Projects. Prominent research projects and open-source software.
*** This Page Is Outdated *** Please refer to Doyensec's Research Page for the list of projects I've worked on in recent years.
SerialKiller
Java deserialization vulnerabilities have recently gained popularity due to a renewed interest from the security community. Despite being publicly discussed for several years, a significant number of Java based products are still affected. In the wake of recent security advisories, I've created a library that can be used to protect J2EE applications. SerialKiller is an easy-to-use look-ahead Java deserialization library; it inspects Java classes during naming resolution and allows a combination of blacklisting/whitelisting to secure applications.
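As an added illustration of the look-ahead technique described above (example code written for this page, not SerialKiller's own implementation): a subclass of ObjectInputStream checks each class name in resolveClass(), before the class is loaded and before any of its readObject()/readResolve() code can run, and applies a whitelist plus a blacklist of package prefixes; the allowed types and denied prefixes are constructed for the demo and would be tailored per endpoint.

```java
import java.io.*;
import java.util.List;
import java.util.Set;

// Hypothetical look-ahead ObjectInputStream (not SerialKiller's code).
// resolveClass() runs as each class descriptor is read, so a rejected
// type is never loaded or instantiated. Requires Java 9+ for Set.of/List.of.
public class LookAheadObjectInputStream extends ObjectInputStream {
    // Constructed whitelist: only the types this endpoint legitimately expects.
    // java.lang.Number is needed because Integer's superclass descriptor is resolved too.
    private static final Set<String> ALLOWED = Set.of(
        "java.lang.String", "java.lang.Integer", "java.lang.Number",
        "java.util.ArrayList", "java.util.HashMap");
    // Constructed blacklist of package prefixes that have no business in this stream.
    private static final List<String> DENIED_PREFIXES = List.of(
        "org.apache.commons.collections.", "com.sun.rowset.");

    public LookAheadObjectInputStream(InputStream in) throws IOException { super(in); }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        for (String p : DENIED_PREFIXES) {
            if (name.startsWith(p)) throw new InvalidClassException(name, "denied by blacklist");
        }
        if (!ALLOWED.contains(name)) throw new InvalidClassException(name, "not whitelisted");
        return super.resolveClass(desc);  // name passed both checks: load it normally
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] b) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new LookAheadObjectInputStream(new ByteArrayInputStream(b))) {
            return ois.readObject();
        }
    }

    // Demo: an expected payload is accepted; a stream carrying a type outside the
    // whitelist (java.util.Date, used only as a harmless stand-in) is rejected up front.
    public static void main(String[] args) throws Exception {
        System.out.println(deserialize(serialize(new java.util.ArrayList<>(List.of("ok", 1)))));
        try {
            deserialize(serialize(new java.util.Date()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```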
Parrot NG
ParrotNG is a tool capable of identifying Adobe Flex applications (SWF) vulnerable to CVE-2011-2461. It is implemented in Java, and can be used as stand-alone software or as a Burp Pro passive scanner plugin. Thanks to this tool, Mauro Gentile and I were able to conduct a large-scale analysis of popular websites, resulting in the identification of numerous Alexa Top 50 sites vulnerable to this Same Origin Policy bypass.
- Code: https://github.com/ikkisoft/ParrotNG
- Slides: The old is new, again. CVE-2011-2461 is back! - Troopers 15
- Video: The old is new, again. CVE-2011-2461 is back! - Troopers 15
- Advisory: Adobe Flex ResourceModuleURLs Security Advisory (Yahoo!)
- More details on blog.nibblesec.org and blog.mindedsecurity.com
AMF Blazer
Blazer is a custom Flash AMF messages generator with fuzzing capabilities, developed as a Burp Suite plugin. Blazer implements a new testing approach, introduced at Black Hat USA 2012, that allows researchers to improve coverage during AMF testing. It is designed to make AMF testing easy, and yet allow full control over the entire security testing process.
- Code: https://github.com/ikkisoft/blazer
- Slides: AMF Testing Made Easy! - DeepSec 2012
- Slides: AMF Testing Made Easy! - BH USA 2012
- Whitepaper: AMF Testing Made Easy! - BH USA 2012
- Article: Effective AMF Remoting fuzzing
- Videos: AMF testing with Blazer - Part I, AMF testing with Blazer - Part II, AMF testing with Blazer - Part III
HTTP Parameter Pollution
In 2009, Stefano Di Paola and I presented a new class of vulnerabilities named HTTP Parameter Pollution (HPP), which affects both server and client components. Supplying multiple occurrences of the same HTTP parameter may cause an application to interpret values in unexpected ways, leading to numerous critical flaws.
- Slides: HTTP Parameter Pollution - AppSec 2009
- Slides: HTTP Parameter Pollution - SEaCURE.it 2009
- Article: HTTP Parameter Pollution Vulnerabilities
- Article: Testing for HTTP Parameter pollution (OTG-INPVAL-004)
- More details on blog.nibblesec.org and blog.mindedsecurity.com
- This research was awarded 2nd in the Top Ten Web Hacking Techniques of 2009
BlueBag
From May 2006 to May 2007, Claudio Merloni and I developed a covert Bluetooth attack and infection device: the BlueBag. Hidden in a traditional (blue) suitcase, a relatively complex mix of hardware and software made it possible to study weaknesses and possible attacks against Bluetooth-enabled devices.
- Whitepaper: Studying Bluetooth Malware Propagation. Appeared in "IEEE Security & Privacy", March 2007
- Whitepaper: Going around with Bluetooth in full safety. First European Bluetooth devices security survey, in collaboration with F-Secure
- Slides: The BlueBag - BH USA 2006
- Slides: The BlueBag - Confidence 2007
- Article: Bluetooth Malware. Introduction to Bluetooth worms (Available in Italian only)
- Pictures: 1, 2, 3
- Video: Behind-The-Scenes
- Code: Public Code Release. Python scripts useful to implement Bluetooth scanners, honeypots, obex pushers, etc.
Java.String Eclipse Checker
During my last two years at the Politecnico di Milano, I designed and implemented a pioneering static analysis methodology for J2EE applications. The core engine was implemented as an Eclipse plugin: Java.String Eclipse Checker (JSEC). The tool is capable of detecting software vulnerabilities (mainly XSS and SQL Injection) in modern Java web applications.
- Slides: String Analysis for the Detection of Web Application Flaws - ISSE 2007
- Video: Demo - ISSE 2007
- Slides: String Analysis for the Detection of Web Application Flaws - Confidence 2007
- Thesis: Computer Engineering M.S. thesis at the Politecnico di Milano (Available in Italian only)