Prof. Dr. Martin Johns
Email: mj at martinjohns dot com
Tel: +49 - (0)531-391-7466
Fax: +49 - (0)531-391-8111
Office Address
TU Braunschweig
Institute for Application Security
Mühlenpfordtstr. 23
38106 Braunschweig, Germany
Publications
- Malte Wessels, Simon Koch, Giancarlo Pellegrino, Martin Johns: SSRF vs Developers: A Study of SSRF-Defenses in PHP Applications in 33rd USENIX Security Symposium (Usenix Sec'24), August 2024 (to appear)
- Robin Kirchner, Jonas Möller, Marius Musch, David Klein, Konrad Rieck, Martin Johns: Dancer in the Dark: Synthesizing and Evaluating Polyglots for Blind Cross-Site Scripting in 33rd USENIX Security Symposium (Usenix Sec'24), August 2024 (to appear)
- Robin Kirchner, Simon Koch, Noah Kamangar, David Klein, Martin Johns: A Black-Box Privacy Analysis of Messaging Service Providers’ Chat Message Processing in Proceedings on Privacy Enhancing Technologies (PoPETS'24), July 2024 (to appear)
- Soumaya Boussaha, Lukas Hock, Miguel Bermejo, Ruben Cuevas Rumin, Angel Cuevas Rumin, David Klein, Martin Johns, Luca Compagna, Daniele Antonioli, Thomas Barber: FP-tracer: Fine-grained Browser Fingerprinting Detection via Taint-tracking and Multi-level Entropy-based Thresholds in Proceedings on Privacy Enhancing Technologies (PoPETS'24), July 2024 (to appear)
- David Klein, Martin Johns: Parse Me, Baby, One More Time: Bypassing HTML Sanitizer via Parsing Differentials in 45th IEEE Symposium on Security and Privacy (IEEE S&P'24), May 2024 (pdf)
- Simon Koch, David Klein, Martin Johns: The Fault in Our Stars: An Analysis of GitHub Stars as an Importance Metric for Web Source Code in Workshop on Measurements, Attacks, and Defenses for the Web (MadWeb'24), February 2024 (pdf)
- David Klein, Benny Rolle, Thomas Barber, Manuel Karl, Martin Johns: General Data Protection Runtime: Enforcing Transparent GDPR Compliance for Existing Applications in 30th ACM Conference on Computer and Communications Security (CCS'23), November 2023 (pdf, bib)
- Simon Koch, Benjamin Altpeter, Martin Johns: The OK is not enough: Large Scale Study of Consent Dialogs in Smartphone Applications in 32nd USENIX Security Symposium (Usenix Sec'23), August 2023 (pdf, bib)
- Samuel Groß, Simon Koch, Lukas Bernhard, Thorsten Holz, Martin Johns: FUZZILLI: Fuzzing for JavaScript JIT Compiler Vulnerabilities in Network and Distributed Systems Security Symposium (NDSS'23), February 2023 (pdf, bib)
- David Klein, Marius Musch, Thomas Barber, Moritz Kopmann, Martin Johns: Accept All Exploits: Exploring the Security Impact of Cookie Banners in 37th Annual Computer Security Applications Conference (ACSAC'22), December 2022 (pdf, bib)
- Manuel Karl, Marius Musch, Guoli Ma, Martin Johns, Sebastian Lekies: No Keys to the Kingdom Required: A Comprehensive Investigation of Missing Authentication Vulnerabilities in the Wild in 22nd Internet Measurement Conference (IMC'22), October 2022 (pdf, bib)
- Simon Koch, Malte Wessels, Benjamin Altpeter, Madita Olvermann, Martin Johns: Keeping Privacy Labels Honest: Developer conformity to self declared data collection via Apple Privacy Labels in Proceedings on Privacy Enhancing Technologies (PoPETS'22), July 2022 (pdf, bib)
