Monday, June 11, 2007

Reflection on pdp


This week on Reflection we have Petko D Petkov (popularly known as pdp). pdp has been active in the webappsec community for some time now. He has written many articles and published many tools. Two of his more popular tools are Attack API and Technika (a Firefox extension). He is also a co-author of the book XSS Exploits: Attacks and Defense. Recently he presented "Advanced Web Hacking Revealed" at the OWASP AppSec Conference in Italy, 2007. In his reflection, pdp shares with us how he got started in the webappsec field. In his own words:

“I have always been fascinated by the power of the Web, but it was around the year 2000 when I got into web application security. Other than that, my interests towards IT security have been growing since 1995. Funny enough, it was "Hackers", the movie, that sort of inspired me to spend my time on solving interesting problems with my not-so-advanced for that time PC, rather than wasting time on games. Back then, I had a 286 MHz "Pravetz", produced in Bulgaria. One of the first projects of mine was a simple calculator that was also password protected. When I finished the project, I also learned how to trick the password protection mechanism by modifying the jumper inside the program binary. That was fun. The Bulgarian underground scene used to be a great resource for me to learn. I started reading an online-zine called Phreadom. I am still looking for the old issues but I guess they are somehow lost forever.

I started hacking from the time I learned how to program. My Dad told me that programming is one of the few professions out there that teaches you about the world in general, since programmers try to reflect real world problems into easy to maintain and use software products. That made me start thinking outside the box. I define myself as a life-hacker. I guess this is the reason why I am where I am today. When I came to the UK I didn't want to waste time, so I did a lot of security related projects. This is when my IT Security career started. I was 18 and I was doing the stuff that I wanted to do all my life.”

Based out of London, UK, pdp is only 22 years old. Below is a list of his contributions to the webappsec community.


Books:-

XSS Attacks: Exploits and Defense
http://www.amazon.com/Cross-Site-Scripting-Attacks-Exploits/dp/1597491543/sr=1-1/qid=1170769149?ie=UTF8&s=books

Articles:-

The Web has Betrayed Us
http://www.gnucitizen.org/blog/the-web-has-betrayed-us

Persistent CSRF and The Hotlink Hell
http://www.gnucitizen.org/blog/persistent-csrf-and-the-hotlink-hell

Preventing CSRF
http://www.gnucitizen.org/blog/preventing-csrf

Sex, Candies and Bookmarklet Exploits
http://www.gnucitizen.org/blog/sex-candies-and-bookmarklet-exploits

The Machine is Using Us
http://www.gnucitizen.org/blog/the-machine-is-using-us

Playing in Large
http://www.gnucitizen.org/blog/playing-in-large

Universal PDF XSS After Party
http://www.gnucitizen.org/blog/universal-pdf-xss-after-party

Danger Danger Danger
http://www.gnucitizen.org/blog/danger-danger-danger

Web OS
http://www.gnucitizen.org/blog/web-os

Cross-site Request Forgery
http://www.gnucitizen.org/blog/cross-site-request-forgery

The 0XSS Credo
http://www.gnucitizen.org/blog/the-0xss-credo

The Backdooring Series:
http://www.gnucitizen.org/blog/backdooring-images
http://www.gnucitizen.org/blog/backdooring-mp3-files
http://www.gnucitizen.org/blog/backdooring-quicktime-movies
http://www.gnucitizen.org/blog/backdooring-flash-objects-receipt
http://www.gnucitizen.org/blog/backdooring-flash-objects
http://www.gnucitizen.org/blog/backdooring-web-pages

The XSSing the Lan Series:
http://www.gnucitizen.org/blog/xssing-the-lan-4
http://www.gnucitizen.org/blog/xssing-the-lan-3
http://www.gnucitizen.org/blog/xssing-the-lan-2
http://www.gnucitizen.org/blog/xssing-the-lan


Presentation:-

Advanced Web hacking revealed
http://www.owasp.org/index.php/6th_OWASP_AppSec_Conference_-_Italy_2007/Agenda


Tools written by him:-

Some of the tools published by him

JavaScript YPipes Spider
http://www.gnucitizen.org/projects/6th-owasp-conference/spider.htm

JavaScript TinyURL Filesystem
http://www.gnucitizen.org/projects/6th-owasp-conference/tinyfs.htm

Google Hacking Database Interface
http://www.gnucitizen.org/applications/ghdb

JavaScript Port Scanner
http://www.gnucitizen.org/projects/javascript-port-scanner

Greasemonkey Backdoor
http://www.gnucitizen.org/projects/greasecarnaval

Exploit Development Environment for Firefox
http://www.gnucitizen.org/projects/technika

Geo position Zombies on a map
http://www.gnucitizen.org/applications/zombiemap

Attack Framework for controlling zombies
http://www.gnucitizen.org/applications/backframe

Simple JavaScript testing framework
http://www.gnucitizen.org/projects/firetest

Powerful JavaScript based attack library
http://www.gnucitizen.org/projects/attackapi

The Cross-site Scripting database
http://www.gnucitizen.org/applications/xssdb

Powerful and very customizable attack communication channel
http://www.gnucitizen.org/projects/javascript-attack-channel

Set of utilities useful when performing enumeration attacks
http://www.gnucitizen.org/projects/met


Company working for:-

NTA-Monitor


Email:-

pdp__at__gnucitizen_dot_org


Blog:-

gnucitizen.org


Web:-

gnucitizen.org


Companies worked for:-

Freelance


pdp has a vast knowledge of the different technologies and frameworks available on the internet. If you are not already following his blog, I would recommend doing so. He brings up some good points for the webappsec community.

Last Week – Saumil Shah
Next Week – Alex Stamos
