“Working with Luca was among the best experiences I've had in my career so far. Luca has profound knowledge of his field. He is focused, excellent at managing a project, planning work, dealing with blockers, and, what's more important, he is reliable. Luca works fast but also understands the process. He is very thoughtful, and working with him is like running a marathon: well prepared, steady towards the goal. Luca is a person whom you can trust, whose work is always of a very high standard, and, what's more important, he will deliver and make sure that he meets customers' expectations. I cannot recommend him enough.”
Luca Carettoni
Borgo Maggiore, San Marino
3555 followers
500+ connections
About
I am a software security engineer turned entrepreneur.
I like to experiment…
Activity
-
moca2024 has started and is turning out to be the fantastic moca we promised 💜 Between one talk and the next (remember that on hackertracker you can find the…
Recommended by Luca Carettoni
-
Am invited to speak at RSTCON in Savannah/GA this Friday. Topic will be about my "low tech" CVE discovery experience in software like Node.js and…
Recommended by Luca Carettoni
-
📢📢 Breaking 📢📢 Pedro Ribeiro and Radek Domanski decided to release 🚀 two more tickets 🚀 for the training “Hunting Zero-Days In Embedded…
Recommended by Luca Carettoni
Experience
Projects
-
A Study of Electron Security
- Present
During the Black Hat Briefings 2017, Doyensec's co-founder Luca Carettoni presented new research on Electron (https://electronjs.org/) security. We were the first company to release a comprehensive security study of the popular desktop application framework. After a quick overview of Electron's security model, we disclosed design weaknesses and implementation bugs that can be leveraged to compromise any Electron-based application. In particular, we discussed a bypass that would allow reliable Remote Code Execution (RCE) when rendering untrusted content (for example via Cross-Site Scripting), even with framework-level protections in place. See https://blog.doyensec.com/2017/08/03/electron-framework-security.html and https://doyensec.com/resources/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security.pdf for more details.
-
SerialKiller
Java deserialization vulnerabilities have recently gained popularity due to renewed interest from the security community. Despite being publicly discussed for several years, a significant number of Java-based products are still affected. In the wake of recent security advisories, I've created a library that can be used to protect J2EE applications. SerialKiller is an easy-to-use look-ahead Java deserialization library; it inspects Java classes during name resolution and allows a combination of blacklisting/whitelisting to secure applications.
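The look-ahead idea described above, as an added illustration that is not SerialKiller's own code: the class name is checked in `resolveClass`, before the JVM loads anything, with a deny list consulted first and an allow list as the only way in. The package patterns (`com.example.dto`, the two deny entries) are a constructed sample policy, not a recommendation for any specific application.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.List;
import java.util.regex.Pattern;

// Illustrative look-ahead deserialization stream (assumed design, not SerialKiller's code).
public final class LookAheadObjectInputStream extends ObjectInputStream {

    // Constructed sample policy: deny a few packages known to host gadget chains,
    // then allow only boxed primitives, String and the application's own DTO package.
    private static final List<Pattern> DENY = List.of(
        Pattern.compile("^org\\.apache\\.commons\\.collections.*"),
        Pattern.compile("^com\\.sun\\.rowset\\..*"));
    private static final List<Pattern> ALLOW = List.of(
        Pattern.compile("^java\\.lang\\.(String|Integer|Long|Boolean)$"),
        Pattern.compile("^com\\.example\\.dto\\..*"));   // hypothetical app package

    public LookAheadObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    // Invoked for every class descriptor in the stream before the class is loaded,
    // so a rejected name never gets the chance to run static initializers or readObject().
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!isPermitted(name)) {
            throw new InvalidClassException(name, "class rejected by deserialization policy");
        }
        return super.resolveClass(desc);
    }

    // Deny list wins over allow list; anything matching neither is rejected (default deny).
    static boolean isPermitted(String name) {
        for (Pattern p : DENY) {
            if (p.matcher(name).matches()) return false;
        }
        for (Pattern p : ALLOW) {
            if (p.matcher(name).matches()) return true;
        }
        return false;
    }
}
```

Since Java 9 the same policy can also be expressed without subclassing, through `ObjectInputFilter` (or the `jdk.serialFilter` system property), which is the preferred mechanism on current JDKs.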
-
ParrotNG and Flash's Same Origin Policy bypass
ParrotNG is a tool capable of identifying Adobe Flex applications (SWF) vulnerable to CVE-2011-2461. It is implemented in Java and can be used as stand-alone software or as a Burp Pro passive scanner plugin. Thanks to this tool, Mauro Gentile and I were able to conduct a large-scale analysis of popular websites, resulting in the identification of numerous Alexa Top 50 sites vulnerable to this Same Origin Policy bypass.
-
HTTP Parameter Pollution (HPP)
Together with Stefano Di Paola, we presented a new class of vulnerabilities named HTTP Parameter Pollution (HPP). Supplying multiple occurrences of the same HTTP parameter may cause an application to interpret values in unanticipated ways, leading to numerous critical flaws. This research was awarded 2nd place in the Top Ten Web Hacking Techniques of 2009.
-
Java.String Eclipse Checker (JSEC)
During the last two years at university, I worked on a pioneering static analysis methodology for J2EE applications. The results were implemented in an Eclipse plugin, named Java.String Eclipse Checker (JSEC), to detect software vulnerabilities (XSS, SQL Injection) in Java web applications.
-
Blazer - AMF Testing Made Easy!
Blazer is a custom AMF message generator with fuzzing capabilities, developed as a Burp Suite plugin. It is designed and implemented to make AMF testing easy, yet it allows researchers to fully control the entire security testing process.
-
BlueBag
From May 2006 to May 2007, a former colleague and I developed a covert Bluetooth attack and infection device: the BlueBag. Hidden in a traditional (blue) suitcase, a relatively complex mix of hardware and software made it possible to study weaknesses and potential attacks against Bluetooth-enabled devices.
Languages
-
English
Full professional proficiency
-
Italian
Native or bilingual proficiency
-
Polish
Elementary proficiency
Recommendations received
5 people have written a recommendation for Luca
More activity by Luca
-
Last week, I had the pleasure to sit down with Patrick Gray and talk about what we've been up to at SlashID. Identity is the most important topic to…
Recommended by Luca Carettoni