Skip to content
View Bo0oM's full-sized avatar
💣
3, 2, 1...
💣
3, 2, 1...

Block or report Bo0oM

Block user

Prevent this user from interacting with your repositories and sending you notifications. Learn more about blocking users.

You must be logged in to block users.

Please don't include any personal information such as legal names or email addresses. Maximum 100 characters, markdown supported. This note will be visible to only you.
Report abuse

Contact GitHub support about this user’s behavior. Learn more about reporting abuse.

Report abuse
Bo0oM/README.md

Whoami

Anton Lopanitsyn

Web application security researcher. Current Location: Moscow, Russia

Blog: https://bo0om.ru

Twitter: @i_bo0om

Telegram channel: @webpwn

Penetration testing for business https://vulner.ru

Exploit & hacktool search engine https://sploitus.com

Antifraud for everyone https://antibot.ru

Leak finder https://passleak.com


Skills:

  • Web application security research;
  • Browser security and client-side exploits;
  • Web Application Firewall development and evasion;
  • Vulnerability scanning automation.

Achievements:

  • Experienced public speaker (more than 20 presentation);
  • CVEs in browsers;
  • Active researcher, lots of publications and whitepapers;
  • Received bug bounties from Microsoft, Google, Twitter, LinkedIn, Yandex, Cloudflare, VK.com, QIWI, Mail.ru, etc;
  • Nominated for the Top 10 web hacking technologies in 2017 and 2018;

Activities

Urban.Tech Moscow

First place in the category "searching for vulnerabilities"

https://www.vtbcareer.com/about/news/vtb-nagradil-uchastnikov-khakatona-urban-tech-moscow-v-nominatsii-finansy-/

https://www.kp.ru/daily/27063/4131459/

Wallarm Research Team:

https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa

https://lab.wallarm.com/the-good-the-bad-and-the-ugly-of-safari-in-client-side-attacks-56d0cb61275a

https://lab.wallarm.com/hunting-the-files-34caa0c1496

https://lab.wallarm.com/blind-ssrf-exploitation/

Nominations:

https://portswigger.net/blog/top-10-web-hacking-techniques-of-2017-nominations-open

https://portswigger.net/blog/top-10-web-hacking-techniques-of-2018-nominations-open

Xakep magazine:

https://xakep.ru/author/bo0om/

Other:

https://hackerone.com/bo0om

https://github.com/Bo0oM


Whitepapers & Publications

Hosting dashboard web application logic vulnerabilities

There's Nothing so Permanent as Temporary

De-anonymization and total espionage

"You're so funny", about funny vulnerabilities in web applications. Mail.ru Security Meetup

Not by Nmap Alone

Geek Picnic 2015 - Big Brother is watching you

Security of payment systems and banks

VolgaCTF 2016 - DNS and attacks

Defcon KZ 2016 - Website reconnaissance tools

A blow under the belt. How to avoid WAF/IPS/DLP

KazHackStan 2017 | Tracking

Armsec 2017 | 2 bugs 1 safari

User-friendly, though. (Messaging bots expose sensitive data)

Safety for paranoids. Everything is bad.

ZeroNights Web Village Organizer

Web Application Cache Poisoning Mail.ru Security Meetup

Defcon Russia 2017 - Google Glass with AI

VolgaCTF 2018 - Neatly bypassing CSP

KazHackStan - "><script>alert()</script>

Defcon DC7499 Meetup - Param-pam-pam

Offzone | Another waf bypass

Speaker on SK Cyberday

ZeroNights 2018 | Race Condition Tool

ZeroNights 2018 | I <"3 XSS

PartyHack 2019 | How I hack the telegram

2000-day in Safari

Zeronights 2019 | Phoenix hunting

ZeroNights Web Village Organizer

OWASP Moscow Meetup #9

Wallarm Meetup 08.2020

Server-side request forgery via ftp account

Funny vulnerabilities especially for Fool's Day

ZeroNights 2021 | 31337

KHS | Defending against automatization

HighLoad++ | Protection against malicious automation

Pinned Loading

  1. Safiler Safiler Public

    Safari local file reader

    Python 122 21

  2. fuzz.txt fuzz.txt Public

    Potentially dangerous files

    2.9k 493

  3. CVE-2017-7089 CVE-2017-7089 Public

    Webkit uxss exploit (CVE-2017-7089)

    HTML 64 13

  4. CVE-2017-5124 CVE-2017-5124 Public

    Chrome < 62 uxss exploit (CVE-2017-5124)

    PHP 161 29