ValueClick and Silicon Alchemy. He founded the ha.ckers.org web application security lab.

RSnake is best known for his security research and disclosures, including Slowloris, Clickjacking, the Fierce DNS enumeration tool, XSS filter evasion, DNS rebinding, Content Security Policy and Python NaN Injection.

School

From 1995 to 1998 RSnake studied computer engineering at California State University, Chico. At CSU Chico, the computer engineering degree was a hybrid degree mixing computer science and electrical engineering. He left school before attaining the degree.

WebFringe.com

While attending Chico State University, RSnake started webfringe.com, a site designed to fix the issues with the second webring on the Internet, called “the Fringe of the Web”, which had been started by a hacker calling himself “Bronc Buster”. RSnake built a self-healing top 100 list to keep the few hacking sites on the Internet interconnected. The problem with webrings was that once enough sites went offline, the ring no longer functioned as a link chain because of the gaps, whereas a top 100 list only showed sites with actual traffic flowing to them. [2][3]

EHAP

While attending CSU Chico, in June of 1996, RSnake co-founded a nonprofit organization named EHAP (Ethical Hackers Against Pedophilia), which included other hackers such as Genocide2600, [4][5] Tattooman, Silicon Toad, Chalk and more. EHAP purported to be responsible for uncovering the identities of a number of online pedophiles and associated groups. [6][7]

Professional Experience

Silicon Alchemy

Chief Operations Officer

While at Silicon Alchemy, where he was the Chief Operations Officer, RSnake worked with Bronc Buster on architectural designs for software called Peekabooty, a precursor to Tor that was designed to evade government censorship. [3]

RSnake also gave his first public speech at the Black Hat Briefings in Las Vegas, NV in 2001 on the hardening of .htaccess files based on his experiences identifying and thwarting automated brute force attacks. [8]


Digital Island/Exodus/Cable & Wireless America

Programmer and later promoted to Product Manager

RSnake joined Digital Island which was merged with Exodus Communication and eventually turned into Cable & Wireless America. He began his career at the company as a programmer and left after being promoted to product manager. While at Cable & Wireless America, RSnake worked with Jeremiah Grossman to create intranet port hacking – a technique by which the browser’s internal access to a network is a conduit for malicious HTML and JavaScript to attack internal resources. [9][10]


eBay

Sr. Global Product Manager of Trust and Safety

RSnake was the Sr. Global Product Manager of Trust and Safety at eBay. During his time there, he invented the idea of Content Security Policy as a means to defeat stored and reflected cross-site scripting. During his tenure at eBay RSnake founded ha.ckers.org, a hacker-centric web application security lab and blog and sla.ckers.org, a forum for web application security experts.


Realtor.com/Move

Director of Product Management

RSnake was the director of product management for Realtor.com/Move Inc, in charge of various systems such as mapping. It is where RSnake began blogging on ha.ckers.org, after having left eBay. He quit to begin his consultancy, SecTheory.


SecTheory

Founder and CEO

RSnake co-founded SecTheory LLC with James Flom in 2006 while RSnake was still at Realtor.com and shortly thereafter moved to Austin, Texas where he continued doing Internet security research while consulting. [36] He began by attacking the authentication system at Acutrust using entropy attacks. [11] The XSS cheatsheet was built to evade filters that might prevent attackers from injecting Cross-Site Scripting. [12]

In 2008 Tom Stracener and RSnake co-presented at the DEF CON security conference in Las Vegas, NV on the topic of “Xploiting Google Gadgets: Gmalware and Beyond”. [23][44] The attack used malicious Google Gadgets to phish users and leak sensitive information. After this talk RSnake joined the Black Hat Briefings speaker review board. [24]

RSnake worked on two DNS-related projects: DNS rebinding research [13] and, in 2009, the Fierce DNS enumeration tool, which used brute-force enumeration to identify assets of a target domain. [14] Adding to the groundswell of intranet port scanning research, RSnake introduced the concept of RFC1918 cache poisoning, which used the browser’s cache and overlapping RFC1918 address space to compromise networks that an adversary would not normally have access to. [15][35]

RSnake built a denial-of-service tool called Slowloris, which held many partially complete HTTP requests open in parallel to deny service to Apache websites. Slowloris was used during the 2009 Iranian presidential election protests to take down leadership websites. [16]

Shortly thereafter, RSnake and Jeremiah Grossman co-authored a new exploit class called Clickjacking (also sometimes referred to as Likejacking or UI redressing). The official presentation had to delay details of the exploit due to a request by Adobe to fix the vulnerability in Flash prior to public disclosure. [17][18][37][38][39][40]

RSnake and James Flom co-created Falling Rock Networks, a productized version of ha.ckers.org’s hardware and software stack, which made heavy use of BSD chroot jails. [19]

In 2010 and during his time analyzing HTTPS, RSnake and Josh Sokol presented at the Black Hat Briefings a collection of two dozen HTTPS side-channel attacks in a presentation dubbed “HTTPS can Byte Me”. [20] Shortly thereafter, in December 2010, RSnake wrote his 1,000th blog post and officially ended his blogging on ha.ckers.org. [21] In 2012 RSnake, by way of SecTheory, was involved in the DFIR work after Anonymous hacked Stratfor. [22]

While running SecTheory with RSnake, James Flom located a Carnivore device in their network, which ultimately led RSnake to file a FOIA request. The CIA gave a Glomar response. [25] On RSnake’s Facebook page, he said that the FBI, on the other hand, "said that my case file was 469 pages, of which they were going to delete 419 before they even sent it to me. That left 50 pages. Those 50 pages though, were just the boilerplate case file and every single page is 100% redacted."

SecTheory was officially handed over to James Flom in 2013 to run the company, after the subprime mortgage crisis had a large financial impact on the consulting practice. [3][46]


WhiteHat Security

Vice President of Labs

Jeremiah Grossman hired RSnake to be a director of product management at WhiteHat Security (now Synopsys). RSnake was quickly promoted to the title of Vice President of Labs, where he helped launch Aviator, a short-lived privacy-focused alternative to Google Chrome built on Chromium. [26]

During his tenure at WhiteHat, RSnake issued a warning about Anonymous having been compromised by nation states on VICE Cyberwar. [27] Subsequently, RSnake has explained how he knew that to be true in a conversation with Mike Jones on the H4unt3d Hacker podcast. [25]

RSnake began to collect and compute magic hashes: hash digests that a loosely typed (numeric) comparison interprets as the number zero. When a web application compares a stored hash against a supplied one using such a comparison, any two digests of this form collide as equal, which allows an adversary to break into the application. [28]
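To make the comparison pitfall concrete, here is an added Python example (not code from the original page or from RSnake's magic hash research). It assumes the classic "0e" + digits pattern, models a loose numeric comparison in `loose_equal` to show why such digests collide, and contrasts it with a strict, constant-time comparison. The two constructed inputs are well-known strings whose MD5 digests have this form; `flag_magic_digests` is an audit helper for finding affected digests in a stored credential or token set.

```python
import hashlib
import hmac
import re

# A "magic hash" is a hex digest of the form "0e" followed only by decimal
# digits.  A loosely typed comparison (PHP's == on two numeric strings is the
# classic case) parses such a string as scientific notation, 0 x 10^N, i.e. 0.
# Every magic hash therefore compares equal to every other one, and to "0".
MAGIC_HASH_RE = re.compile(r"^0e[0-9]+$")


def is_magic_hash(hexdigest: str) -> bool:
    """True if a loose numeric comparison would read this digest as zero."""
    return MAGIC_HASH_RE.match(hexdigest) is not None


def loose_equal(a: str, b: str) -> bool:
    """Model of a loose comparison: numeric if both sides parse as numbers.

    This reproduces the weak behaviour so the bug is visible; it is NOT a
    comparison anyone should use for secrets.
    """
    try:
        return float(a) == float(b)
    except ValueError:
        return a == b


def safe_equal(a: str, b: str) -> bool:
    """Strict, constant-time comparison of two digests as byte strings."""
    return hmac.compare_digest(a.encode("ascii"), b.encode("ascii"))


def flag_magic_digests(stored_digests):
    """Audit helper: return the stored digests that a loose comparison would
    treat as zero.  Useful when reviewing a credential table or token store."""
    return [d for d in stored_digests if is_magic_hash(d)]


def md5_hex(s: str) -> str:
    """MD5 hex digest of an ASCII string (MD5 is used only because the
    well-known magic hash examples are MD5 digests)."""
    return hashlib.md5(s.encode("ascii")).hexdigest()


if __name__ == "__main__":
    # Constructed inputs whose MD5 digests are well-known magic hashes.
    a, b = md5_hex("240610708"), md5_hex("QNKCDZO")
    print(a, b)
    print("loose:", loose_equal(a, b))   # True: both parse as 0.0
    print("safe: ", safe_equal(a, b))    # False: different strings
    print(flag_magic_digests([a, md5_hex("password")]))
```

The mitigation is the last two functions: compare digests as opaque byte strings with `hmac.compare_digest`, never through a code path that may coerce them to numbers, and audit existing stores with `flag_magic_digests` to see whether any stored value would be affected by a loose comparison elsewhere in the stack.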

In 2015 RSnake downloaded the North Korean Red Star OS and ran tests to identify issues with the Naenara browser, which led to the understanding that the entirety of North Korea is using RFC1918 address space. [29]


Human Health Organization

Chief Information Security Officer

RSnake was the Chief Information Security Officer for the Human Health Organization, and also managed the marketing team, reporting directly to John Cameron, the CEO.


OutsideIntel/Bit Discovery/Tenable (TENB)

CTO and became Deputy CTO of Tenable after acquisition

In 2018 Bit Discovery acquired RSnake’s corporate intelligence platform, OutsideIntel. In 2021, RSnake described a new type of attack within Python called NaN Injection. [30] NaN (“Not a Number”) is a floating-point value that, when injected into vulnerable Python code, potentially allows an adversary to do many different dangerous things, such as privilege escalation, denial of service, incorrect comparison operations, and more. The maintainers of Python, via Red Hat, responded, “Python is a fully featured programming language, it allows you to write all kinds of programs, including insecure ones.” As such, Python remains vulnerable, as there appear to be no plans to fix NaN Injection, issue an associated CVE or author guidance to developers.
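The following is an added Python example, not code from the original page or from RSnake's NaN Injection write-up, showing the comparison failure mode the paragraph describes and the defensive check for it. The withdrawal limit, the JSON body and the function names are constructed for the example. It goes slightly beyond the paragraph by also covering the standard library JSON decoder, which accepts the non-standard literal `NaN` by default.

```python
import json
import math

WITHDRAWAL_LIMIT = 1000.0  # constructed business rule for the example


def parse_amount_unsafe(raw: str) -> float:
    """Typical parse: float() accepts 'nan', 'NaN', 'inf' and '-inf' as well as digits."""
    return float(raw)


def parse_amount_safe(raw: str) -> float:
    """Same parse, but non-finite values are rejected before any comparison runs."""
    value = float(raw)
    if not math.isfinite(value):
        raise ValueError(f"non-finite amount rejected: {raw!r}")
    return value


def within_limit(amount: float) -> bool:
    """Range check as commonly written.  Every ordered comparison involving NaN
    is False, so neither condition fires for NaN and the deny path is skipped."""
    if amount < 0 or amount > WITHDRAWAL_LIMIT:
        return False
    return True


def approve_withdrawal(raw: str, strict: bool) -> bool:
    """True if the request would be approved under the chosen parser."""
    try:
        amount = parse_amount_safe(raw) if strict else parse_amount_unsafe(raw)
    except ValueError:
        return False
    return within_limit(amount)


def _reject_constant(name: str):
    # json.loads calls this hook for the non-standard literals NaN, Infinity
    # and -Infinity, which the stdlib decoder otherwise accepts silently.
    raise ValueError(f"rejected non-standard JSON constant {name}")


def load_amount(payload: str, strict: bool):
    """Extract 'amount' from a JSON body; returns None when strict parsing rejects it."""
    try:
        if strict:
            data = json.loads(payload, parse_constant=_reject_constant)
        else:
            data = json.loads(payload)
    except ValueError:
        return None
    return data["amount"]


if __name__ == "__main__":
    for raw in ("250", "5000", "nan", "-inf"):
        print(f"{raw:>6}: lenient={approve_withdrawal(raw, False)} "
              f"strict={approve_withdrawal(raw, True)}")
    print(load_amount('{"amount": NaN}', strict=False))  # nan slips through
    print(load_amount('{"amount": NaN}', strict=True))   # None (rejected)
```

The point to take from the lenient path is that a NaN value is not "out of range"; it is outside the ordering entirely, so a check written as "deny if below X or above Y" never denies it. Rejecting non-finite floats at the parse boundary (`math.isfinite`, and `parse_constant` for JSON) is the check that closes this regardless of how many comparisons follow.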

RSnake developed prototype software called Strangelove that was able to reverse engineer and exploit 1-day vulnerabilities in 0.02 seconds, prompting a discussion about the efficacy of much slower patch management as a viable defense.

On June 6th, 2022 Bit Discovery was acquired by Tenable Inc. [33][34] RSnake became the Deputy CTO managing the WAS and EASM programs for Tenable, and left on his one-year anniversary.


Civilized Entertainment

Executive Producer

In 2022 RSnake became an executive producer on the film “Lion Spy” featuring Rogue Rubin. [41] He spoke at the Austin Entertainment Business event on AI in Hollywood. He also wrote an AI platform to generate vertical-media scripts called ScriptViper.

In 2022, RSnake created and executive produced a podcast entitled “The RSnake Show” that was purported to be “important conversations with people in the know.”


RSnake LLC

CEO

He wrote the book AI’s Best Friend, which documents the intersection of human and AI/AGI hallucinations and the complexity of the alignment problem. In it he draws parallels between the tragic murder-suicide involving his friend and former business partner James Flom, which stemmed from Flom’s hallucinations, and hyper-intelligent AGI systems that likewise hallucinate.

In 2024 RSnake began the new series as part of the show called “Demo Day” where he began to interview vendors who wanted to deliver demos so that consumers wouldn’t have to go through long funnels before they could see if the security products worked for them or not.

Also in 2024 RSnake began the newsletter “RSnake Report” which was a geopolitical, information security, business and technology focused newsletter.


Grossman Ventures

Managing Director

In 2024, RSnake became a Managing Director of Grossman Ventures – an information security focused early-stage VC.

In 2025 he built the site cvedata.com to show inconsistencies in how CVSS scores worked by comparing and contrasting the CVE base scores with EPSS, Vulncheck and CISA KEV.

Controversies

Sla.ckers.org Full Disclosure Stance

In the late 2000s RSnake began a thread on the sla.ckers.org forum entitled “So it begins”, a massive thread cataloguing cross-site scripting vulnerabilities found in hundreds, and eventually over 1,000, different websites, demonstrating how vulnerable modern web applications were. The majority of the flaws were found by RSnake himself. The thread caused a backlash from a number of large companies and security vendors who favored a non-disclosure policy, whereby security researchers contact the companies privately so that issues can be fixed before attackers are able to leverage them. RSnake’s position was that failing to publicly disclose the issues made it more difficult to convey the prevalence of security flaws in modern web applications. [45]


Windows Help Centre Vulnerability

Tavis Ormandy, a Google employee, found an issue within Windows Help Centre and disclosed it publicly without going through the responsible disclosure process. On his blog, RSnake challenged Google to follow its own rules and fire Tavis Ormandy, or else stop requiring other hackers to follow responsible disclosure rules. This led to backlash on RSnake’s blog from the industry, who felt that RSnake was unfairly calling for Tavis’ termination and that the exploit was not Google-sponsored, despite the evidence that Tavis worked for Google and coordinated the disclosure with his manager at the time, Michał Zalewski. [32] Google eventually capitulated by starting Project Zero, which largely solved the issue of how Google dealt with third-party vulnerability disclosures. RSnake ultimately stopped writing on his ha.ckers.org blog and eventually shut the site down after the 1,000th blog post, in part due to the incident. [3]


Hack The Pentagon

In 2016, after multiple invitations into the “Hack the Pentagon” program run by HackerOne, RSnake was apparently almost arrested by the United States Department of Defense for going out of scope during the reconnaissance phase of the government-sanctioned bug bounty program. The arrest never took place, presumably due to pressure from the US Digital Services on the Department of the Army to save face. This led to a change of policy that now allows hackers to safely disclose vulnerabilities they may find in the DoD without fear of retribution. It is colloquially referred to as the “see something, say something” policy. [25][42]


Musk vs Twitter

In 2017, RSnake worked with an unnamed internal employee at Twitter to create a project designed to fix the perceived “bot problem” after the 2016 election. As a result of this unnamed Twitter employee’s attempt to notify the executives and fix the problem, the employee was ultimately let go by Twitter and the project concept was abandoned. Unfixed, the bot problem eventually culminated in a lawsuit following Elon Musk’s attempted takeover of Twitter, where the existence and prevalence of bots on the Twitter platform became the central issue involving the valuation of the company. [43]


Jan 6th Commission Report

In 2022, RSnake discussed with both Morgan Warstler and John Robison their involvement in discussing alternative methods of bypassing the election process with Donald Trump at the Oval Office on November 10th, a week after the election. [47][48] Subsequently, The RSnake Show was referenced as background material within the Jan 6th Commission Report, corroborating the evidence that Morgan Warstler was indeed in charge of the Twitter account used to admit to his visiting the White House and to assert that states can choose their electors, overriding the popular vote. [49]


James Flom/Shannon Norton Murder-Suicide

On April 27, 2023, James Flom and Shannon Norton were found dead in her home, by apparent murder-suicide an estimated four days prior, in which James shot and killed Shannon and then himself. James was RSnake’s long-time best friend and former business partner. The controversy around the tragedy was its depiction as a domestic dispute by the press and Twitter commentators, [50] but RSnake has come out against this characterization, as the cause is far more likely undetected chronic traumatic encephalopathy (CTE) due to repeated brain traumas and a decline causing subsequent violent auditory hallucinations.

Works

  • Fogie, Seth; Grossman, Jeremiah; Hansen, Robert; Rager, Anton; Petkov, Petko (2007). XSS Attacks: Cross Site Scripting Exploits and Defense (1 ed.). Rockland, MA: Syngress. ISBN 978-1597491549.
  • Hansen, Robert (2009). Detecting Malice (1 ed.). Austin, TX: Self-publishing. ISBN 978-0-557-18733-1.
  • Grossman, Jeremiah; Hansen, Robert; Manico, Jim; Tittel, Ed (2014). Website Security for Dummies (1 ed.). Hoboken, New Jersey: John Wiley & Sons, Inc. ISBN 979-1-118-80138-3.
  • Hansen, Robert (2024). AI’s Best Friend. Austin, TX: RSnake, LLC ISBN 979-8-8-804-1527-4.

References

  1. Grossman, Jeremiah. “Bit Discovery About”.
  2. Hansen, Robert. “The Chilling Effect”.
  3. Fisher, Dennis. “How I Got Here: Robert “RSnake” Hansen”.
  4. Hansen, Robert. “EHAP FAQ”.
  5. Hansen, Robert. “The Happy Hacker”.
  6. Csencsits, Sonia. “COMPUTER CHILD PORN FIGHTERS FOLLOW RULES * THE GROUP LED POLICE TO A BETHLEHEM MAN”.
  7. Radcliff, Deborah. “Hacking away at kiddie porn”.
  8. “The Black Hat Briefings Conference List of Speakers at www.blackhat.com”. www.blackhat.com.
  9. Grossman, Jeremiah. “Hacking Intranet Website from the Outside”.
  10. Grossman, Jeremiah. “Jeremiah Grossman & Robert Hansen: Hacking Intranet Websites from the Outside (Take 2) – “Fun with and without JavaScript malware”.
  11. Hansen, Robert. “Acutrust Entropy Attacks”.
  12. Hansen, Robert. “XSS Cheatsheet – Esp for Filter Evasion”.
  13. Hansen, Robert. “DNS Rebinding”.
  14. Hansen, Robert. “Fierce Domain Scan”.
  15. Fisher, Dennis. “New attack class exploits intranet weaknesses”.
  16. Hansen, Robert. “DEF CON 17 – Sam Bowne – Hijacking Web 2.0 Sites with SSLstrip”.
  17. Hansen, Robert. “Owasp5005 – J. Grossman/R. Hansen – New Zero-Day Browser Exploits -ClickJacking”.
  18. Hansen, Robert. “ClickJacking”.
  19. Flom, James. “Hacking Ha.ckers.org” (PDF).
  20. Hansen, Robert. “HTTPS Can Byte Me”.
  21. Hansen, Robert. “And Beyond…”
  22. Knapp, Alex. “Stratfor Back Online; CEO Decries Hacking As Censorship”.
  23. Hansen, Robert. “DEF CON 16 – Tom Stracener & Robert Hansen: Xploiting Google Gadgets: Gmalware and Beyond”.
  24. Moss, Jeff. “Blackhat Review Board”.
  25. Jones, Mike. “H4unt3d Hacker #43 Robert “RSnake” Hansen”.
  26. Scharr, Jill. “Aviator: Hands-On With the Most Secure Web Browser”.
  27. Makuch, Ben. “VICE Cyberwar S1E1”.
  28. Hansen, Robert. “Magic Hashes”.
  29. Hansen, Robert. “North Korea’s Naenara Web Browser: It’s Weirder Than We Thought”.
  30. Hansen, Robert. “Python NaN Injection”.
  31. Snyder, Window. “Mike Shaver Ten Days and Expletives”.
  32. Hansen, Robert. “Windows Help Centre Vuln”.
  33. Tenable. “Tenable Completes Acquisition of Bit Discovery and Announces Tenable.asm for External Attack Surface Management”.
  34. Lemos, Robert. “Tenable’s Bit Discovery Buy Underscores Demand for Deeper Visibility of IT Assets”.
  35. Wilson, Tim. “Researcher: Popular Internal IP Addressing Scheme Could Leave Enterprises Vulnerable”.
  36. Jackson Higgins, Kelly. “RSnake, Unmasked”.
  37. Jackson Higgins, Kelly. “Adobe Flash Player Fix Stops ‘Clickjacking’”.
  38. Hulme, George. “Adobe (Somewhat) Fixes ClickJacking Vulnerability”.
  39. Claburn, Thomas. “‘Clickjacking’ Attack Prompts Warning To Disable Browser Plug-Ins”.
  40. Claburn, Thomas. “Clickjacking Attack Lets Web Sites See, Hear You”.
  41. IMDB. “Lion Spy”.
  42. Hansen, Robert. “S02E11 – Alex Romero (The RSnake Show)”.
  43. Hansen, Robert. “S01E01 – Raymond Kaminski (The RSnake Show)”.
  44. InfoconDB. “Xploiting Google Gadgets: Gmalware and Beyond”.
  45. Berinato, Scott (CSO Online). “The Chilling Effect”.
  46. Hansen, Robert. “S03E04 – Hacking for Good, Being Spied On, and Cybersecurity w/ James Flom”.
  47. Hansen, Robert. “S01E10 – Anarcho-Capitalism, Communism, UBI and Economics w/ Morgan Warstler”.
  48. Hansen, Robert. “S02E09 – Homosexuality, Hollywood and Intolerance w/ John Robison”.
  49. U.S. Government Publishing Office. “Final Report: Select Committee to Investigate the January 6th Attack on the United States Capitol”.
  50. Twitter, k8em0.