Petko D. Petkov


Petko D. Petkov, a.k.a pdp, is founder and leading member of the GNUCITIZEN Information Security Think Tank. pdp is a recognized information security researcher, security tools developer, penetration tester, frequent speaker at industry recognized events, and published author who has contributed to several best-selling books, numerous popular blogs and online magazines. more

Landing Proxify

I am really happy to announce the first release of proxify. I started writing this tool several years ago but I was never able to finished it. The first release (version 1.0) is now available for download on all platforms: Linux, Mac and Windows.

What is Proxify

The idea behind Proxify is to create a proxy that is just good at doing proxying. It is the proxy of all proxies so-to-say. [...]

more | comments | comments rss | posted by

Fuzzing XML and JSON Pt.1

It is hard to get back to blogging especially when there are easier alternatives to scratch your itch – I am talking about twitter. However, I decided to make the effort and see where it takes me. It will be difficult initially but practice leads to continuous improvement.

What I would like to do is to highlight some of the work I did to take two relatively simple and straightforward penetration testing practices to the next level: this is XML and JSON fuzzing. [...]

more | comments | comments rss | posted by

You and Your Research

This is really one of my favourite talks from this year’s HITB in KL.

@haroonmeer did an exceptional job at describing what it takes to produce an exceptional piece of work/research and the various pitfalls and sacrifices one needs to make.

more | comments | comments rss | posted by

Well Websecurify Runs on The iPhone

This is not necessarily news anymore since it was discussed on the Websecurify official blog but we are so excited about it that we could not hold ourselves from posting it here too.

The testing engine used in this particular version of Websecurify is optimized to run with the least possible amount of memory. The results of the scanner are as good as those produced by all other Websecurify variants although in some cases it may miss some statistically unlikely types of issues. [...]

more | comments | comments rss | posted by


I have been avoiding the topic about Stuxnet for quite some time, mainly because there were many others who spent the time to take the virus apart. However, here is a video, which I find rather amusing:

Wether this is the real deal or simply fear mongering, I simply don’t know. It is all speculations at the moment. [...]

more | comments | comments rss | posted by


What is the best way to spend a quiet, weekend afternoon? – Jump off a perfectly working plane while 10,000 feet in the air.

On 5th of July 2009, the GNUCITIZEN team and friends came together to perform a skydiving gig. It has been two months since that day but memories are still as clear as yesterday.

more | comments | comments rss | posted by

Free Web Application Security Testing Tool

Automated Web Application Security Testing tools are in the core of modern penetration testing practices. You cannot rely 100% on the results they produce, without considering seriously their limitations. However, because these tools are so good at picking the low-hanging fruit by employing force and repetition, they still have a place in our arsenal of penetrating testing equipment.

These tools are not unfamiliar to modern day penetration testers. [...]

more | comments | comments rss | posted by

Breaking Into a Home With an iPhone

This is going to be one of these quick posts which just makes you think what the information security landscape will be like in 5 years. Before I move on with my commentary, here is a video which is essential for you to watch.

Got the idea? No? Let me explain. What you see in the video above is an application for the iPhone which gives you detailed characteristics of properties (houses) in USA. [...]

more | comments | comments rss | posted by

Extensions at War

Oh yes, the digital battlefield is taking unusual shapes. The latest manifestation of cyber warfare is a conflict between the Adblock Plus and the NoScript extensions. The story goes that NoScript used some JavaScript tactics and, of course, some obfuscations in order to cripple the Adblock Plus functionalities. This attack was a response to Adblock Plus blocking NoScript ads which you see when you upgrade the extension, which as you know happens quite regularly, don’t know why. [...]

more | comments | comments rss | posted by

Exploit Sweatshop

When I was playing/introducing the partial disclosure practice an year and something ago, I did get contacted by numerous dodgy characters willing to buy yet undisclosed vulnerabilities for substantial amount of money. Of course, requests of that nature were kindly ignored. I couldn’t believe that someone was willing to give me so much money for something I virtually spent 2-3 hours maximum to produce. [...]

more | comments | comments rss | posted by