Code. Software and scripts.

  • For Doyensec, I've prepared the material for a class titled Developing Burp Suite Extensions. In this hands-on class, attendees learn how to design and develop Burp Suite extensions for a variety of tasks. In a few hours, we work on several plugins to improve manual security testing efforts as well as to create fully-automated security tools. This workshop is based on real-life use cases where the extension capabilities of the tool can be unleashed to improve efficiency and effectiveness of security auditing. All code/exercises are available for free on Doyensec's Github Repo.
  • Bradamsa - is a Burp Suite extension for Radamsa, a well-known fuzzer made by the Oulu University Secure Programming Group. This plugin allows to generate Intruder payloads using Radamsa.
  • After the public disclosure of a critical vulnerability in Ubiquiti Networks mFi, I developed mFiPatchMe - Using this unofficial security patch tool, it is possible to modify the mFi controller service, and fix the security bypass discovered in the authentication mechanism of this software. Since it appears that the product line has been discontinued, mFiPatchMe may be the only patch available to mFi users.
  • Burp Suite used to have anti-debugging techniques, which increase the complexity of debugging custom extensions. For this reason, I developed a small utility to patch your own copy of Burp Free and allow debugging in NetBeans, Eclipse, etc. BurpPatchMe can be downloaded here. For more details on the technical implementation, please refer to the anti-debugging techniques and Burp Suite blog post.

Papers. From articles to whitepapers.

  • Instant Burp Suite Starter. A practical hands-on guide to get started with Burp Suite. Aimed at beginners, this book will teach everything you need to know to get started with testing your first application using the powerful toolkit provided by Burp Suite Free (Packt Publishing, 70 pages, ISBN-10 1849695180).
  • In Using Dharma to rediscover Node.js out-of-band write in utf8 decoder, I used a real-life vulnerability that had almost no public information available to describe how to use Mozilla's Dharma for vulnerability discovery.
  • Since 2006, I've contributed as co-author to the OWASP Testing Guide, the most well known web application penetration testing methodology. The latest version is available for download here.
  • MS Access SQL Injection Cheat Sheet is a technical reference to illustrate SQL injection exploitation techniques when Microsoft Access is used as datastore.
  • The Hackers Ethic. Hands On Imperative. A short book that tells the story and the glory of the hacker community, from the first American hackers generation to the Italian scene. This short book was a written assignment during a class at the Politecnico di Milano university. Available in Italian only.
  • "Spaghetti hacker" for a night. A diary entry on my experience during one of the first Academic Capture The Flag competitions (iCTF 2005). Available in Italian only.
  • Authorship analysis using fuzzy-logic. A scientific paper that explores the possibility to apply fuzzy-logic in order to discover authorship abuses during computer forensic cases and source code attribution. Available in Italian only.

Presentations. Slides and other materials used during conferences.

  • During OWASP AppSec USA 2015, together with Mukul Khullar, I delivered a lightning training on Mod Security. Mainly targeted at beginners, the training illustrates how to install, configure and protect web applications using ModSecurity. Students can learn the basics, starting from configuring the WAF in detection mode using the OWASP ModSecurity Core Rule Set to writing custom rules. Both slides and the full lab environment (VirtualBox VM, MD5 6f838d64b5946a6e7c6d7e0a25653465) are available for download.
  • From design to implementation, numerous open-source solutions can be used to build a solid security roadmap. Especially in startups, collaboration is a fertile ground. Encouraging open-source participation creates opportunities for developers and the security community to build better software. In Leverage OpenSource to improve your security, I shared a few lessons learned on startup security, secure software development and the power of open-source. A list of resources cited in the talk is also available.
  • From CVE-2010-0738 to the recent JBoss worm. An overview of JBoss security issues, including the recent worm outbreak targeting CVE-2010-0738. This presentation introduces an improved exploitation technique against JBoss' JMXInvokerServlet, as demonstrated by this proof-of-concept.
  • Tomcat Vulnerabilities. The evolution of the species. Apache Tomcat is one of the most popular implementations of the Java Servlet and Java Server Pages technologies. Despite being widely deployed, several vulnerabilities have been discovered over the past years. In this talk, I analyzed old vulnerabilities and discussed trends and potential new attack vectors.
  • Bluetooth Security. A presentation on Bluetooth's core stack, security mechanisms and attacks. Available in Italian only.
  • Ekahau Position Engine. An introductory analysis of Ekahau, a software solution aimed at building positioning systems using mobile devices and WiFi technology.