Babak AminAzad

PhD Candidate at Stony Brook University

Contact

Web Security

Penetration Testing -
PHP Static/Dynamic Analysis -

Courses

Machine Learning -
Data Science -

Bots & Automation

Browser & bot automation -
Analysis of anti-bot mechanisms -

Mobile Security

Android Mobile Application Penetration Testing -
Mobile Malware Analysis -
Malware Detection & Sandboxing -
iOS 3rd Party Market Analysis -

About Me

I’m currently a PhD student in PragSec Lab at Stony Brook University. I work under the supervision of Professor Nikiforakis, aiming uncover vulnerabilities and practices, that make the web insecure. More specifically, my research goal is to make web applications safer, by reducing their attack surface through software debloating. I incorporate static and dynamic analysis techniques to identify unused features in web applications and remove them. In my prior work, I have showed that this method of attack surface reduction is highly effective in removing exploitable vulnerabilities from web applications. I make parsers, code analyzers and symbolic execution engines. Orthogonally to my work on attack surface reduction, I study malicious bots on the internet devising ways to protect websites against them by differentiating their traffic from regular user traffic. I will be on the job market from the January of 2023.

Talks & Publications

  • Catching Transparent Phish: Understanding and Detecting MITM Phishing Kits
    Boston University Security Camp
    August, 2022
  • Mitigating MITM Phishing Toolkit Attacks that Bypass MFA (video)
    I2 Online
    June, 2022
  • The Droid is in the Details: Environment-aware Evasion of Android Sandboxes
    Brian Kondracki, Babak Amin Azad, Najmeh Miramirkhani, and Nick Nikiforakis
    Network and Distributed System Security Symposium 2022
    February, 2022
  • Catching Transparent Phish: Analyzing and Detecting MITM Phishing Toolkits
    Brian Kondracki, Babak Amin Azad, Oleksii Starov, and Nick Nikiforakis
    CSAW '21 Finalist (3rd place)
    ACM CCS 2021
    November, 2021
  • Good Bot, Bad Bot: Characterizing Automated Browsing Activity
    Xigao Li, Babak Amin Azad, Amir Rahmati, and Nick Nikiforakis
    IEEE Symposium on Security and Privacy (S&P) 2021
    May, 2021
  • Less is More: Introducing an Automated Debloating Pipeline based on Dynamic Web Application Usage (Artifacts)
    TPCP Software Security Summer School (SSSS '20)
    August, 2020
  • Web Runner 2049: Evaluating Third-Party Anti-bot Services (video)
    Babak Amin Azad, Oleksii Starov, Pierre Laperdrix, and Nick Nikiforakis
    DIMVA 2020 (Won Best Video Presentation Award)
    July, 2020
  • Taming The Shape Shifter: Detecting Anti-fingerprinting Browsers (video)
    Babak Amin Azad, Oleksii Starov, Pierre Laperdrix, and Nick Nikiforakis
    DIMVA 2020
    July, 2020
  • Less is More: Web Application Attack Surface Reduction Through Software Debloating (video)
    Georgia Tech Cybersecurity Lecture Series
    April, 2020
  • Gas What? I can see you GasPots. Studying the fingerprintability of ICS honeypots in the wild
    Mohammad-Reza Zamiri-Gourabi, Ali Razmjoo Qalaei, Babak Amin Azad
    ACSAC 2019, Puerto Rico, USA
    December, 2019
  • Less is More: Quantifying the Security Benefits of Debloating Web Applications
    OWASP Global AppSec 2019, Washington, D.C, USA
    September, 2019
  • Less is More: Quantifying the Security Benefits of Debloating Web Applications (video)
    Babak Amin Azad, Pierre Laperdrix, and Nick Nikiforakis
    USENIX Security ’19, Santa Clara, CA, USA
    August, 2019
  • Fingerprinting users on the web. The good, the bad and the ugly.
    P0SCON 2018 Conference, Urmia University of Technology
    August, 2018
  • Penetration Testing Methods for Android Applications
    1st Offseconf Conference, Khaje Nasir Toosi University
    November, 2016
  • Ransomware Threats and Mitigation Techniques
    5th Annual Conference on E-Banking and Payment Systems
    January, 2016

Service

Reviewer for Transactions on the Web Journal (2021)
OWASP Global AppSec San Francisco 2020 Review Committee
Usenix Security 2020 Artifact Evaluation Committee
IEEE S&P'20 Poster Review Committee
External Reviewer at MADWeb 2020
External Reviewer at DIMVA'19
IEEE S&P 2020 Shadow PC
IMC 2019, Shadow PC
NECCDC 2020 Proctor

EDUCATION AND EXPERIENCE

Work Experience

Software Engineer Intern.

Cloudflare ( San Fransisco, US ) 2021 - 2021
I worked with the Bot Management team at Cloudflare as an intern for the summer of 2021. My focus was to build fingerprinting methods for emerging web protocols to detect bot traffic.

Software Engineer Intern.

Cloudflare ( San Fransisco, US ) 2020 - 2020
I worked with the Bot Management team at Cloudflare as an intern for the summer of 2020. My focus was on bots that target Cloudflare. I implemented a scalable red teaming platform that automated bot attacks against the Bot Management platform.

Research Assistant

PragSec Lab, Stony Brook University ( Stony Brook, NY, USA ) 2018 - Present

Teaching Assistant

Stony Brook University ( Stony Brook, NY, USA ) 2017 - 2018

Cyber Security Analyst, Incident Response Team

Kashef Banking Security Governance ( Tehran, Iran ) 2014 - 2016
Website Monitoring and Deface Detection Service:
In this project an application was developed to monitor national banks’ websites and alert the CSIRT team if a downtime or a deface takes place. Important features of this application includes:
  • Monitoring Script addition to the page
  • Monitoring redirection to another domain
  • Checking for addition of specific words to pages
  • Checking for change in the HTML source of website greater than a predefined threshold
  • Monitoring DNS records status
  • Monitoring WHOIS entry changes and expiration
  • Integration with Qualys SSL Labs to produce reports about SSL configuration
Banking Websites’ SSL Configuration Report and Hardening Guide:
This project spanned over 35 national banks’ internet banking websites, SSL protocol configuration of these sites was studied, factors like security against SSL vulnerabilities (Heartbleed, POODLE, FREAK, LogJam etc.), certificate signature algorithm and cipher suites negotiated with clients were taken into consideration and a hardening report was delivered to their admins to address the issues.
Mobile Banking Software Security Report and Secure Android Development Guide:
The android version of mobile banking applications of 35 national banks was studied, features like secure software distribution, frequent updates, tamper detection and integrity verification, secure communication channel to the server, cryptographic protocols, insecure data storage and presence of source code protection was tested, during this study several high impact vulnerabilities were found and reported. Lastly, a secure android development guide was produced to address common pitfalls in applications tested during this study.

Freelance Web Developer

Ontech Solutions ltd., United Kingdom (Remote) ( United Kingdom ) 2013 - 2016
Our task at Ontech was to upgrade a legacy, windows based sector specific ERP software to a multi user, web based application, this was a web development project but due to abundance of features it had, the design and implementation of it was quite a challenge.

PhD in Computer Science

Stony Brook University ( Stony Brook, NY, US ) 2017 - 2022 (Expected)

BSc in Software Engineering

Shahid Beheshti University ( Tehran, Iran ) 2010 - 2015

Create in 2022 | Resume CV WordPress Plugin by wpamanuke