Gareth Heyes

Consultant

Blackburn, United Kingdom27 yrs 8 mos experience

Most Likely To SwitchHighly Stable

Key Highlights

Over a decade of experience in offensive web security.
Authored 'JavaScript for Hackers', influencing security practices.
Developed tools enhancing Burp Suite's detection capabilities.

Stackforce AI infers this person is a Cybersecurity expert specializing in web application security and vulnerability research.

Contact

Skills

Core Skills

Web Application SecuritySecurity ResearchWeb Development

Other Skills

ApacheApplication SecurityBurp SuiteCSSCSS3Cascading Style Sheets (CSS)Chrome Extension DevelopmentCloud ComputingCode ReviewComputer SecurityCybersecurityFront-endFuzzingHTMLHTML5

About

I’m a security researcher passionate about breaking the web in creative ways so others can build it back stronger. With over a decade of experience uncovering cutting-edge browser exploits, bypasses, and XSS techniques, I’ve helped shape the field of offensive web security. Currently at PortSwigger, the makers of Burp Suite, I spend my time fuzzing the edge cases of JavaScript, HTML, and browser parsers - often discovering new ways to weaponise overlooked features. I’m the author of JavaScript for Hackers, a practical guide to thinking like an attacker and exploiting real-world web apps using advanced JavaScript payloads and techniques. My work has influenced security tools, WAF evasions, CSP research, and continues to push the boundaries of what’s possible in modern web attacks.

Experience

27 yrs 8 mos

Total Experience

3 yrs 5 mos

Average Tenure

11 yrs 1 mo

Current Experience

Portswigger web security

Researcher

Apr 2015 – Present · 11 yrs 1 mo · Knutsford

At PortSwigger, I research cutting-edge web vulnerabilities with a focus on browser parsing quirks, DOM-based attacks, and XSS. I’ve helped shape the detection capabilities of Burp Suite through in-depth analysis of HTML, JavaScript, and CSS edge cases—often uncovering new classes of vulnerabilities.
I’m the creator of Hackvertor, a Burp BApp used widely by security professionals to transform and encode payloads dynamically. I also helped develop DOM Invader, a powerful tool for detecting client-side issues like DOM XSS and prototype pollution.

XSSJavaScriptHTMLCSSBurp SuiteFuzzing+2

Cloud1990

Software Developer

Apr 2014 – Mar 2015 · 11 mos · Barrowford

My main duties are web design and development as well as developing a cloud based ERP solution.

Web DesignWeb DevelopmentCloud Computing

Fairpoint

Senior Web Developer

Nov 2013 – Mar 2014 · 4 mos · Manchester, United Kingdom

I moved back into Web Development as a Senior PHP developer working on web applications and rest services.

PHPWeb ApplicationsREST ServicesWeb Development

Microsoft

Independent Security Researcher

Jul 2008 – May 2013 · 4 yrs 10 mos · Remote working

I worked for Microsoft in a special program for security testing. My main focus is security research for Microsoft. I was contracted to research the IE8 XSS filter which involves developing high level XSS vectors and bypassing the filter, developing targeted fuzzers, verification of fixes and developing new techniques.

XSSFuzzingSecurity TestingSecurity Research

Ignition nbs ltd

Senior web developer

Jan 2003 – Jul 2008 · 5 yrs 6 mos · Haslingden

Whilst working at Ignition I was responsible for the design and development or various SaaS (Software
as a service) products. I constructed an insurance broker management system which coordinated and organized large datasets from external data providers such as the PH group. This data was used by brokers to calculate the best time to call a client and manage their mail shots. This involved a PHP backend with a mysql database server and the system had various levels of access control.

PHPMySQLSaaSWeb Development