Andrea Valenza

Security Engineer @ Prima Assicurazioni, PhD
Confused Travolta

Simulating Negative Lookaheads in non-PCRE Engines

Negative lookaheads (and lookaround constructs in general) are an awesome feature in PCRE. For example, to match all instances of abc, but only those that are NOT followed by def, you can use the following regex: abc(?!def) However, some modern regex engines do not support lookaround constructs due to performance concerns. This is the case for the default regex engines in Go and Rust (for example, GitHub uses Rust, and so do its search features)....

March 23, 2023
"_Clever girl!_" - Robert Muldoon

Attacking the Attackers

The predator becomes the prey. When scanning with Metasploit Pro, your victim can counter with a XSS payload, and even take over your machine. Never trust your victim! UPDATE: our paper “Never Trust Your Victim: Weaponizing Vulnerabilities in Security Scanners” has been accepted at RAID 2020! Check out the full paper here. Metasploit Pro - XSS to RCE We see the targets of our scan as passive entities, and this leads to underestimating the risk of performing a network scan....

May 21, 2020

Fileless cURL to Chromium

Sometimes (expecially during CTFs) I need to display the result of a REALLY specific HTTP request that I made with cURL into Chromium. The naive and boring way of doing this would be something like this: curl -s https://avalz.it > /tmp/page.html chromium /tmp/page.html rm /tmp/page.html For some reason, I got stubborn on not creating that temporary file, which led to the mess you can see below. TL;DR curl -s URL | base64 -w 0 | xargs -i chromium "data:text/html;base64,{}" Breakdown The biggest issue is that chromium can’t open files from stdin, but only from URLs passed as argument....

March 8, 2019

Automatically trigger commands on source change

Sometimes, you need to write a source file and “compile” (as in “run a generic script on it”) each time you edit it, just to see the final result. On Ubuntu, you can use the inotifywait command to keep an eye on filesystem operations. sudo apt install inotify-tools You can create a simple bash file such as this: #!/bin/sh inotifywait -m . -e modify | while read path action file; do # Do something....

February 14, 2018

Security Challenges

a.k.a. “How the sausage gets made” Cyber security is being widely accepted by companies around the world as a mean for defending their precious data and try to find the best cyber security experts on the market. But HR often turns a blind eye on how security experts become good security experts: can you imagine a cop who’s not able to put himself in a thief’s shoes? Good security experts usually have a deep understanding on how an attack is carried out and they often have to try and attack their own systems to check for vulnerabilities....

February 3, 2017

Building pretty slides using Markdown and pandoc

Slides can be hard: you have to focus on content, then you have to make it pretty, add animations and stuff. If you are like me, you hate using your mouse (except for games), you have a horrible taste in design and you just want to write content and have it styled omakase. You probably use Beamer for slides, or something similar, but results may vary (see below). Then again, if you are like me, you probably like your Beamer default theme just fine, and that’s cool and everything, but other people might actually have some kind of taste and we (unfortunately) have to respect that when building our slides....

February 1, 2017

Debunking the mysql_real_escape_string myth

Are you sure that mysql_real_escape_string is enough to sanitize your input? (Spoiler: it’s not) From PHP Manual: string mysqli_real_escape_string ( mysqli $link , string $escapestr ) link Procedural style only: A link identifier returned by mysqli_connect() or mysqli_init() escapestr The string to be escaped. Characters encoded are NUL (0x00), \n, \r, \, ’, ", and SUB (Ctrl-Z or 0x1A) Despite what many believe, mysql_real_escape_string does not encode all MySQL special characters; it only encodes characters that may terminate a string....

June 23, 2016