Soheil Khodayari

2024

- The Great Request Robbery: An Empirical Study of Client-side Request Hijacking Vulnerabilities on the Web, 45th IEEE Symposium on Security and Privacy (S&P'24), CA, USA, May 20-23, 2024.

2023

- It's (DOM) Clobbering Time: Attack Techniques, Prevalence, and Defenses, 44th IEEE Symposium on Security and Privacy (S&P'23), CA, USA, May 23-26, 2023.

2022

- The State of the SameSite: Studying the Usage, Effectiveness, and Adequacy of SameSite Cookies, 43rd IEEE Symposium on Security and Privacy (S&P'22), CA, USA, May 22-26, 2022.

2021

- Where We Stand (or Fall): An Analysis of CSRF Defenses in Web Frameworks, 24th International Symposium on Research in Attacks, Intrusions and Defenses (RAID'21), San Sebastian, Spain, October 6-8, 2021.

- JAW: Studying Client-side CSRF with Hybrid Property Graphs and Declarative Traversals, 30th USENIX Security Symposium (USENIX Security'21), Virtual Event, August 2021.

2020

- Cross-Origin State Inference (COSI) Attacks: Leaking Website States through XS-Leaks, The Network and Distributed System Security Symposium (NDSS'20), San Diego, California, February 2020.

- Program Committee

• IEEE S&P (2025) [ Link]
• CCS (2024) [ Link]
• IEEE S&P (2024) [ Link]
• IEEE EuroS&P (2024) [ Link]
• WebConf (2024) [ Link]
• SecWeb (2023) [ Link]

- Artifact Evaluation Committee

• Usenix Security 2023 [ Link]
• ACSAC 2022 [ Link]

- Web Chair

• IEEE Euro S&P (2020) [ link]

- External Reviewer

• IEEE S&P (2023, 2022)
• Usenix Security (2022, 2021, 2020)
• IEEE Euro S&P (2022, 2020)
• ACSAC (2022, 2021)
• WebConf (2021, 2020)
• ACM TOSEM (2022)
• Asia CCS (2022, 2020)
• DIMVA (2020) [ Link]

- Hiring Committee

• CISPA hiring committee 2020

- Security Testing at Scale: Studying Emerging Client-side Vulnerabilities in the Modern Web
EPFL SuRI, Switzerland, July 2024.

- In the Same Site We Trust: Navigating the Landscape of Client-side Request Hijacking on the Web
@OWASP Global AppSec'24, Lisbon, June 2024.

- The Great Request Robbery: An Empirical Study of Client-side Request Hijacking Vulnerabilities on the Web
@IEEE S&P'24, San Francisco, May 2024.

- It's (DOM) Clobbering Time: Attack Techniques, Prevalence, and Defenses
@IEEE S&P'23, San Francisco, May 2023.

- Everything You Wanted to Know About DOM Clobbering (But Were Afraid to Ask)
RuhrSec, Bochum, May 2023.

- TESTABLE: Testability Pattern-driven Web Application Security and Privacy Testing
@Projects to Policy Seminar, Brussels, June 2022.

- Everything You Wanted to Know About Client-side CSRF (But Were Afraid to Ask)
@OWASP AppSec EU, June 2022.

- The State of the SameSite: Studying the Usage, Effectiveness, and Adequacy of SameSite Cookies
@IEEE S&P'22, May 2022.

- Where We Stand (or Fall): An Analysis of CSRF Defenses in Web Frameworks
@RAID'21, Oct 2021.

- JAW: Studying Client-side CSRF with Hybrid Property Graphs and Declarative Traversals
@USENIX Security'21, Aug 2021.

- JAW: Client-side CSRF (extended version)
@Stanford SecLunch, Stanford University, Feb 2021.

- A Framework for Testing Web Applications for Cross-Origin State Inference (COSI) Attacks
@Polytechnic University of Madrid, June 2019.

- From Zero to Hero: Everthing about Nova and OpenStack Instance Migrations, IUST Cloud Computing Center
@University of Science and Technology, Tehran, Jan 2017.

- Mastering Web Development with Laravel 5, Hackathon Talk
@University of Science and Technology, Tehran, Feb 2016.

- Heuristic Search: Where We Try to Choose Smartly
@University of Science and Technology, Tehran, May 2014.

- [Aug 2019 - Present] Security Researcher @CISPA, Saarland. [ Webpage]

- [Sept. 2018 - Aug 2019] R&D Engineer @IMDEA Software, Madrid. [ Webpage]

- [Sept. 2018 - July 2019] Full Stack Web Developer, @Brooktec, Madrid. [ Webpage]

2023

- Made it to MSRC 2023 Q2 Leaderboard, Microsoft Security, July 2023 [ [Link]

- Reported XSS Vulnerability in Microsoft Azure (MSRC-79059 VULN-097970), Acknowledgement Entry: 31 May 2023 (3,000$ Bounty) [ Link]

- Created OWASP DOM Clobbering Prevention Cheat Sheet [ Link]

2022

- W3C proposal for an opt-in CSP / feature policy flag to disable DOM Clobbering [ Link]

