Giancarlo Pellegrino

System Security Research Group
CISPA, Saarland University
Campus, Building E9.1, Room 3.06
66123 Saarbrücken

Short bio:

I am currently a research group leader at CISPA and I was selected for the CISPA-Stanford Center for Cybersecurity. Prior to that, I was a postdoctoral researcher in the System Security research group at CISPA, Saarland University, Germany. I hold a Ph.D. in computer network and security from Telecom ParisTech/EURECOM, France. During my doctoral studies, I was a member of the S3 group at EURECOM in Sophia-Antipolis (France) under the supervision of Assistant Professor Davide Balzarotti. Until August 2013, I worked as a Research Associate in the "Security and Trust" group at the SAP research laboratories in Sophia-Antipolis and Karlsruhe.

Research interests:

My main research interests include, but are not limited to, all aspects of web application security, in particular security testing (black-box and white-box) and vulnerability analysis. My research has led to the discovery of a number of serious vulnerabilities in popular web applications, core web services, and web-based security protocols (see SAML SSO Specs Errata).

Selected publications

A complete list is available here

  • Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs
    G. Pellegrino, M. Johns, S. Koch, M. Backes, C. Rossow
    24th ACM Conference on Computer and Communications Security, 2017 (CCS 2017)
    [pdf][slides (soon)][tool/src]
  • Who Controls the Internet? Analyzing Global Threats using Property Graph Traversals
    M. Simeonovski, G. Pellegrino, C. Rossow, M. Backes
    (to appear) 26th International World Wide Web Conference, 2017 (WWW 2017)
    [pdf][slides (soon)]
  • Uses and Abuses of Server-Side Requests
    G. Pellegrino, O. Catakoglu, D. Balzarotti, C. Rossow
    19th Research in Attacks, Intrusions and Defenses (RAID) Symposium (RAID 2016)
  • Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification
    B. Stock, G. Pellegrino, C. Rossow, M. Johns, M. Backes
    (to appear) 25th USENIX Security Symposium (USENIX Security 16)
  • jAEk: Using Dynamic Analysis to Crawl and Test Modern Web Applications
    G. Pellegrino, C. Tschuertz, E. Bodden, C. Rossow
    18th Research in Attacks, Intrusions and Defenses (RAID) Symposium (RAID 2015)
  • In the Compression Hornet's Nest: A Security Study of Data Compression in Network Services
    G. Pellegrino, D. Balzarotti, S. Winter, N. Suri
    24th USENIX Security Symposium (USENIX Security 15)
    [pdf][slides][lightning talk video]
  • Cashing Out the Great Cannon? On Browser-Based DDoS Attacks and Economics
    G. Pellegrino, C. Rossow, F. J. Ryba, T. C. Schmidt, M. Waehlisch
    9th USENIX Workshop on Offensive Technologies (WOOT 15)
  • Toward Black-Box Detection of Logic Flaws in Web Applications
    G. Pellegrino, D. Balzarotti
    Network and Distributed System Security Symposium 2014 (NDSS 2014), San Diego, USA, February 23-25, 2014

Presentations and Talks

Professional activities

Vulnerability Discovery and Disclosure

A complete list is available here