[0x01] My Current Projects

RBS - The Royal Bank of Scotland Group

I'm currently employed as a Penetration Testing Specialist at RBS in Warsaw, Poland. My daily activities include performing security audits and ethical hacking against several online banking systems worldwide.

OWASP Italy

I'm an active member of the OWASP Italy chapter, a worldwide free and open community focused on improving the security of application software.

[0x02] Advisories/Exploits

Here you can find security advisories as well as exploits developed during my vulnerability research activities. Please be aware that I don't accept any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, these information.

• #[LC-2009-01] ZeroShell <= 1.0beta11 Remote Code Execution
• #[LC-2008-07] DFLabs PTK Local Command Execution (PoC Video)
• #[LC-2008-06] TBA
• #[LC-2008-05] 3Com OfficeConnect Wireless Cable/DSL Router Authentication Bypass
• #[LC-2008-04] Nokia Browser Array Sort Denial Of Service Vulnerability
• #[LC-2008-03] TBA
• #[LC-2008-02] TBA
• #HP System Management Homepage (SMH) XSS
• #[SN-2008-01] Philips VOIP841 Multiple Vulnerabilities
• #[SN-2007-03] Simple PHP Blog Multiple Vulnerabilities
• #[SN-2007-02] Boa HTTP Basic Authentication Bypass
• #[SN-2007-01] GCALDaemon Remote DoS
• #[SN-2006-01] Multiple Vulnerabilities in Hummingbird Collaboration
• #[SN-2005-01] Siemens SANTIS 50 Authentication Vulnerability

[0x03] Slides

WebApp Security

• #HTTP Parameter Pollution [PDF, EN]

  During OWASP AppSec EU 2009, Krakow (Poland), me and Stefano Di Paola have presented a newly discovered input validation vulnerability called "HTTP Parameter Pollution" (HPP). Basically, it can be defined as the feasibility to override or add HTTP GET/POST parameters by injecting query string delimiters. During the last months, we have discovered several real world flaws in which HPP can be used to modify the application behaviors, access uncontrollable variables and even bypass input validation checkpoints and WAFs rules.

• #Apache Tomcat Vulnerabilities [PDF, IT]

  Smau 2008, Milan (Italy). Apache Tomcat is probably one of the most famous implementations of the Java Servlet and JavaServer Pages technologies. Although the ASF considers the security of its products as a requirement of prime importance, several critical vulnerabilities were discovered in the last years. Let's understand these flaws in this talk.

• #You develop. I Hack. [PDF, IT]

  Infosecurity 2008, Milan (Italy). In this speech, I explained the different point of view between developers and penetration testers showing how it is difficult to find a good balance between usability and security.

• #String Analysis for the Detection of Web Application Flaws [PDF, EN]

  In this turbo talk I presented an overview of the input validation flaws, I showed the theoretical aspects of the J.S.E.C. project and the tool, evaluating the effectiveness of this solution during the development of secure web applications. ISSE/SECURE 2007, Warsaw (Poland).

• #J.S.E.C. demo (video) [SWF, EN]

  Demo used during the ISSE/SECURE 2007 speech. Looking for vulnerabilities in OWASP WebGoat using J.S.E.C.

• #Buzzwords Security [PDF, IT]

  At the Italian edition of the OWASP Day Worldwide, I gave this technical talk: how to exploit a WiFi Access Point using XSS and other attack techniques. It's the same presentation used at Smau 2007.

• #String Analysis for the Detection of Web Application Flaws [PDF, EN]

  Slides compiled for CONFidence 2007 in Krakow (Poland).

• #Static Analysis for the Detection of Vulnerabilities in the J2EE Environment [PDF, IT]

  Slides compiled for the public discussion of my master degree thesis at the Politecnico di Milano.

• #Web Application Security (Secure Coding) [PDF, IT]

  Slides compiled for the Linux Day 2005, Somma Lombardo (VA).

Bluetooth Security

• #Risks and threats of Bluetooth-enabled devices [PDF, IT]

  During the Proximity Forum 2008 in Milan (Italy), I showed the risks of the Bluetooth technology to a non-technical audience.

