Giancarlo Pellegrino

353 Serra Mall, Room 495
Stanford, CA 94305

Short bio:

I am currently a research group leader at CISPA and a visiting scholar at Stanford University. Prior to that, I was a postdoctoral researcher in the System Security research group at CISPA, Saarland University, Germany. I hold a Ph.D. in computer networks and security from Telecom ParisTech/EURECOM, France. During my doctoral studies, I was a member of the S3 group at EURECOM in Sophia-Antipolis (France) under the supervision of Assistant Professor Davide Balzarotti. Until August 2013, I worked as a Research Associate in the "Security and Trust" group at the SAP research laboratories in Sophia-Antipolis and Karlsruhe.

Research interests:

My main research interests include, but are not limited to, all aspects of web application security, in particular security testing (black- and white-box) and vulnerability analysis. My research has led to the discovery of a number of serious vulnerabilities in popular web applications, in Web core services, and in web-based security protocols (see SAML SSO Specs Errata).

Selected publications

A complete list is available here

  • The Rise of the Citizen Developer: Assessing the Security Impact of Online App Generators
    M. Oltrogge, E. Derr, C. Stransky, S. Bugiel, G. Pellegrino, C. Rossow, S. Fahl, Y. Acar, M. Backes
    39th IEEE Symposium on Security and Privacy, 2018 (IEEE S&P 2018)
    [pdf (soon)][slides (soon)]
  • Didn't You Hear Me? - Towards More Successful Web Vulnerability Notifications
    B. Stock, G. Pellegrino, F. Li, C. Rossow, M. Backes
    Network and Distributed System Security Symposium, 2018 (NDSS 2018)
    [pdf (soon)][slides (soon)]
  • Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs
    G. Pellegrino, M. Johns, S. Koch, M. Backes, C. Rossow
    24th ACM Conference on Computer and Communications Security, 2017 (CCS 2017)
    [pdf][slides (soon)][tool/src]
  • Who Controls the Internet? Analyzing Global Threats using Property Graph Traversals
    M. Simeonovski, G. Pellegrino, C. Rossow, M. Backes
    (to appear) 26th International World Wide Web Conference, 2017 (WWW 2017)
    [pdf][slides (soon)]
  • Uses and Abuses of Server-Side Requests
    G. Pellegrino, O. Catakoglu, D. Balzarotti, C. Rossow
    19th Research in Attacks, Intrusions and Defenses (RAID) Symposium (RAID 2016)
  • Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification
    B. Stock, G. Pellegrino, C. Rossow, M. Johns, M. Backes
    (to appear) 25th USENIX Security Symposium (USENIX Security 16)
  • jAEk: Using Dynamic Analysis to Crawl and Test Modern Web Applications
    G. Pellegrino, C. Tschuertz, E. Bodden, C. Rossow
    18th Research in Attacks, Intrusions and Defenses (RAID) Symposium (RAID 2015)
  • In the Compression Hornet's Nest: A Security Study of Data Compression in Network Services
    G. Pellegrino, D. Balzarotti, S. Winter, N. Suri
    24th USENIX Security Symposium (USENIX Security 15)
    [pdf][slides][lightning talk video]
  • Toward Black-Box Detection of Logic Flaws in Web Applications
    G. Pellegrino, D. Balzarotti
    Network and Distributed System Security Symposium, 2014 (NDSS 2014), San Diego, USA, February 23-25, 2014


Presentations and Talks

Professional activities

Vulnerability Discovery and Disclosure

A complete list is available here