Soheil Khodayari

About Me

Welcome to my homepage. Here you can get to know me better :)
Projects

DOMC-BT is an open-source browser testing platform for DOM Clobbering. The repository also hosts an attack payload generation service and a wiki with all you need to know about DOM Clobbering, including clobbering techniques, payloads, and defenses.

TheThing is a static-dynamic security analysis tool for the detection of DOM clobbering vulnerabilities. TheThing can be used for analyzing the client-side of web applications.

SameSite-WIKI is an online service with all you need to know about the adequacy and effectiveness of SameSite cookie policies against cross-site (XS) attacks, such as CSRF and XS-Leaks.

JAW is a hybrid, scalable framework to analyze client-side JavaScript programs for the detection of client-side CSRF vulnerabilities. JAW can be used to conduct interactive and exploratory analysis of JavaScript code.

Basta-COSI is a framework for detecting cross-site information leakage vulnerabilities (XS-Leaks). It is released as a part of the ElasTest Security Service (ESS).
Talks

- Everything You Wanted to Know About Client-side CSRF (But Were Afraid to Ask), @OWASP AppSec, June 2022.
- The State of the SameSite: Studying the Usage, Effectiveness, and Adequacy of SameSite Cookies, @IEEE S&P'22, May 2022.
- Where We Stand (or Fall): An Analysis of CSRF Defenses in Web Frameworks, @RAID'21, October 2021.
- JAW: Studying Client-side CSRF with Hybrid Property Graphs and Declarative Traversals, @USENIX Security'21, August 2021.
- JAW: Studying Client-side CSRF with Hybrid Property Graphs and Declarative Traversals (extended version), @Stanford SecLunch, Stanford University, February 2021.
- A Framework for Testing Web Applications for Cross-Origin State Inference (COSI) Attacks, @Universidad Politécnica de Madrid, June 2019.
Publications

2023
- It's (DOM) Clobbering Time: Attack Techniques, Prevalence, and Defenses, To appear at 44th IEEE Symposium on Security and Privacy (S&P'23), CA, USA, May 23-26, 2023.
2022
- The State of the SameSite: Studying the Usage, Effectiveness, and Adequacy of SameSite Cookies, 43rd IEEE Symposium on Security and Privacy (S&P'22), CA, USA, May 22-26, 2022.
2021
- Where We Stand (or Fall): An Analysis of CSRF Defenses in Web Frameworks, 24th International Symposium on Research in Attacks, Intrusions and Defenses (RAID'21), San Sebastian, Spain, October 6-8, 2021.
- JAW: Studying Client-side CSRF with Hybrid Property Graphs and Declarative Traversals, 30th USENIX Security Symposium (USENIX Security'21), Virtual Event, August 2021.
2020
- Cross-Origin State Inference (COSI) Attacks: Leaking Website States through XS-Leaks, The Network and Distributed System Security Symposium (NDSS'20), San Diego, California, February 2020.
Education

- PhD in Computer Science, Saarland University, August 2019 - Present.
- Double MSc. in Computer Science, Polytechnic University of Madrid (UPM) and Technical University of Kaiserslautern (TUK), September 2017 - July 2019.
- BSc. in Software Engineering, Iran University of Science and Technology, September 2013 - July 2017.
Professional Experience

- [Aug 2019 - Present] Security Researcher @CISPA, Saarland. [Webpage]
- [Sept. 2018 - Aug 2019] R&D Engineer @IMDEA Software, Madrid. [Webpage]
- [Sept. 2018 - July 2019] Full Stack Web Developer @Brooktec, Madrid. [Webpage]
- [June 2015 - May 2017] Junior Software Developer @Vesta Software, Tehran. [Webpage]
Volunteer Experience

- EMA Member, Erasmus Mundus Association, August 2017, Germany. [Webpage]
- Invited Talk, Great Leaders Trust Themselves...And You. @UPM, Madrid, November 2018. [Slides]
Academic Service

- Web Chair of 5th IEEE European Symposium on Security and Privacy, Sept 2020. [Webpage]
- Artifact Evaluation Committee
- External Reviewer
  • Usenix Security 2022
  • S&P 2022
  • ACSAC 2022
  • ACM TOSEM 2022
  • Euro S&P 2022
  • Asia CCS 2022
  • Usenix Security 2021
  • WWW 2021
  • ACSAC 2021
  • Asia CCS 2020
  • WWW 2020
  • Usenix Security 2020
  • Euro S&P 2020
  • DIMVA 2020 [Link]
Teaching

- Teaching Assistant, Secure Web Developments (Dr. Giancarlo Pellegrino), Saarland University.
- Advisor, CySec Projects, Saarland University.
  • Summer 2021, Multi-Container Crawling SaaS for Security Testing. [Webpage]
  • Winter 2020/2021, Static Analysis and Detection of Client-side Vulnerabilities. [Webpage]
  • Summer 2020, Studying the Robustness of Client-side HTML Sanitizers. [Webpage]
- Advisor, BSc. Thesis, Detecting Client-Side XSS via Code Property Graphs, Saarland University, Summer 2021. [Webpage]
- Advisor, Seminar, Joint Advances in Web Security, Saarland University.
  • Winter 2021/2022, Cross-Site Leaks and CSRF Topics. [Webpage]
  • Winter 2019/2020, postMessage Communications in the Web. [Webpage]
- Teaching Assistant, Microprocessor and Assembly (Dr. Peyman Kabiri), Iran University of Science and Technology.
Honors, Grants & Awards

- Best MSc. Thesis Award, EMSE, Polytechnic University of Madrid, 2019. [Webpage]
- Awarded the prestigious Erasmus Mundus EMSE scholarship for academic excellence, Italy, 2017. [Webpage]
- Nominated, selected and awarded as an outstanding BSc. student for 4 consecutive years, 2013-2017 (ranked 2nd among all students), Iran University of Science and Technology, Tehran, 2013-2017.
- Placed in the top 1% of the nation-wide University Entrance Exam, Tehran, 2013.
© Copyright 2021, Soheil Khodayari