Monday, May 28, 2007

Reflection on Stefano Di Paola

This week on Reflection we have Stefano Di Paola, who caught everyone's attention with his paper Subverting Ajax, which covered the Acrobat Reader plugin vulnerability and JavaScript prototype exploitation. Those of you who remember will recall the commotion on the WASC mailing list at the beginning of this year: tons of emails going back and forth about a vulnerability identified in the Acrobat Reader plugin that had the potential of infecting almost every website hosting PDF files (Universal XSS).

Stefano has released several advisories, including some that were patched but never publicly disclosed. He has also contributed to the OWASP Testing Guide and is the Research & Development Director of the OWASP Italian Chapter. Today he shares with us how he got started in web application security. In his own words:

“When I was 9 or 10 years old, I began to hack my 45 rpm portable record player in order to control the angular speed and play my childhood songs in a funnier way. Then I realized I didn't know how to remount my opened player, so I asked my parents to buy me another one with the promise not to break it again. I kept that promise… or at least for a while. A couple of years later I decided to hack my tape recorder and I succeeded in mixing voice recordings while playing music (my mother never knew I recorded my voice on her music tapes).

I started to practice computer security when I bought a 486 in 1997; I was a student at the Computer Engineering Faculty of the University of Florence. The first thing I read about hacking was about reverse engineering and cracking shareware software protections. It was quite fun, but when I managed to install my first Linux 2.0 on my PC, my approach and vision were about to change. I had already worked on Sun Solaris and AIX at the university, but Linux was my first Unix love. Researching and studying Linux configuration tutorials brought me to Phrack and "Smashing the Stack for Fun and Profit" by Aleph1. The first time I applied all the theory I had learned was when I urgently needed root privileges on an SGI workstation at the university while I was finishing my master's degree thesis. As the sysadmin was sick, I decided to get root by myself and accomplish my tasks. After a couple of days I warned the sysadmin about my privilege escalation and told him how to fix the issue.

It was in 1999 that I first stumbled upon, and was amazed by, the quantity of information about hacking old-style CGI web pages and search engines. Since a large number of web servers were on *nix OS flavors at that time, my background in Linux, Sun Solaris and AIX helped me a lot. I realized it was quite easy for me to find flaws in CGI scripts (most of all system execution vulnerabilities). As a consequence of my hacking research activity, I began to think about web application firewalls, but since it was the early days of web application security and no information on WAFs was available on the net, I gave up. It was in 2004 that I decided to work as a web application security consultant and released my first public advisory.

I worked as a freelancer in Italy from 2000 to early 2007, then I founded Minded Security (an application security company with the mission to build a Center of Excellence on web application security in order to provide high quality services).”

Based in Florence, Italy, Stefano is 35 years old and works as a freelance ICT security consultant and software architect for several companies and public institutions in Italy. Below is a list of his contributions to the webappsec community.

Universal Cross Site Scripting (Internet Magazine - Italy)

The Owasp Testing Guide (Hackin9)

Several sections in the Owasp Testing Guide v 2.0:
    XML Injection
    Xpath Injection
    LDAP Injection
    Mysql Injection
    Ajax Testing

Research & Development Director of Owasp Italian Chapter.

Tools written by him:-

PassBroker - a PHP extension that dispatches secrets which are often embedded in the clear inside PHP web pages (e.g. SQL username and password).

HMAUTH - HTML form authentication using HMAC.

Anti Tamper Module for Apache 2.0 - a tool that parses every outbound HTML page and adds a signature to every static link and to cookies, in order to prevent malicious users from tampering with GET parameters and cookies.

Rul-o-matic - a web agent that generates whitelist mod_security rules.
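The idea behind HMAUTH and the Anti Tamper Module above is the same one: the server keeps a secret, attaches an HMAC to what it hands to the browser (form fields, links, cookies), and refuses anything that comes back without a matching tag. The sketch below is an added example, not the code of either tool; it assumes a constructed server secret, a query parameter named `sig` for the link tag, and a sorted-parameter canonical form so that reordering parameters does not break the signature.

```python
import hmac
import hashlib
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample key: a real deployment loads it from server-side config,
# never from the page itself. SIG_PARAM is an assumed parameter name.
SECRET_KEY = b"constructed-example-key-do-not-reuse"
SIG_PARAM = "sig"
_HEX_TAG = re.compile(r"[0-9a-f]{64}")


def _mac(message: bytes) -> str:
    """HMAC-SHA256 of message under the server secret, as hex."""
    return hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()


def _canonical(path: str, pairs) -> bytes:
    """Path plus query with parameters sorted, so reordering does not change the MAC."""
    return (path + "?" + urlencode(sorted(pairs))).encode()


def sign_link(url: str) -> str:
    """Append sig=HMAC(path + sorted query) to a relative link."""
    parts = urlsplit(url)
    pairs = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != SIG_PARAM]  # drop any stale signature first
    pairs.append((SIG_PARAM, _mac(_canonical(parts.path, pairs))))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(pairs), parts.fragment))


def verify_link(url: str) -> bool:
    """True only if the request carries exactly one sig that matches its path and parameters."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    tags = [v for k, v in pairs if k == SIG_PARAM]
    if len(tags) != 1 or not _HEX_TAG.fullmatch(tags[0]):
        return False
    unsigned = [(k, v) for k, v in pairs if k != SIG_PARAM]
    expected = _mac(_canonical(parts.path, unsigned))
    return hmac.compare_digest(expected, tags[0])  # constant-time compare


def sign_cookie(name: str, value: str) -> str:
    """Cookie value becomes value.tag; the name is mixed in so a tag cannot be moved between cookies."""
    tag = _mac(f"{name}|{value}".encode())
    return f"{value}.{tag}"


def verify_cookie(name: str, signed: str):
    """Return the original value, or None if the cookie was altered or unsigned."""
    value, sep, tag = signed.rpartition(".")
    if not sep or not _HEX_TAG.fullmatch(tag):
        return None
    if not hmac.compare_digest(_mac(f"{name}|{value}".encode()), tag):
        return None
    return value


_HREF = re.compile(r'href="([^"]*)"')


def sign_html(page: str) -> str:
    """Rewrite every same-site href in an outbound page as a signed link; external links are left alone."""
    def _rewrite(m):
        url = m.group(1)
        parts = urlsplit(url)
        if parts.scheme or parts.netloc:
            return m.group(0)
        return f'href="{sign_link(url)}"'
    return _HREF.sub(_rewrite, page)


if __name__ == "__main__":
    # Constructed sample page and cookie.
    page = '<a href="/view.php?id=42&cat=news">news</a> <a href="http://example.org/">ext</a>'
    print(sign_html(page))
    c = sign_cookie("role", "user")
    print(c, verify_cookie("role", c), verify_cookie("role", c.replace("user", "admin", 1)))
```

Two design points matter in practice: the verifier must insist on exactly one tag (a second `sig` parameter must not be accepted as an alternative), and the comparison uses `hmac.compare_digest` rather than `==` so that the check does not leak timing information about the expected tag.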

Company working for:-

Co-founder of Minded Security.


Presentations:-

Web Security By Example - SMAU (Italy)

Subverting Ajax - 23rd CCC (Germany)

Ajax Security - Infosecurity (Italy)

Testing Flash Applications - 6th Owasp AppSec Conference (Italy)

Lectures (University of Florence):-

Secure Software Development Life Cycle (2007) - PhD Course, Faculty of Software Eng.

Web Developing Security (2005/2006) - Course of 'Databases', Faculty of Software Eng.


Advisories:-

Php RFC1867 Arbitrary File Upload (10/2004)

Php shmop safemode bypass and write to arbitrary locations (10/2004)

MySQL Server CREATE FUNCTION libc arbitrary code execution (03/2005)

MySQL Server CREATE FUNCTION mysql.func table arbitrary library injection (03/2005)

MySQL Server insecure temporary File Creation (03/2005)

MySQL Server COM_TABLE_DUMP Information Leakage and Arbitrary command execution (04/2006)

MySQL Server Anonymous Login Handshake Information Leakage (04/2006)

Acrobat Reader Plugin Multiple Vulnerabilities (01/2007)

Php import_req_var globals overwrite Advisory (03/2007)

IE and Firefox Digest Authentication Request Splitting (04/2007)


Education and certifications:-

Master's in Software Engineering (University of Florence)
Certified Lead Auditor ISO 27001.

Stefano recently presented a paper on Flash vulnerabilities at the OWASP Europe conference and is working on some new and interesting research ideas. Anyone in the webappsec community should definitely keep an eye on him.

Last Week – Ryan Barnett
Next Week – Saumil Shah