• #The BlueBag Project: from August 2006 to May 2007 [PDF, EN]

  At CONFidence 2007 in Krakow (Poland), I and Claudio Merloni presented our research about Bluetooth Security from August 2006 to May 2007.

• #A Mobile, Covert Bluetooth Attack and Infection Device [PDF, IT]

  Italian version of the Black Hat slides. We presented this speech in several Italian events (Smau 2006, OpenExp 2006, InfoSecurity 2007).

• #A Mobile, Covert Bluetooth Attack and Infection Device [PDF, EN]

  At the USA edition of Black Hat Briefings 2006, I and Claudio Merloni presented the BlueBag, an innovative, mobile and covert device to attack Bluetooth-enabled devices. The same presentation was used during IT Underground 2006 conference in Warsaw, Poland.

• #Bluetooth (In)security [PDF, IT]

  Slides of my talk during Smau 2005, Milan.

Miscellaneous

• #RFID, Security and Privacy [PDF, IT]

  A presentation of the incoming risks related to the RFID (Radio Frequency IDentification) technology. Slides used during OpenEXP 2006; part of this presentation was also used during the main Italian privacy related event in Florence, E-Privacy 2006.

• #The Hacker Ethic: hands on! [PDF, IT]

  A presentation of the "hands on" handbook.

• #Ekahau Position Engine. Preliminary Analysis [PDF, EN]

  Ekahau real-time location system. Back to 2004, this presentation reports an independent experiment made in order to evaluate the reliability of this wireless tracking solution.

[0x04] Articles/Papers

WebApp Security

• #Static Analysis for the Detection of Vulnerabilities in the J2EE Environment [PDF, IT]

  After a while, I decided to publish online my master degree thesis at the Politecnico di Milano regarding the J.S.E.C. project. Unfortunately, it is in Italian only.

• #WebApp Security Tools (v0.2) [PDF, IT]

  This document lists the different categories and the several web app security tools out there. It is intended to provide pure references.

• #OWASP Testing Guide v2 [WWW, EN]

  In the last semester of 2006, I was a contributor of the OWASP Testing Guide, the most well recognized web application penetration testing methodology.

• #Path Traversal [WWW, IT]

  A complete explanation of one of the most dangerous vulnerability and hacking attack technique.

• #Web Software Testing [WWW, IT]

  Black box testing and source code analysis use dual approaches in order to find security flaws. In this article I try to explain the difference between these two analysis methods using OWASP Lapse and Acunetix Web Vulnerability Scanner as examples.

• #OWASP interviews OWASP [WWW, IT]

  An interview with my friend Matteo Meucci about the OWASP Testing guide.

• #WebApp Auditing Software [WWW, IT]

  An introductory article about different software usable to conduct security audits against web applications.

• #WebApp Security from the OWASP point of view [WWW, IT]

  An extensive online article about the OWASP Top Ten vulnerabilities (2004 edition); it could be a good starting point for who want to approach the web application security.

• #WebML/WebRatio Security Audit [PDF, IT]

  Final report of a quick security audit on the data description model WebML and the web applications automatically generated using the tool WebRatio. This document is probably outdated since it was one of my first web app security projects.

Bluetooth Security

• #Studying Bluetooth Malware Propagation [PDF, EN]

  Appeared on "IEEE Security&Privacy" March/April 2007. Current Bluetooth worms pose relatively little danger compared to Internet scanning worms but things might change soon. We show targeted attacks through Bluetooth malware using proof-of-concept codes and devices that demonstrate their feasibility.

• #Bluetooth Malware [PDF, IT]

  Article appeared on Hakin9 Magazine (04/2007).

• #Going around with Bluetooth in full safety [PDF, EN]

  Final report of the first Italian Bluetooth devices survey made by me and colleagues at Secure Network, in collaboration with F-Secure. It was the first step of the BlueBag project.

• #Bluetooth Security: attack and defense techniques [WWW, IT]

  Introduction of Bluetooth security, vulnerabilities and known issues - part two.

• #Security in the Bluetooth communications [WWW, IT]

  Introduction of Bluetooth security, vulnerabilities and known issues - part one.