- OWASP CheatsheetSeries: Contributions to CSRF and XS-Leaks cheat sheets [ Link 1] [ Link 2]

- Disclosed DOM Clobbering exploits for 44 popular websites, including:

• GitHub, Trello, Fandom, Vimeo, TripAdvisor, OpenTable, WikiBooks and AliExpress [ Link]
• Arbitrary client-side code execution, request forgery and open redirects

- DOMPurify sanitizer: added patch for DOM Clobbering protection via SANITIZE_NAMED_PROPS config [ Link]

2021

- Large-scale notification campaign to 11,418 websites with the assistance of the national CSIRT (Germany):

• insecure usage of SameSite cookie policy that could lead to pervasive monitoring and isolation policy downgrades [ Link]

- Reported a widespread Single Sign-On IdP abuse to bypass SameSite cookies leveraging Lax+POST

• Google, Facebook, Linkedin, GitHub, Microsoft, and VK [ Link]

- Disclosed RFC violations of SameSite cookie behaviours in same-site and cross-site request context to browser vendors [ Link]

- Reported multiple CSRFs by forging state-chaning POST and replaying GET requests

• PayPal, IMDB, Fandom, iLovePDF, Mailchimp, Brilio, Pixiv, and Meetup [ Link]

- User deanonymization XS-Leaks in eight popular websites leveraging window properties and postMessage side-channel leaks

• Blogger, Tumblr, Twitch, AliExpress, Office365, Tokopedia, Ebay, and SoundCloud [ Link]

- Disclosed SSC inter/intra page inconsistency security risks and misconfigurations to multiple high-profile websites:

• GitHub, CNN, Yahoo, Office365, and Vimeo[ Link]

- Critical CSRF validation vulnerabilities in CakePHP (v4.0), Vert.x-Web (v4.0.1), and Play (v2.8.1) web frameworks [ Link]

2020

- Reported client-side CSRF vulnerabilities in seven stand-alone web applications of the Bitnami Catalog

• Kibana, SuiteCRM, SugarCRM, Shopware, Odoo, Neos, and Modx [ Link]

- Reported reflected XSS vulnerability in Modx 2.7.3 [ Link]

2019

- Multiple XS-Leak attack vectors on 58 high-profile sites of the Alexa top 500, e.g,:

• Imgur: User deanonymization XS-Leak [ Link]
• Amazon: user state leakage via JS errors thrown on DOM window object and CSP violations [ Link]
• HotCRP: reviewer deanonymization via events fired XS-Leak based on HTTP status code [ Link]
• Linkedin: user deanonymization based on frame count and CSP violations XS-Leak [ Link]
• Pinterest: SSO detection via CSP XS-Leak [ Link]
• IMDB: deanonymize celebrity accounts via the URL account handle and the events XS-Leak [ Link]

- Advisor, CySec Projects, Saarland University.

• Summer 2021, Multi-Container Crawling SaaS for Security Testing. [ Webpage]
• Winter 2020/2021, Static Analysis and Detection of Client-side Vulnerabilities. [ Webpage]
• Summer 2020, Studying the Robustness of Client-side HTML Sanitizers. [ Webpage]

- Advisor, BSc. Thesis, Detecting Client-Side XSS via Code Property Graphs, Saarland University, Summer 2021 [ Webpage]

- Advisor, Seminar, Joint Advances in Web Security, Saarland University.

• Winter 2021/2022, Cross-Site Leaks and CSRF Topics. [ Webpage]
• Winter 2019/2020, postMessage Communications in Web. [ Webpage]

- Web Chair, Secure Web Developments (Dr. Giancarlo Pellegrino), Saarland University.

• Summer 2022, Build-it, Break-it, Fix-it Competition [ Webpage]
• Summer 2020 [ Webpage]

- Teaching Assistant, Microprocessor and Assembly (Dr. Peyman Kabiri), Iran University Of Science and Technology

• Winter 2017/2018 [ Webpage]
• Summer 2017 [ Webpage]

- EMA Member, Erasmus Mundus Association, Germany, August 2017. [ Webpage]

- ACM Professional Member, Association for Computing Machinery, New York, October 2021.
[ Certificate] [ Webpage]

- Distinguished paper award, IEEE S&P 2024, Sab Francisco, May 2024. [ Webpage]

- Accomplished 2nd place at CSAW'23 Europe Applied Research Competition, Grenoble INP - Esisar, Valence, France, Nov 2023. [ Webpage]

- Distinguished paper award, IEEE S&P 2023, Sab Francisco, May 2023. [ Webpage]

- Best MSc. thesis award, EMSE, Polytechnic University of Madrid, 2019. [ Webpage]

- Been awarded the prestigious Erasmus Mundus scholarship for academic excellence, Italy, 2017. [ Webpage]

- Selected in IR2017 Special Talents Framework, Sharif University of Technology, Tehran, 2017. [ Webpage]

- Nominated, selected and awarded as an outstanding BSc. student of 2013-2017 for 4 consecutive years, Iran University of Science and Technology, Tehran, 2013-2017.

- Placed in top 1% of the highly competitive nation-wide university entrance exam, Tehran, 2013.