Luca Carettoni

Borgo Maggiore, San Marino
3544 followers, 500+ connections

About

I am a software security engineer turned into entrepreneur.

I like to experiment…

Projects

  • A Study of Electron Security

    - Present

    During the Black Hat Briefings 2017, Doyensec’s co-founder Luca Carettoni presented new research on Electron (https://electronjs.org/) security. We were the first company to release a comprehensive security study of the popular desktop applications framework. After a quick overview of Electron’s security model, we disclosed design weaknesses and implementation bugs that can be leveraged to compromise any Electron-based application. In particular, we discussed a bypass that would allow reliable Remote Code Execution (RCE) when rendering untrusted content (for example via Cross-Site Scripting) even with framework-level protections in place. See https://blog.doyensec.com/2017/08/03/electron-framework-security.html and https://doyensec.com/resources/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security.pdf for more details.

  • SerialKiller

    Java deserialization vulnerabilities have recently gained popularity due to a renewed interest from the security community. Despite being publicly discussed for several years, a significant number of Java-based products are still affected. In the wake of recent security advisories, I've created a library that can be used to protect J2EE applications. SerialKiller is an easy-to-use look-ahead Java deserialization library; it inspects Java classes during naming resolution and allows a combination of blacklisting/whitelisting to secure applications.

  • ParrotNG and Flash's Same Origin Policy bypass

    ParrotNG is a tool capable of identifying Adobe Flex applications (SWF) vulnerable to CVE-2011-2461. It is implemented in Java, and can be used as stand-alone software or as a Burp Pro passive scanner plugin. Thanks to this tool, Mauro Gentile and I were able to conduct a large-scale analysis on popular websites, resulting in the identification of numerous Alexa Top 50 sites vulnerable to this Same Origin Policy bypass.

  • HTTP Parameter Pollution (HPP)

    Together with Stefano Di Paola, we presented a new class of vulnerabilities named HTTP Parameter Pollution (HPP). Supplying multiple occurrences of the same HTTP parameter may cause an application to interpret values in unanticipated ways, leading to numerous critical flaws. This research was awarded 2nd in the Top Ten Web Hacking Techniques of 2009.

  • Java.String Eclipse Checker (JSEC)

    During the last two years at the university, I worked on a pioneering static analysis methodology for J2EE applications. The results were implemented in an Eclipse plugin, named Java.String Eclipse Checker (JSEC), to detect software vulnerabilities (XSS, SQL Injection) in Java web applications.

  • Blazer - AMF Testing Made Easy!

    Blazer is a custom AMF message generator with fuzzing capabilities, developed as a Burp Suite plugin. It is designed and implemented to make AMF testing easy, and yet allows researchers to fully control the entire security testing process.

  • BlueBag

    From May 2006 to May 2007, together with a former colleague, we developed a covert Bluetooth attack and infection device: the BlueBag. Hidden in a traditional (blue) suitcase, a relatively complex mix of hardware and software made it possible to study weaknesses and potential attacks against Bluetooth-enabled devices.


Languages

  • English

    Full professional proficiency

  • Italian

    Native or bilingual proficiency

  • Polish

    Elementary proficiency