• #How to extend the range of your BT dongle [PDF, IT]

  How to modify a Bluetooth dongle in order to extend the range, spending 14 euro.

Miscellaneous

• #(In)Security Summer [WWW, IT]

  My reportage of the Black Hat and Defcon experience in August, 2006.

• #Authorship analysis, a fuzzy approach [PDF, IT]

  A scientific article that shows the possibility to use fuzzy logic in order to discover authorship abuses during computer forensic cases.

• #The Hacker Ethic: hands on! [PDF, IT]

  A short book that tells you the story and the glory of the hacker community, from the first American hackers generation to the Italian way to hack.

• #Program Slicing [PDF, IT]

  A scientific article that shows a quite interesting methodology of the modern software engineering. A slice consists of all program statements that affect the value at a point of interest inside the source code.

• #Behind the scenes of the CTF 2005 [PNG, IT]

  Article appeared on Internet.Pro magazine (September, 2005) about the Academic Capture The Flag competition. For further information, look at: CTF 2004 and CTF 2005.

• #"Spaghetti hacker" for a night [PDF, IT]

  Our hackish night during the university CTF 2005 competition.

• #Distributed computing and protein folding [WWW, IT]

  Article published on the "Open.Source" magazine about grid computing and the Folding@Home project. It's just available for magazine readers on number 10 July/August, 2004.

• #Apple RendezVous (now called "Bonjour") [PDF, IT]

  Back to 2004, a technical overview of the open source ZeroConf technology widely spreads into Apple's products.

[0x05] Code

#Directory Traversal Fuzzing Code - v0.2

A quite huge attack vectors list in order to trigger path traversal vulnerabilities.

Download here: dirTraversal.txt

#BlueBag (Public Code Release) - v0.1
(Online after a long while!)

From May 2006 to May 2007, my friend Claudio and I developed several scripts useful to implement Bluetooth scanners, honeypots, obex pushers.

The BlueBag "Public Code Release" is not intended to be a complete software solution. It is just a colletion of Python scripts...

Download here: bluebag_v0.1.zip

MD5 sum: bluebag_v0.1.zip.md5sum

#Smart Security Grep (SSGrep) - v0.11

Smart Security Grep is a simple PHP CLI script useful to grep source code during code review or security assessments.

SSGrep uses a modular knowledge base with multilanguage support. The current version includes the following KBs: "Java/JSP dangerous method calls v0.1", "sensitive information v0.1" and "lamer developers v0.1". To extend the knowledge base, just add a ".kb" file into the "data" directory.

Here you can find an example of the HTML output. More information on the README file. Email me your suggestions and comments.

Download here: ssgrep0.11.zip

#JSP Reverse Shell

A simple JSP Reverse Shell (Linux version). It's a very handy script during penetration tests in J2EE environment.

Download here: revshell.jsp

#AppleMail2KMail converter

A PHP CLI script to convert Apple Mail mailboxes into Kmail format. It was developed during my Mac->Linux migration.

Download here: applemail2kmail.php

[0x06] Geek Buffet

Stuff for nerds and geeks

• #LovePicking? Locks on the Tiber island lovers bridge, Rome

BlueBag Stories

• #BlueBag Logo The official logo of the project (100x164 pixels)
• #Pic 1 An high resolution picture of the whole system
• #Pic 2 Night vision picture
• #Pic 3 From an artistic point of view
• #Video 1 "Building the BlueBag" (Quicktime file format)
• #Press 1 Slashdot. Article (EN).
• #Press 2 InfoWorld. Article (EN).
• #Press 6 PC World New Zealand. Front page (EN).
• #Press 7 CNET News. Article (EN).
• #Press 3 PC World Italia. Article (IT).
• #Press 4 Data Manager. Article (IT).
• #Press 5 Repubblica. Article (IT).
• #Press 8 Punto Informatico. Article (IT).
• #Press 9 Tgcom. Article (IT).
• #Press 10 Zeus News. Article (IT).
• #Press 11 Corriere della Sera. Article (IT).
• #Press 12 ICT Security. Interview (IT).