About Me
Want to know more? Check out my public projects on GitHub or my recent publications.
Publications
Community Services
Personal Projects
Selected Talks
EPFL SuRI, Switzerland, July 2024.
@OWASP Global AppSec'24, Lisbon, June 2024.
@IEEE S&P'24, San Francisco, May 2024.
@IEEE S&P'23, San Francisco, May 2023.
RuhrSec, Bochum, May 2023.
@Projects to Policy Seminar, Brussels, June 2022.
@OWASP AppSec EU, June 2022.
@IEEE S&P'22, May 2022.
@USENIX Security'21, Aug 2021.
@Stanford SecLunch, Stanford University, Feb 2021.
@Polytechnic University of Madrid, June 2019.
@University of Science and Technology, Tehran, Jan 2017.
@University of Science and Technology, Tehran, Feb 2016.
@University of Science and Technology, Tehran, May 2014.
Education
Professional Experience
Security Advisories
2023
- Made it to the MSRC 2023 Q2 Leaderboard, Microsoft Security, July 2023 [ Link]
- Reported XSS vulnerability in Microsoft Azure (MSRC-79059 VULN-097970), Acknowledgement Entry: 31 May 2023 ($3,000 Bounty) [ Link]
- Created OWASP DOM Clobbering Prevention Cheat Sheet [ Link]
2022
- W3C proposal for an opt-in CSP / feature policy flag to disable DOM Clobbering [ Link]
- OWASP CheatsheetSeries: Contributions to CSRF and XS-Leaks cheat sheets [ Link 1] [ Link 2]
- Disclosed DOM Clobbering exploits for 44 popular websites, including:
  - GitHub, Trello, Fandom, Vimeo, TripAdvisor, OpenTable, WikiBooks and AliExpress [ Link]
  - Arbitrary client-side code execution, request forgery and open redirects
- DOMPurify sanitizer: added patch for DOM Clobbering protection via SANITIZE_NAMED_PROPS config [ Link]
2021
- Large-scale notification campaign to 11,418 websites with the assistance of the national CSIRT (Germany):
  - Insecure usage of SameSite cookie policy that could lead to pervasive monitoring and isolation policy downgrades [ Link]
  - Google, Facebook, LinkedIn, GitHub, Microsoft, and VK [ Link]
- Disclosed RFC violations of SameSite cookie behaviours in same-site and cross-site request context to browser vendors [ Link]
- Reported multiple CSRFs by forging state-changing POST requests and replaying GET requests:
  - PayPal, IMDB, Fandom, iLovePDF, Mailchimp, Brilio, Pixiv, and Meetup [ Link]
  - Blogger, Tumblr, Twitch, AliExpress, Office365, Tokopedia, eBay, and SoundCloud [ Link]
  - GitHub, CNN, Yahoo, Office365, and Vimeo [ Link]
- Critical CSRF validation vulnerabilities in CakePHP (v4.0), Vert.x-Web (v4.0.1), and Play (v2.8.1) web frameworks [ Link]
2020
- Reported client-side CSRF vulnerabilities in seven stand-alone web applications of the Bitnami Catalog:
  - Kibana, SuiteCRM, SugarCRM, Shopware, Odoo, Neos, and Modx [ Link]
- Reported reflected XSS vulnerability in Modx 2.7.3 [ Link]
2019
- Multiple XS-Leak attack vectors on 58 high-profile sites of the Alexa top 500, e.g.:
  - Imgur: user deanonymization XS-Leak [ Link]
  - Amazon: user state leakage via JS errors thrown on the DOM window object and CSP violations [ Link]
  - HotCRP: reviewer deanonymization via an events-fired XS-Leak based on HTTP status code [ Link]
  - LinkedIn: user deanonymization based on frame count and CSP violations XS-Leak [ Link]
  - Pinterest: SSO detection via CSP XS-Leak [ Link]
  - IMDB: deanonymize celebrity accounts via the URL account handle and the events XS-Leak [ Link]
Academic Service
- Summer 2021, Multi-Container Crawling SaaS for Security Testing. [ Webpage]
- Winter 2020/2021, Static Analysis and Detection of Client-side Vulnerabilities. [ Webpage]
- Summer 2020, Studying the Robustness of Client-side HTML Sanitizers. [ Webpage]
- Winter 2021/2022, Cross-Site Leaks and CSRF Topics. [ Webpage]
- Winter 2019/2020, postMessage Communications in Web. [ Webpage]
- Summer 2022, Build-it, Break-it, Fix-it Competition [ Webpage]
- Summer 2020 [ Webpage]
- Winter 2017/2018 [ Webpage]
- Summer 2017 [ Webpage]
Volunteer Experience
[ Certificate] [ Webpage]
[ Slides]