About Me

I am Gaetano Perrone, a compiuter science passionate about software development, cybersecurity, and research.

💻 Development skills

I really love developing software, and I usually realize security tools for my work and researches. I have developed Docker Security Playground, a microservices-based framework for the study of Network Security and Penetration Test techniques.

Known programming languages:

• Python

  • Poetry
  • Typer
  • Flask
  • Django

• JavaScript (NodeJS for back-end)

  • NodeJS
  • Express
  • React
  • Angular

• Java

• C, C++

• Golang

• Ruby

Open-source projects

• DockerSecurityPlayground: Docker Security Playground is an application that allows you to manage and create intentionally virtualized container-based environments. Based on AngularJS and NodeJS.

• docker-js: A nodeJS CLI library to manage Docker containers and images.

• HOUDINI: a curated list of Network Security related Docker Images for Network Intrusion purposes. Front-end developed in React and Tailwind.

• python-cherrytree-generator: Cherry-tree is a wonderful tool used to take notes. It is commonly used during Penetration Testing activities. This project is a simple Python API that creates DTD cherry tree files (basically, XML files). It can be useful to use cherrytree in automation steps.

Community Contributions

In my past I have contributed to several open-source projects:

• OWASP-benchmark:

  • https://github.com/OWASP-Benchmark/BenchmarkUtils/pull/35
  • https://github.com/OWASP-Benchmark/BenchmarkUtils/pull/36

• CodeQL:

  • https://github.com/github/codeql/pull/10408

• tldr:

  • https://github.com/tldr-pages/tldr/pull/4179
  • https://github.com/tldr-pages/tldr/pull/4171

• EyeWitness:

  • https://github.com/RedSiege/EyeWitness/pull/475/commits

• XSSMap:

  • https://github.com/secdec/xssmap/pull/9

• docker_burp:

  • https://github.com/marco-lancini/docker_burp/pull/1

• arc-electron:

  • https://github.com/advanced-rest-client/arc-electron/pull/132

• Serpico:

  • https://github.com/SerpicoProject/Serpico/pull/372
  • https://github.com/SerpicoProject/Serpico/pull/365

🔼 Back to top

🛡️ Cybersecurity Skills

During my career, I have performed several Penetration testing and secure code review for Italian telco and banking companies.

Security Certifications

• Certified Information Systems Security Professional (CISSP)
• Offensive Security Web Expert (OSWE)
• Offensive Security Certified Expert (OSCE)
• Offensive Security Certified Professional (OSCP)
• AWS Security Specialty

CVEs

• CVE-2021-25080: Contact Form Entries < 1.1.7 – Unauthenticated Stored Cross-Site Scripting (WordPress)
• CVE-2021-25079: Multiple Reflected XSS in contact form entries plugin (WordPress)

Developed exploits

• EDB-ID-49338: WordPress Core 5.2.2 – post previews XSS
• EDB-ID-49327: WordPress Epsilon Framework Multiple Themes – Unauthenticated Function Injection
• EDB-ID-49237: Jenkins 2.235.3 - ’Description’ Stored XSS
• EDB-ID-49232: tooltip Stored Cross-Site Scripting

🔼 Back to top

🔎 Research path

I am passionate in any area related to network security, cloud computing, and software development research. I have achieved a Ph.D. in Information Technology and Electrical Engineering (ITEE) in 2022 but continue to conduct research in fuzzing, knowledge graph, and reinforcement learning domains to automate, formalize and increase the effectiveness of security testing approaches. Below a list of research works developed in my career.

2024

• Dirclustering: a semantic clustering approach to optimize website structure discovery during penetration testing

• Sniping at web applications to discover input-handling vulnerabilities

2023

• Including insider threats into risk management through Bayesian threat graph networks

• A Software-Defined Approach for Mitigating Insider and External Threats via Moving Target Defense

• Container-based virtualization for Ethical Hacking with HOUDINI

2022

• An automated approach to Web Offensive Security

• ExploitWP2Docker: a Platform for Automating the Generation of Vulnerable WordPress Environments for Cyber Ranges

• ThePhish: an automated phishing email analysis tool

2021

• Discovering reflected cross-site scripting vulnerabilities using a multiobjective reinforcement learning environment

2020

• Capturing flags in a dynamically deployed microservices-based heterogeneous environment

• Hacking Goals: A Goal-Centric Attack Classification Framework

2017

• The Docker Security Playground: A hands-on approach to the study of network security

🔼 Back to top