- David Klein, Thomas Barber, Souphiane Bensalim, Ben Stock, Martin Johns: Hand Sanitizers in the Wild: A Large-scale Study of Custom JavaScript Sanitizer Functions in 7th IEEE European Symposium on Security and Privacy (EuroSP'22), June 2022 (pdf, bib)
- Marius Musch, Robin Kirchner, Max Boll, and Martin Johns: Server-Side Browsers: Exploring the Web’s Hidden Attack Surface in Proc. of the 17th ACM Asia Conference on Computer and Communications Security (AsiaCCS'22), May 2022 (pdf, bib)
- Marius Musch, Martin Johns: U Can’t Debug This: Detecting JavaScript Anti-Debugging Techniques in the Wild in 30th USENIX Security Symposium (Usenix Sec'21), August 2021 (pdf, bib)
- Alexandra Dirksen, David Klein, Robert Michael, Tilman Stehr, Konrad Rieck, Martin Johns: LogPicker: Strengthening Certificate Transparency Against Covert Adversaries in Proceedings on Privacy Enhancing Technologies (PoPETS'21), July 2021 (pdf, bib)
- Souphiane Bensalim, David Klein, Thomas Barber, Martin Johns: Talking About My Generation: Targeted DOM-based XSS Exploit Generation using Dynamic Data Flow Analysis in Proceedings of the 14th European Workshop on Systems Security (EuroSec'21), April 2021 (pdf, bib)
- Marius Steffens, Marius Musch, Martin Johns, Ben Stock: Who’s Hosting the Block Party? Studying Third-Party Blockage of CSP and SRI in Network and Distributed Systems Security Symposium (NDSS 21), February 2021 (pdf, bib)
- Martin Johns, Alexandra Dirksen: Towards Enabling Secure Web-based Cloud Services using Client-side Encryption in ACM Workshop on Cloud Computing Security (CCSW'20), 2020 (pdf, bib)
- Erwin Quiring, David Klein, Daniel Arp, Martin Johns, Konrad Rieck: Adversarial Preprocessing: Understanding and Preventing Image-Scaling Attacks in Machine Learning in 29th USENIX Security Symposium (Usenix Sec 20), August 2020 (pdf, bib)
- Simon Koch, Tim Sauer, Martin Johns, Giancarlo Pellegrino: Raccoon: Automated Verification of Guarded Race Conditions in Web Applications in 35th ACM/SIGAPP Symposium on Applied Computing (ACM SAC 20), March 2020 (pdf, bib)
- Florian D. Loch, Martin Johns, Martin Hecker, Martin Mohr, Gregor Snelting: Hybrid Taint Analysis for Java EE in 35th ACM/SIGAPP Symposium on Applied Computing (ACM SAC 20), March 2020 (pdf, bib)
- Marius Musch, Christian Wressnegger, Martin Johns, Konrad Rieck: Thieves in the Browser: Web-based Cryptojacking in the Wild in 14th Int. Conference on Availability, Reliability and Security (ARES 19), August 2019 (pdf, bib)
- Marius Musch, Marius Steffens, Sebastian Roth, Ben Stock, and Martin Johns: ScriptProtect: Mitigating Unsafe Third-Party JavaScript Practices, in ACM Asia Conference on Computer and Communications Security (ASIACCS’19), July 2019 (pdf).
- Marius Musch, Christian Wressnegger, Martin Johns, Konrad Rieck: New Kid on the Web: A Study on the Prevalence of WebAssembly in the Wild in 16th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA '19), June 2019 (pdf, bib)
- Marius Steffens, Christian Rossow, Martin Johns, Ben Stock: Don’t Trust The Locals: Investigating the Prevalence of Persistent Client-Side Cross-Site Scripting in the Wild, in Network and Distributed System Security Symposium (NDSS'19), February 2019 (pdf)
- Marius Musch, Martin Härterich, Martin Johns: Towards an Automatic Generation of Low-Interaction Web Application Honeypots, in 13th Int. Conference on Availability, Reliability and Security (ARES'18), 2018 (pdf).
