Reflection on pdp
This week on Reflection we have Petko D. Petkov (popularly known as pdp). pdp has been active in the webappsec community for some time now. He has written many articles and published many tools; two of his more popular tools are Attack API and Technika (a Firefox extension). He is also a co-author of the book XSS Attacks: Exploits and Defense. Recently he presented Advanced Web Hacking Revealed at the OWASP AppSec Conference in Italy 2007. In his reflection pdp shares with us how he got started in the webappsec field. In his own words:
“I have always been fascinated by the power of the Web, but it was around the year 2000 when I got into web application security. Other than that, my interest in IT security has been growing since 1995. Funny enough, it was "Hackers", the movie, that sort of inspired me to spend my time on solving interesting problems with my not-so-advanced-for-that-time PC, rather than wasting time on games. Back then, I had a 286 MHz "Pravetz", produced in Bulgaria. One of my first projects was a simple calculator that was also password protected. When I finished the project, I also learned how to trick the password protection mechanism by modifying the jumper inside the program binary. That was fun. The Bulgarian underground scene used to be a great resource for me to learn from. I started reading an online zine called Phreadom. I am still looking for the old issues, but I guess they are somehow lost forever.
I started hacking from the time I learned how to program. My Dad told me that programming is one of the few professions out there that teaches you about the world in general, since programmers try to reflect real-world problems into easy-to-maintain and easy-to-use software products. That made me start thinking outside the box. I define myself as a life-hacker. I guess this is the reason why I am where I am today. When I came to the UK I didn't want to waste time, so I did a lot of security-related projects. This is when my IT security career started. I was 18 and I was doing the stuff that I had wanted to do all my life.”
Based out of London, UK, pdp is only 22 years old. Below is a list of his contributions to the webappsec community.
Books:-
XSS Attacks: Exploits and Defense
http://www.amazon.com/Cross-Site-Scripting-Attacks-Exploits/dp/1597491543/sr=1-1/qid=1170769149?ie=UTF8&s=books
Articles:-
The Web has Betrayed Us
http://www.gnucitizen.org/blog/the-web-has-betrayed-us
Persistent CSRF and The Hotlink Hell
http://www.gnucitizen.org/blog/persistent-csrf-and-the-hotlink-hell
Preventing CSRF
http://www.gnucitizen.org/blog/preventing-csrf
Sex, Candies and Bookmarklet Exploits
http://www.gnucitizen.org/blog/sex-candies-and-bookmarklet-exploits
The Machine is Using Us
http://www.gnucitizen.org/blog/the-machine-is-using-us
Playing in Large
http://www.gnucitizen.org/blog/playing-in-large
Universal PDF XSS After Party
http://www.gnucitizen.org/blog/universal-pdf-xss-after-party
Danger Danger Danger
http://www.gnucitizen.org/blog/danger-danger-danger
Web OS
http://www.gnucitizen.org/blog/web-os
Cross-site Request Forgery
http://www.gnucitizen.org/blog/cross-site-request-forgery
The 0XSS Credo
http://www.gnucitizen.org/blog/the-0xss-credo
The Backdooring Series:
http://www.gnucitizen.org/blog/backdooring-images
http://www.gnucitizen.org/blog/backdooring-mp3-files
http://www.gnucitizen.org/blog/backdooring-quicktime-movies
http://www.gnucitizen.org/blog/backdooring-flash-objects-receipt
http://www.gnucitizen.org/blog/backdooring-flash-objects
http://www.gnucitizen.org/blog/backdooring-web-pages
The XSSing the Lan Series:
http://www.gnucitizen.org/blog/xssing-the-lan-4
http://www.gnucitizen.org/blog/xssing-the-lan-3
http://www.gnucitizen.org/blog/xssing-the-lan-2
http://www.gnucitizen.org/blog/xssing-the-lan
Presentation:-
Advanced Web hacking revealed
http://www.owasp.org/index.php/6th_OWASP_AppSec_Conference_-_Italy_2007/Agenda
Tools written by him:-
Some of the tools published by him:
JavaScript YPipes Spider
http://www.gnucitizen.org/projects/6th-owasp-conference/spider.htm
JavaScript TinyURL Filesystem
http://www.gnucitizen.org/projects/6th-owasp-conference/tinyfs.htm
Google Hacking Database Interface
http://www.gnucitizen.org/applications/ghdb
JavaScript Port Scanner
http://www.gnucitizen.org/projects/javascript-port-scanner
Greasemonkey Backdoor
http://www.gnucitizen.org/projects/greasecarnaval
Exploit Development Environment for Firefox
http://www.gnucitizen.org/projects/technika
Geo position Zombies on a map
http://www.gnucitizen.org/applications/zombiemap
Attack Framework for controlling zombies
http://www.gnucitizen.org/applications/backframe
Simple JavaScript testing framework
http://www.gnucitizen.org/projects/firetest
Powerful JavaScript-based attack library
http://www.gnucitizen.org/projects/attackapi
The Cross-site Scripting database
http://www.gnucitizen.org/applications/xssdb
Powerful and very customizable attack communication channel
http://www.gnucitizen.org/projects/javascript-attack-channel
Set of utilities useful when performing enumeration attacks
http://www.gnucitizen.org/projects/met
Company working for:-
NTA-Monitor
Email:-
pdp__at__gnucitizen_dot_org
Blog:-
gnucitizen.org
Web:-
gnucitizen.org
Companies worked for:-
Freelance
pdp has vast knowledge of the different technologies and frameworks available on the internet. If you are not already following his blog, I would recommend doing so. He brings up some good points for the webappsec community.
Last Week – Saumil Shah
Next Week – Alex Stamos