Want to know more? Check out my public projects on GitHub or my recent publications.
- IEEE S&P (2024)
- IEEE EuroS&P (2024)
- WebConf (2024)
- SecWeb (2023)
- Usenix Security 2023
- ACSAC 2022
- IEEE Euro S&P (2020)
- IEEE S&P (2023, 2022)
- Usenix Security (2022, 2021, 2020)
- IEEE Euro S&P (2022, 2020)
- ACSAC (2022, 2021)
- WebConf (2021, 2020)
- ACM TOSEM (2022)
- Asia CCS (2022, 2020)
- DIMVA (2020)
- CISPA hiring committee 2020
@IEEE S&P'23, San Francisco, May 2023.
RuhrSec, Bochum, May 2023.
@Projects to Policy Seminar, Brussels, June 2022.
@OWASP AppSec EU, June 2022.
@IEEE S&P'22, May 2022.
@RAID'21, Oct 2021.
@USENIX Security'21, Aug 2021.
@Stanford SecLunch, Stanford University, Feb 2021.
@Polytechnic University of Madrid, June 2019.
@University of Science and Technology, Tehran, Jan 2017.
@University of Science and Technology, Tehran, Feb 2016.
@University of Science and Technology, Tehran, May 2014.
- Made it to MSRC 2023 Q2 Leaderboard, Microsoft Security, July 2023
- Reported XSS Vulnerability in Microsoft Azure (MSRC-79059 VULN-097970), Acknowledgement Entry: 31 May 2023 ($3,000 Bounty)
- W3C proposal for an opt-in CSP / feature policy flag to disable DOM Clobbering
- OWASP CheatsheetSeries: Contributions to CSRF and XS-Leaks cheat sheets
- Disclosed DOM Clobbering exploits for 44 popular websites, including:
- GitHub, Trello, Fandom, Vimeo, TripAdvisor, OpenTable, WikiBooks and AliExpress
- Arbitrary client-side code execution, request forgery and open redirects
- DOMPurify sanitizer: added patch for DOM Clobbering protection via SANITIZE_NAMED_PROPS config
2021
- Large-scale notification campaign to 11,418 websites with the assistance of the national CSIRT (Germany):
- Google, Facebook, Linkedin, GitHub, Microsoft, and VK
- Disclosed RFC violations of SameSite cookie behaviours in same-site and cross-site request contexts to browser vendors
- Reported multiple CSRFs by forging state-changing POST requests and replaying GET requests
- PayPal, IMDB, Fandom, iLovePDF, Mailchimp, Brilio, Pixiv, and Meetup
- Blogger, Tumblr, Twitch, AliExpress, Office365, Tokopedia, Ebay, and SoundCloud
- GitHub, CNN, Yahoo, Office365, and Vimeo
- Critical CSRF validation vulnerabilities in CakePHP (v4.0), Vert.x-Web (v4.0.1), and Play (v2.8.1) web frameworks
2020
- Reported client-side CSRF vulnerabilities in seven stand-alone web applications of the Bitnami Catalog
- Kibana, SuiteCRM, SugarCRM, Shopware, Odoo, Neos, and Modx
- Reported reflected XSS vulnerability in Modx 2.7.3
2019
- Multiple XS-Leak attack vectors on 58 high-profile sites of the Alexa top 500, e.g.:
- Imgur: User deanonymization XS-Leak
- Amazon: user state leakage via JS errors thrown on DOM window object and CSP violations
- HotCRP: reviewer deanonymization via events fired XS-Leak based on HTTP status code
- Linkedin: user deanonymization based on frame count and CSP violations XS-Leak
- Pinterest: SSO detection via CSP XS-Leak
- IMDB: deanonymize celebrity accounts via the URL account handle and the events XS-Leak
- Summer 2021, Multi-Container Crawling SaaS for Security Testing.
- Winter 2020/2021, Static Analysis and Detection of Client-side Vulnerabilities.
- Summer 2020, Studying the Robustness of Client-side HTML Sanitizers.
- Winter 2021/2022, Cross-Site Leaks and CSRF Topics.
- Winter 2019/2020, postMessage Communications in Web.
- Winter 2017/2018
- Summer 2017