Whoami

Anton Lopanitsyn

Web application security researcher. Current Location: Moscow, Russia

Blog: https://bo0om.ru

Twitter: @i_bo0om

Telegram channel: @webpwn

Penetration testing for business https://vulner.ru

Exploit & hacktool search engine https://sploitus.com

Antifraud for everyone https://antibot.ru

Leak finder https://passleak.com

---

Skills:

• Web application security research;
• Browser security and client-side exploits;
• Web Application Firewall development and evasion;
• Vulnerability scanning automation.

Achievements:

• Experienced public speaker (more than 20 presentation);
• CVEs in browsers;
• Active researcher, lots of publications and whitepapers;
• Received bug bounties from Microsoft, Google, Twitter, LinkedIn, Yandex, Cloudflare, VK.com, QIWI, Mail.ru, etc;
• Nominated for the Top 10 web hacking technologies in 2017 and 2018;

---

Activities

Urban.Tech Moscow

First place in the category "searching for vulnerabilities"

https://www.vtbcareer.com/about/news/vtb-nagradil-uchastnikov-khakatona-urban-tech-moscow-v-nominatsii-finansy-/

https://www.kp.ru/daily/27063/4131459/

Wallarm Research Team:

https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa

https://lab.wallarm.com/the-good-the-bad-and-the-ugly-of-safari-in-client-side-attacks-56d0cb61275a

https://lab.wallarm.com/hunting-the-files-34caa0c1496

https://lab.wallarm.com/blind-ssrf-exploitation/

Nominations:

https://portswigger.net/blog/top-10-web-hacking-techniques-of-2017-nominations-open

https://portswigger.net/blog/top-10-web-hacking-techniques-of-2018-nominations-open

Xakep magazine:

https://xakep.ru/author/bo0om/

Other:

https://hackerone.com/bo0om

https://github.com/Bo0oM

---

Whitepapers & Publications

Hosting dashboard web application logic vulnerabilities

• http://2013.zeronights.org
• https://www.slideshare.net/DefconRussia/dmitry-boomov-hosting-dashboard-web-application-logic-vulnerabilities

There's Nothing so Permanent as Temporary

• http://2014.phdays.com/program/fast-track/36818/

De-anonymization and total espionage

• http://2014.zeronights.org/conference/agenda.html#boomov

"You're so funny", about funny vulnerabilities in web applications. Mail.ru Security Meetup

• https://corp.mail.ru/ru/press/events/SecurityMeetup/

Not by Nmap Alone

• http://2015.phdays.com/program/40913/

Geek Picnic 2015 - Big Brother is watching you

• https://geek-picnic.me/
• https://www.slideshare.net/ssusera0a306/geek-picni

Security of payment systems and banks

• https://www.slideshare.net/ssusera0a306/15062016-65895810

VolgaCTF 2016 - DNS and attacks

• https://www.slideshare.net/ssusera0a306/volgactf-bo0om-dns-and-attacks

Defcon KZ 2016 - Website reconnaissance tools

• https://www.slideshare.net/ssusera0a306/ss-67913818

A blow under the belt. How to avoid WAF/IPS/DLP

• https://2016.zeronights.org/conference-materials/presentations/
• https://www.slideshare.net/ssusera0a306/zeronights-2016-a-blow-under-the-belt-how-to-avoid-wafipsdlp-wafipsdlp

KazHackStan 2017 | Tracking

• https://www.slideshare.net/ssusera0a306/kazhackstan-2017-tracking

Armsec 2017 | 2 bugs 1 safari

• https://armsec.org/
• https://www.slideshare.net/ssusera0a306/armsec-2017-2-bugs-1-safari

User-friendly, though. (Messaging bots expose sensitive data)

• http://2017.phdays.com/program/231384/

Safety for paranoids. Everything is bad.

• http://2017.russianinternetweek.ru/en/forum/program/1/640

ZeroNights Web Village Organizer

• https://2017.zeronights.org/program/web-village/

Web Application Cache Poisoning Mail.ru Security Meetup

• https://corp.mail.ru/ru/press/events/444/

Defcon Russia 2017 - Google Glass with AI

• https://www.slideshare.net/ssusera0a306/defcon-russia-2017-bo0om-vs

VolgaCTF 2018 - Neatly bypassing CSP

• https://www.slideshare.net/ssusera0a306/volgactf-2018-neatly-bypassing-csp

KazHackStan - "><script>alert()</script>

• https://kazhackstan.kz/#program

Defcon DC7499 Meetup - Param-pam-pam

• https://www.slideshare.net/ssusera0a306/dc7499-parampampam

Offzone | Another waf bypass

• https://2018.offzone.moscow/report/alternativnyy-obkhod-waf-cheat-sheet/

Speaker on SK Cyberday

• https://sk.ru/foundation/events/november2018/cyberday/

ZeroNights 2018 | Race Condition Tool

• https://www.slideshare.net/ssusera0a306/zeronights-2018-race-condition-tool

• https://github.com/racepwn/racepwn

ZeroNights 2018 | I <"3 XSS

• https://www.slideshare.net/ssusera0a306/zeronights-2018-i-3-xss

PartyHack 2019 | How I hack the telegram

• https://partyhack.ru

2000-day in Safari

• https://www.phdays.com/en/program/reports/2000-day-in-safari/

Zeronights 2019 | Phoenix hunting

• https://zeronights.ru/en/program-en/

ZeroNights Web Village Organizer

• https://zeronights.ru/en/program-en/

OWASP Moscow Meetup #9

• https://www.meetup.com/ru-RU/OWASP-Moscow/events/266925142/

Wallarm Meetup 08.2020

• https://speakerdeck.com/bo0om/interpret-it

Server-side request forgery via ftp account

• https://speakerdeck.com/bo0om/ftp2rce

Funny vulnerabilities especially for Fool's Day

• https://speakerdeck.com/bo0om/your-back-is-white

ZeroNights 2021 | 31337

• https://speakerdeck.com/bo0om/bo0om-zn2021

KHS | Defending against automatization

• https://speakerdeck.com/bo0om/khs-bo0om

HighLoad++ | Protection against malicious automation

• https://speakerdeck.com/bo0om/zashchita-ot-vriedonosnoi-avtomatizatsii-sieghodnia