- Sebastian Lekies, Krzysztof Kotowicz, Samuel Groß, Eduardo Vela, Martin Johns: Code-reuse attacks for the Web: Breaking Cross-Site Scripting Mitigations via Script Gadgets, in 24th ACM Conference on Computer and Communications Security, 2017 (CCS 2017), November 2017 (pdf)
- Giancarlo Pellegrino, Martin Johns, Simon Koch, Michael Backes, Christian Rossow: Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs, in 24th ACM Conference on Computer and Communications Security, 2017 (CCS 2017), November 2017 (pdf)
- Ben Stock, Martin Johns, Marius Steffens and Michael Backes: How the Web Tangled Itself: Uncovering the History of Client-Side Web (In)Security, in 26th USENIX Security Symposium (USENIX Security '17), August 2017 (pdf)
- Michael Felderer, Mathias Büchler, Martin Johns, Achim Brucker, Ruth Breu, Alexander Pretschner: Security Testing: A Survey, in Ali Hurson, Atif Memon, editors: Advances in Computers, Vol 101, ADCOM, UK: Academic Press, 2016, pp. 1-51.
- Ben Stock, Giancarlo Pellegrino, Christian Rossow, Martin Johns and Michael Backes: Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification, in 25th USENIX Security Symposium (USENIX Security '16), August 2016 (pdf)
- Willem De Groef, Deepak Subramanian, Martin Johns, Frank Piessens and Lieven Desmet: Ensuring Endpoint Authenticity in WebRTC Peer-to-peer Communication, in 31st ACM/SIGAPP Symposium on Applied Computing (SAC 2016), April 2016 (pdf).
- Ben Stock, Stephan Pfistner, Bernd Kaiser, Sebastian Lekies and Martin Johns: From Facepalm to Brain Bender: Exploring Client-Side Cross-Site Scripting, in 22nd ACM Conference on Computer and Communications Security (ACM CCS'15), October 2015 (pdf).
- Sebastian Lekies, Ben Stock, Martin Wenzel and Martin Johns: The Unexpected Dangers of Dynamic JavaScript, in 24th USENIX Security Symposium (USENIX Security '15), August 2015 (pdf).
- Bastian Braun, Korbinian Pauli, Joachim Posegga and Martin Johns. LogSec: Adaptive Protection for the Wild Wild Web, in 30th ACM/SIGAPP Symposium on Applied Computing (SAC 2015), April 2015.
- Ben Stock, Sebastian Lekies, Tobias Mueller, Patrick Spiegel and Martin Johns: Precise Client-side Protection against DOM-based Cross-Site Scripting, in 23rd USENIX Symposium (USENIX Security '14), August 2014 (pdf).
- Martin Johns: Script-Templates for the Content Security Policy, Journal of Information Security and Applications, Volume 19 Issue 3, Elsevier, July 2014 (pdf).
- Bastian Braun, Johannes Köstler, Joachim Posegga and Martin Johns: A Trusted UI for the Mobile Web, in 29th IFIP International Information Security and Privacy Conference (IFIP SEC 2014), June 2014 (pdf).
- Ben Stock, Martin Johns: Protecting Users Against XSS-based Password Manager Abuse, in 9th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2014), June 2014 (pdf).
- Ben Stock, Sebastian Lekies, Martin Johns: DOM-basiertes Cross-Site Scripting im Web: Reise in ein unerforschtes Land [English: DOM-based Cross-Site Scripting on the Web: Journey into an Unexplored Land], in 6th conference on "Sicherheit, Schutz und Zuverlässigkeit" (GI Sicherheit'14), Lecture Notes in Informatics (LNI), March 2014.
- Bastian Braun, Martin Johns, Johannes Köstler, and Joachim Posegga. PhishSafe: Leveraging Modern JavaScript APIs for Transparent and Robust Protection. In Fourth ACM Conference on Data and Application Security and Privacy (ACM CODASPY 2014), March 2014 (pdf).
