Soheil Khodayari

⬤

About Me

Hi, welcome to my homepage. Here you can get to know me better :)

I'm a passionate Web security researcher committed to fortifying the online world. My expertise lies in application security, privacy, and automated testing (SAST/DAST/IAST). But that's not all! I'm also interested in browser-level security policies and Internet measurements. Join me on this electrifying journey as we secure the Web, one line of code at a time!

Want to know more? Check out my public projects on GitHub or my recent publications.
Publications

2023
- It's (DOM) Clobbering Time: Attack Techniques, Prevalence, and Defenses, 44th IEEE Symposium on Security and Privacy (S&P'23), CA, USA, May 23-26, 2023.
2022
- The State of the SameSite: Studying the Usage, Effectiveness, and Adequacy of SameSite Cookies, 43rd IEEE Symposium on Security and Privacy (S&P'22), CA, USA, May 22-26, 2022.
2021
- Where We Stand (or Fall): An Analysis of CSRF Defenses in Web Frameworks, 24th International Symposium on Research in Attacks, Intrusions and Defenses (RAID'21), San Sebastian, Spain, October 6-8, 2021.
- JAW: Studying Client-side CSRF with Hybrid Property Graphs and Declarative Traversals, 30th USENIX Security Symposium (USENIX Security'21), Virtual Event, August 2021.
2020
- Cross-Origin State Inference (COSI) Attacks: Leaking Website States through XS-Leaks, The Network and Distributed System Security Symposium (NDSS'20), San Diego, California, February 2020.
Community Services

- Program Committee
- Artifact Evaluation Committee
- Web Chair
- External Reviewer
  • IEEE S&P (2023, 2022)
  • Usenix Security (2022, 2021, 2020)
  • IEEE Euro S&P (2022, 2020)
  • ACSAC (2022, 2021)
  • WebConf (2021, 2020)
  • ACM TOSEM (2022)
  • Asia CCS (2022, 2020)
  • DIMVA (2020) [ Link]
- Hiring Committee
  • CISPA hiring committee 2020
Personal Projects

image
DOMC-BT is an open-source browser testing platform for DOM Clobbering. The repository also hosts an attack payload generation service and a wiki containing clobbering techniques and defenses.

image
TheThing is a static-dynamic security analysis tool for the detection of DOM clobbering vulnerabilities. TheThing can be used for analyzing the client-side of web applications.

image
SameSite-WIKI is an online service with all you need to about the adequacy and effectiveness of SameSite policies against XS attacks, like CSRF and XS-Leaks.

image
JAW is a hybrid, scalable framework to analyze client-side JavaScript programs for the detection of client-side CSRF vulnerabilities. JAW can be used to conduct interactive and exploratory analysis of JavaScript code.

image
Basta-COSI is a framework for detecting cross-site information leakage vulnerabilities (XS-Leaks). It is released as a part of the ElasTest Security Service (ESS).
Selected Talks

- It's (DOM) Clobbering Time: Attack Techniques, Prevalence, and Defenses
@IEEE S&P'23, San Francisco, May 2023.
- Everything You Wanted to Know About DOM Clobbering (But Were Afraid to Ask)
RuhrSec, Bochum, May 2023.
- TESTABLE: Testability Pattern-driven Web Application Security and Privacy Testing
@Projects to Policy Seminar, Brussels, June 2022.
- Everything You Wanted to Know About Client-side CSRF (But Were Afraid to Ask)
@OWASP AppSec EU, June 2022.
- The State of the SameSite: Studying the Usage, Effectiveness, and Adequacy of SameSite Cookies
@IEEE S&P'22, May 2022.
- Where We Stand (or Fall): An Analysis of CSRF Defenses in Web Frameworks
@RAID'21, Oct 2021.
- JAW: Studying Client-side CSRF with Hybrid Property Graphs and Declarative Traversals
@USENIX Security'21, Aug 2021.
- JAW: Client-side CSRF (extended version)
@Stanford SecLunch, Stanford University, Feb 2021.
- A Framework for Testing Web Applications for Cross-Origin State Inference (COSI) Attacks
@Polytechnic University of Madrid, June 2019.
- From Zero to Hero: Everthing about Nova and OpenStack Instance Migrations, IUST Cloud Computing Center
@University of Science and Technology, Tehran, Jan 2017.
- Mastering Web Development with Laravel 5, Hackathon Talk
@University of Science and Technology, Tehran, Feb 2016.
- Heuristic Search: Where We Try to Choose Smartly
@University of Science and Technology, Tehran, May 2014.
Education

- PhD on Computer Science, Saarland University, August 2019 - Present.
- Double MSc. on Computer Science, Polytecnic Univeristy of Madrid (UPM) and Technical University of Kaiserslautern (TUK), September 2017 - July 2019.
- BSc. on Software Engineering, Iran University of Science and Technology, September 2013 - July 2017.
Professional Experience

- [Aug 2019 - Present] Security Researcher @CISPA, Saarland. [ Webpage]
- [Sept. 2018 - Aug 2019] R&D Engineer @IMDEA Software, Madrid. [ Webpage]
- [Sept. 2018 - July 2019] Full Stack Web Developer, @Brooktec, Madrid. [ Webpage]
- [Feb. 2018 - Aug 2018] R&D Security Intern, @Fraunhoder IESE/AISEC, Kaiserslautern, Germany. [ Webpage]
- [Dec. 2016 - Aug 2017] OpenStack Engineer, @IUST Cloud Computer Center, Tehran. [ Webpage]
- [June 2014 - Dec 2016] Junior Software Developer, @Vesta Software, Tehran. [ Webpage]
Security Advisories

