Giancarlo Pellegrino

System Security Research Group
CISPA, Saarland University
Campus, Building E9.1, Room 3.06
66123 Saarbrücken

Short bio:

I am currently a postdoc in the System Security research group at CISPA, Saarland University, Germany. I hold a Ph.D. in computer and security from Telecom ParisTech/EURECOM, France. During my doctoral studies, I was a member of the S3 group at EURECOM in Sophia-Antipolis (France) under the supervision of Assistant Professor Davide Balzarotti. Until August 2013, I worked as a Research Associate in the "Security and Trust" group at the SAP research laboratories in Sophia-Antipolis and Karlsruhe.

Research interests:

My main research interests include, but are not limited to, all aspects of web application security, in particular security testing (black- and white-box) and vulnerability analysis. My research led to the discovery of a number of serious vulnerabilities in popular web applications, web core services, and web-based security protocols (see SAML SSO Specs Errata).

Selected publications

A complete list is available here

  • Uses and Abuses of Server-Side Requests
    G. Pellegrino, O. Catakoglu, D. Balzarotti, C. Rossow
    19th Research in Attacks, Intrusions and Defenses (RAID) Symposium (RAID 2016)
    [pdf][slides (soon)][tool/src (soon)]
  • Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification
    B. Stock, G. Pellegrino, C. Rossow, M. Johns, M. Backes
    (to appear) 25th USENIX Security Symposium (USENIX Security 16)
  • jAEk: Using Dynamic Analysis to Crawl and Test Modern Web Applications
    G. Pellegrino, C. Tschuertz, E. Bodden, C. Rossow
    18th Research in Attacks, Intrusions and Defenses (RAID) Symposium (RAID 2015)
  • In the Compression Hornet's Nest: A Security Study of Data Compression in Network Services
    G. Pellegrino, D. Balzarotti, S. Winter, N. Suri
    24th USENIX Security Symposium (USENIX Security 15)
    [pdf][slides][lightning talk video]
  • Cashing Out the Great Cannon? On Browser-Based DDoS Attacks and Economics
    G. Pellegrino, C. Rossow, F. J. Ryba, T. C. Schmidt, M. Waehlisch
    9th USENIX Workshop on Offensive Technologies (WOOT 15)
  • Toward Black-Box Detection of Logic Flaws in Web Applications
    G. Pellegrino, D. Balzarotti
    Network and Distributed System Security Symposium 2014 (NDSS 2014), San Diego, USA, February 23-25, 2014
  • An Authentication Flaw in Browser-based Single Sign-On Protocols: Impact and Remediations
    A. Armando, R. Carbone, L. Compagna, J. Cuéllar, G. Pellegrino, A. Sorniotti
    Computers & Security, 2013
  • A Tool for Supporting Developers in Analyzing the Security of Web-based Security Protocols
    G. Pellegrino, L. Compagna, T. Moreggia
    25th IFIP International Conference on Testing Software and Systems (ICTSS'13), Istanbul, Turkey, November 13-15, 2013
  • From Model-checking to Automated Testing of Security Protocols: Bridging the Gap
    A. Armando, G. Pellegrino, R. Carbone, A. Merlo, D. Balzarotti
    6th International Conference on Tests & Proofs (TAP 2012), Prague (Czech Republic), May 31 - June 1, 2012
Presentations and Talks

Professional activities

Vulnerability Discovery and Disclosure

A complete list is available here