Monday, May 28, 2007

Reflection on Stefano Di Paola



This week on Reflection we have Stefano Di Paola, who caught everyone's attention through his paper Subverting Ajax, which covered the Acrobat Reader plugin vulnerability and the JavaScript prototype exploit. Those of you who remember will recall there was a lot of commotion on the WASC mailing list at the beginning of this year: tons of emails going back and forth on a vulnerability identified in the Acrobat Reader plugin which had the potential of affecting almost all websites hosting PDF files (Universal XSS).

Stefano has released several advisories, including ones that were patched but not publicly disclosed. He has also contributed to the OWASP Testing Guide and is also the Research & Development Director of the OWASP Italian Chapter. Today he shares with us how he started with web application security. In his own words:


"When I was 9 or 10 years old, I began to hack my 45 rpm portable record player in order to control the angular speed and play with my childhood songs in a funnier way. Then I realized I didn't know how to remount my opened player, so I asked my parents to buy me another one with the promise to not break it again. I kept that promise… or at least for a while. A couple of years later I decided to hack my tape recorder and I succeeded in mixing voice recording while playing music (my mother never knew I recorded my voice on her music tapes).

I started to practice with computer security when I bought a 486 in 1997; I was a student at the Computer Engineering Faculty at the University of Florence. The first thing I read about hacking was about reverse engineering and cracking shareware software protections. It was quite funny, but when I managed to install my first Linux 2.0 on my PC, the approach and the vision were going to change inside me. I had already worked on Sun Solaris and AIX at the University, but Linux was my first Unix love. The research and the study about Linux configuration tutorials brought me to Phrack and "Smashing the Stack for Fun and Profit" by Aleph1. The first time I applied all the theory I had learned was when I urgently needed root privileges on an SGI Workstation at the university while I was finishing my master's degree thesis. As the sysadmin was sick I decided to get root by myself and accomplish my tasks. After a couple of days I warned the sysadmin about my privilege escalation and I told him how to fix the issue.

It was in 1999 the first time I stumbled upon http://www.fravia.org/ and I was amazed by the quantity of information about hacking old-style CGI web pages and search engines. Since a large number of web servers were on *nix OS flavors at that time, my background on Linux, Sun Solaris and AIX helped me a lot. I realized it was quite easy for me to find flaws in CGI scripts (most of all system execution vulnerabilities). As a consequence of my hacking research activity, I began to think about web application firewalls, but since it was the early days of web application security and no information on WAFs was available on the net, I gave up. But it was in 2004 that I decided to work as a web application security consultant and released my first public advisory.

I've been working as a freelancer in Italy from 2000 to early 2007; then I founded Minded Security (an Application Security Company with the mission to build a Center of Excellence on Web Application Security in order to give high quality services)."



Based out of Florence, Italy, Stefano is 35 years old and works as a freelance ICT security consultant and software architect for several companies and public institutions in Italy. Below is a list of his contributions to the webappsec community.



Articles:-

Universal Cross Site Scripting (Internet Magazine - Italy)
http://www.edmaster.it/?job=arretrati&id=3&op=sommario&num=113

The OWASP Testing Guide (Hakin9)
http://hakin9.org/

Several sections in the OWASP Testing Guide v2.0

XML Injection
http://www.owasp.org/index.php/Testing_for_XML_Injection

XPath Injection
http://www.owasp.org/index.php/Testing_for_XPath_Injection

LDAP Injection
http://www.owasp.org/index.php/Testing_for_LDAP_Injection

MySQL Injection
http://www.owasp.org/index.php/Testing_for_MySQL

Ajax Testing
http://www.owasp.org/index.php/Testing_for_AJAX


Memberships:-

Research & Development Director of the OWASP Italian Chapter.


Tools written by him:-

PassBroker - a PHP extension which dispatches secrets that are often embedded in the clear inside PHP web pages (i.e. SQL username and password).
http://www.wisec.it/projects.php?id=2

HMAUTH - HTML form authentication using HMAC
http://www.wisec.it/projects.php?id=1

Anti Tamper Module for Apache 2.0 - a module which parses every outbound HTML page and adds a signature to every static link and to cookies, in order to prevent malicious users from tampering with GET parameters and cookies.
http://www.wisec.it/projects.php?id=3

Rule-o-matic - a web agent for whitelist mod_security rule generation.
http://www.wisec.it/sectou.php?id=438064b3e5ea4
http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz


Company working for:-

Co-founder of Minded Security ( http://www.mindedsecurity.com/ ).


Email:-

stefano.dipaola_at_mindedsecurity_dot_com
stefano.dipaola_at_wisec_dot_it


Blog:-

http://www.wisec.it/


Website:-

http://www.wisec.it/
http://www.mindedsecurity.com/


Conferences:-

Web Security By Example - SMAU (Italy)
http://www.webb.it/event/eventview/4476/

Subverting Ajax - 23rd CCC (Germany)
http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf

Ajax Security - Infosecurity (Italy)
http://www.sikurezza.org/wiki/Risorse/I07FedonDiPaola

Testing Flash Applications - 6th OWASP AppSec Conference (Italy)
http://www.owasp.org/images/8/8c/OWASPAppSec2007Milan_TestingFlashApplications.ppt


Lectures (University of Florence):-

Secure Software Development Life Cycle (2007) - PhD Course, Faculty of Software Eng.

Web Developing Security (2005/2006) - Course of 'Databases', Faculty of Software Eng.


Advisories:-

PHP RFC1867 Arbitrary File Upload (10/2004)
http://www.wisec.it/vulns.php

PHP shmop safe_mode bypass and write to arbitrary locations (10/2004)
http://www.wisec.it/vulns.php

MySQL Server CREATE FUNCTION libc arbitrary code execution (03/2005)
http://www.wisec.it/vulns.php

MySQL Server CREATE FUNCTION mysql.func table arbitrary library injection (03/2005)
http://www.wisec.it/vulns.php

MySQL Server Insecure Temporary File Creation (03/2005)
http://www.wisec.it/vulns.php

MySQL Server COM_TABLE_DUMP Information Leakage and Arbitrary Command Execution (04/2006)
http://www.wisec.it/vulns.php?page=8

MySQL Server Anonymous Login Handshake Information Leakage (04/2006)
http://www.wisec.it/vulns.php?page=7

Acrobat Reader Plugin Multiple Vulnerabilities (01/2007)
http://www.wisec.it/vulns.php?page=9

PHP import_req_var globals overwrite Advisory (03/2007)
http://www.wisec.it/vulns.php?id=10

IE and Firefox Digest Authentication Request Splitting (04/2007)
http://www.wisec.it/vulns.php?id=11


Education:-

Master's in Software Engineering (University of Florence)
Certified Lead Auditor ISO 27001.


Stefano recently presented a paper on Flash vulnerabilities at the OWASP Europe conference and is also working on some new and interesting research ideas. Everyone in the webappsec community should definitely keep an eye on him.


Last Week – Ryan Barnett
Next Week – Saumil Shah
