Date

  • 2017

About

In July 2017 I conducted a secure code review and produced a vulnerability assessment report for the Privacy Badger team, while volunteering for the EFF.

The Project

Privacy Badger is a browser add-on from the Electronic Frontier Foundation (EFF) that stops advertisers and other third-party trackers by blocking racking cookies that do not respect the "Do Not Track" setting in a user's web browser. Privacy Badger also uses a heuristic algorithm for deciding dinamically whether a third-party is tracking the user or not. In April 2017, the EFF announced that Privacy Badger had surpassed one million users.

Date

  • 2017

About

In collaboration with Under Security Group s.r.l. and Tervis s.r.l, I designed and coded an high availability and hardened web application acting as a C&C server, used by the surveillance centers to monitor the antitheft solutions status updates in real time and to act accordingly.

The Project

The specifications required a solution to prevent the surging use of mobile phone jammers: by constantly polling a specific API, we routinely check for the online status of the antitheft devices. If this check fails, the owner is alerted by phone call, SMS or email.

Date

  • 2016-now

About

JBZ is one of the few high-ranking Italian CTF teams, which gathers security-minded people from Italy. Members are students, professionals, academic researchers and infosec enthusiasts.

"Capture the Flag (CTF) is a special kind of information security competitions. CTF games often touch on many other aspects of information security: cryptography, stego, binary analysis, reverse engineering, web or mobile security and others. Good teams generally have strong skills and experience in all these issues."

The Team

Initially in 2014, me and Th3Zer0 founded the P=NP team of the University of Milan, the first academic CTF team of the "Computer Systems and Networks Security" course, ever. Then in 2016 we founded JBZ with others from the KNX community.

Date

  • 2016

About

I created the `detect_antivirus`​ module for the Browser Exploitation Framework Project (BeEF) to passively detect potential antiviruses installed on a target machine. Currently it supports Kaspersky, Avira, Avast (ASW), BitDefender, Nortona, and Dr. Web.

The Project

Nowadays, many antivirus software come with a browser extension bundled, or even whole custom browsers. By analyzing the user agent, the CSS classes or the JS injected, we can determine the AV solution installed by the user and even its version in some cases.

About

jsClean is an unpacker/deobfuscator for Javascript sources. This Node.js script combines several deobfuscation techniques, even relocating the strings array in the input source (a common obfuscation) to improve the readability for reverse engineering purposes.

The Project

While analyzing a compromised website source, I stumbled upon some sketchy obfuscated Javascript. The most common unpackers (matthewfl's, dean.edwards, jsunpack) couldn't relocate the strings array in the input source, so I wrote a script to do that after formatting it with js-beautify.

Date

  • 2015

About

The Open Source Security Hub (OSSH) idea came up after the local OWASP chapter raised the need for a system aiming at bringing together security experts and projects in need. I quickly realized I could help out by building it as a project for my mobile- and web-programming course at the university. Taking the example of many platforms focused on crowdsourced security (Bugcrowd, HackerOne, Crowdcurity, Synack) I opted to develop a framework to make the process simple and intuitive.

The Project

You can find more details about OSSH in the project page. Currently the project is on hold.