2023

- Made it to MSRC 2023 Q2 Leaderboard, Microsoft Security, July 2023 [ [Link]

- Reported XSS Vulnerability in Microsoft Azure (MSRC-79059 VULN-097970), Acknowledgement Entry: 31 May 2023 (3,000$ Bounty) [ Link]

- Created OWASP DOM Clobbering Prevention Cheat Sheet [ Link]

2022

- W3C proposal for an opt-in CSP / feature policy flag to disable DOM Clobbering [ Link]

- OWASP CheatsheetSeries: Contributions to CSRF and XS-Leaks cheat sheets [ Link 1] [ Link 2]

- Disclosed DOM Clobbering exploits for 44 popular websites, including:
  • GitHub, Trello, Fandom, Vimeo, TripAdvisor, OpenTable, WikiBooks and AliExpress [ Link]
  • Arbitrary client-side code execution, request forgery and open redirects

- DOMPurify sanitizer: added patch for DOM Clobbering protection via SANITIZE_NAMED_PROPS config [ Link]

2021

- Large-scale notification campaign to 11,418 websites with the assistance of the national CSIRT (Germany):
  • insecure usage of SameSite cookie policy that could lead to pervasive monitoring and isolation policy downgrades [ Link]
- Reported a widespread Single Sign-On IdP abuse to bypass SameSite cookies leveraging Lax+POST
  • Google, Facebook, Linkedin, GitHub, Microsoft, and VK [ Link]

- Disclosed RFC violations of SameSite cookie behaviours in same-site and cross-site request context to browser vendors [ Link]

- Reported multiple CSRFs by forging state-chaning POST and replaying GET requests
  • PayPal, IMDB, Fandom, iLovePDF, Mailchimp, Brilio, Pixiv, and Meetup [ Link]
- User deanonymization XS-Leaks in eight popular websites leveraging window properties and postMessage side-channel leaks
  • Blogger, Tumblr, Twitch, AliExpress, Office365, Tokopedia, Ebay, and SoundCloud [ Link]
- Disclosed SSC inter/intra page inconsistency security risks and misconfigurations to multiple high-profile websites:
  • GitHub, CNN, Yahoo, Office365, and Vimeo[ Link]

- Critical CSRF validation vulnerabilities in CakePHP (v4.0), Vert.x-Web (v4.0.1), and Play (v2.8.1) web frameworks [ Link]

2020

- Reported client-side CSRF vulnerabilities in seven stand-alone web applications of the Bitnami Catalog
  • Kibana, SuiteCRM, SugarCRM, Shopware, Odoo, Neos, and Modx [ Link]

- Reported reflected XSS vulnerability in Modx 2.7.3 [ Link]

2019

- Multiple XS-Leak attack vectors on 58 high-profile sites of the Alexa top 500, e.g,:
  • Imgur: User deanonymization XS-Leak [ Link]
  • Amazon: user state leakage via JS errors thrown on DOM window object and CSP violations [ Link]
  • HotCRP: reviewer deanonymization via events fired XS-Leak based on HTTP status code [ Link]
  • Linkedin: user deanonymization based on frame count and CSP violations XS-Leak [ Link]
  • Pinterest: SSO detection via CSP XS-Leak [ Link]
  • IMDB: deanonymize celebrity accounts via the URL account handle and the events XS-Leak [ Link]
Academic Service

- Advisor, CySec Projects, Saarland University.
  • Summer 2021, Multi-Container Crawling SaaS for Security Testing. [ Webpage]
  • Winter 2020/2021, Static Analysis and Detection of Client-side Vulnerabilities. [ Webpage]
  • Summer 2020, Studying the Robustness of Client-side HTML Sanitizers. [ Webpage]
- Advisor, BSc. Thesis, Detecting Client-Side XSS via Code Property Graphs, Saarland University, Summer 2021 [ Webpage]
- Advisor, Seminar, Joint Advances in Web Security, Saarland University.
  • Winter 2021/2022, Cross-Site Leaks and CSRF Topics. [ Webpage]
  • Winter 2019/2020, postMessage Communications in Web. [ Webpage]
- Web Chair, Secure Web Developments (Dr. Giancarlo Pellegrino), Saarland University.
- Teaching Assistant, Microprocessor and Assembly (Dr. Peyman Kabiri), Iran University Of Science and Technology
Volunteer Experience

- EMA Member, Erasmus Mundus Association, Germany, August 2017. [ Webpage]
- ACM Professional Member, Association for Computing Machinery, New York, October 2021.
[ Certificate] [ Webpage]
- Inspiring Career Talk, Great Leaders Trust Themselves...And You. @UPM, Madrid, Nov 2018.
[ Slides]
Honors, Grants & Awards

- Accomplished 2nd place at CSAW'23 Europe Applied Research Competition, Grenoble INP - Esisar, Valence, France, Nov 2023. [ Webpage]
- Distinguished paper award, IEEE S&P 2023, Sab Francisco, May 2022. [ Webpage]
- Best MSc. thesis award, EMSE, Polytechnic University of Madrid, 2019. [ Webpage]
- Been awarded the prestigious Erasmus Mundus scholarship for academic excellence, Italy, 2017. [ Webpage]
- Selected in IR2017 Special Talents Framework, Sharif University of Technology, Tehran, 2017. [ Webpage]
- Nominated, selected and awarded as an outstanding BSc. student of 2013-2017 for 4 consecutive years, Iran University of Science and Technology, Tehran, 2013-2017.
- Placed in top 1% of the highly competitive nation-wide university entrance exam, Tehran, 2013.