Want to know more? Check out my public projects on GitHub or my recent publications.
@IEEE S&P'23, San Francisco, May 2023.
RuhrSec, Bochum, May 2023.
@Projects to Policy Seminar, Brussels, June 2022.
@OWASP AppSec EU, June 2022.
@IEEE S&P'22, May 2022.
@USENIX Security'21, Aug 2021.
@Stanford SecLunch, Stanford University, Feb 2021.
@Polytechnic University of Madrid, June 2019.
@University of Science and Technology, Tehran, Jan 2017.
@University of Science and Technology, Tehran, Feb 2016.
@University of Science and Technology, Tehran, May 2014.
- IEEE S&P (2023, 2022)
- Usenix Security (2022, 2021, 2020)
- IEEE Euro S&P (2022, 2020)
- ACSAC (2022, 2021)
- WWW (2021, 2020)
- ACM TOSEM (2022)
- Asia CCS (2022, 2020)
- DIMVA (2020) [ Link]
- CISPA hiring committee 2020
- OWASP DOM Clobbering Prevention Cheat Sheet [ Link]
- W3C proposal for an opt-in CSP / feature policy flag to disable DOM Clobbering [ Link]
- OWASP CheatsheetSeries: Contributions to CSRF and XS-Leaks cheat sheets [ Link 1] [ Link 2]- Disclosed DOM Clobbering exploits for 44 popular websites, including:
- GitHub, Trello, Fandom, Vimeo, TripAdvisor, OpenTable, WikiBooks and AliExpress [ Link]
- Arbitrary client-side code execution, request forgery and open redirects
- DOMPurify sanitizer: patch to add DOM Clobbering protection via SANITIZE_NAMED_PROPS config [ Link]
2021- Large-scale notification campaign to 11,418 websites with the assistance of the national CSIRT (Germany):
- Google, Facebook, Linkedin, GitHub, Microsoft, and VK [ Link]
- Disclosed RFC violations of SameSite cookie behaviours in same-site and cross-site request context to browser vendors [ Link]- Reported multiple CSRFs by forging state-chaning POST and replaying GET requests
- PayPal, IMDB, Fandom, iLovePDF, Mailchimp, Brilio, Pixiv, and Meetup [ Link]
- Blogger, Tumblr, Twitch, AliExpress, Office365, Tokopedia, Ebay, and SoundCloud [ Link]
- GitHub, CNN, Yahoo, Office365, and Vimeo[ Link]
- Critical CSRF validation vulnerabilities in CakePHP (v4.0), Vert.x-Web (v4.0.1), and Play (v2.8.1) web frameworks [ Link]
2020- Reported client-side CSRF vulnerabilities in seven stand-alone web applications of the Bitnami Catalog
- Kibana, SuiteCRM, SugarCRM, Shopware, Odoo, Neos, and Modx [ Link]
- Reported reflected XSS vulnerability in Modx 2.7.3 [ Link]
2019- Multiple XS-Leak attack vectors on 58 high-profile sites of the Alexa top 500, e.g,:
- Imgur: User deanonymization XS-Leak [ Link]
- Amazon: user state leakage via JS errors thrown on DOM window object and CSP violations [ Link]
- HotCRP: reviewer deanonymization via events fired XS-Leak based on HTTP status code [ Link]
- Linkedin: user deanonymization based on frame count and CSP violations XS-Leak [ Link]
- Pinterest: SSO detection via CSP XS-Leak [ Link]
- IMDB: deanonymize celebrity accounts via the URL account handle and the events XS-Leak [ Link]
- Summer 2021, Multi-Container Crawling SaaS for Security Testing. [ Webpage]
- Winter 2020/2021, Static Analysis and Detection of Client-side Vulnerabilities. [ Webpage]
- Summer 2020, Studying the Robustness of Client-side HTML Sanitizers. [ Webpage]
- Winter 2021/2022, Cross-Site Leaks and CSRF Topics. [ Webpage]
- Winter 2019/2020, postMessage Communications in Web. [ Webpage]
- Summer 2022, Build-it, Break-it, Fix-it Competition [ Webpage]
- Summer 2020 [ Webpage]
- Winter 2017/2018 [ Webpage]
- Summer 2017 [ Webpage]
[ Certificate] [ Webpage]