- Sebastian Lekies, Ben Stock, Martin Johns: 25 Million Flows Later - Large-scale Detection of DOM-based XSS, in 20th ACM Conference on Computer and Communications Security (ACM CCS'13), November 2013 (pdf)
- Martin Johns, Sebastian Lekies: Tamper-resistant LikeJacking Protection, in 16th International Symposium on Research in Attacks, Intrusions and Defenses (RAID'13), October 2013 (pdf)
- Martin Johns, Sebastian Lekies, Ben Stock: Eradicating DNS Rebinding with the Extended Same-Origin Policy, in 22nd USENIX Security Symposium (USENIX Security '13), August 2013 (pdf)
- Martin Johns: PreparedJS: Secure Script-Templates for JavaScript, in 10th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA '13), July 2013 (pdf)
- Martin Johns, Sebastian Lekies, Bastian Braun, and Benjamin Flesch: BetterAuth: Web Authentication Revisited, in 28th Annual Computer Security Applications Conference (ACSAC '12), December 2012 (pdf)
- Sebastian Lekies, Nick Nikiforakis, Walter Tighzert, Frank Piessens, and Martin Johns: DEMACRO: Defense against Malicious Cross-domain Requests. In 15th International Symposium on Research in Attacks, Intrusions and Defenses (RAID'12), September 2012 (pdf)
- Bastian Braun, Stefan Kucher, Martin Johns, and Joachim Posegga: A User-level Authentication Scheme to Mitigate Web Session-Based Vulnerabilities. In 9th International Conference on Trust, Privacy, and Security in Digital Business (TrustBus '12), September 2012
- Sebastian Lekies, Mario Heiderich, Dennis Appelt, Thorsten Holz, and Martin Johns: On the fragility and limitations of current Browser-provided Clickjacking protection schemes, in 6th USENIX Workshop on Offensive Technologies (WOOT '12), August 2012 (pdf)
- Sebastian Lekies and Martin Johns: Lightweight Integrity Protection for Web Storage Content Caching. In 6th Workshop on Web 2.0 Security and Privacy (W2SP 2012), May 2012 (pdf)
- Martin Johns: HTML5-Security - Sicherer Umgang mit den neuen JavaScript APIs [English: HTML5 Security - Secure Handling of the New JavaScript APIs]. In Datenschutz und Datensicherheit, 36(4): 231-235, April 2012
- Anke Weidlich, Harald Vogt, Wolfgang Krauss, Patrik Spiess, Marek Jawurek, Martin Johns, and Stamatis Karnouskos: Decentralized intelligence in energy efficient power systems. In A. Sorokin et al., editors, Handbook of networks in power systems, ISBN 978-3-642-23192-6, Springer, 2012
- Sebastian Lekies, Walter Tighzert, Martin Johns: Towards stateless, client-side driven Cross-Site Request Forgery protection for Web applications, in 5th conference on "Sicherheit, Schutz und Zuverlässigkeit" (GI Sicherheit 2012), Lecture Notes in Informatics (LNI), March 2012 (pdf)
- Marek Jawurek, Martin Johns, and Konrad Rieck: Smart Metering De-Pseudonymization, in 27th Annual Computer Security Applications Conference (ACSAC 2011), December 2011 (pdf)
- Martin Johns, Sebastian Lekies: Biting the Hand That Serves You: A closer look at client-side Flash proxies for cross-domain requests. In 8th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2011), July 2011 (pdf)
- Marek Jawurek, Martin Johns, Florian Kerschbaum: Plug-in privacy for Smart Metering billing. In 11th Privacy Enhancing Technologies Symposium (PETS 2011), July 2011 (pdf)
- Martin Johns: Code-injection Vulnerabilities in Web Applications - Exemplified at Cross-site Scripting. it - Information Technology 53(5): 256-259, May 2011 (pdf)
- Sebastian Lekies, Martin Johns, Walter Tighzert: The State of the Cross-domain Nation. In 5th workshop on Web 2.0 Security and Privacy (W2SP 2011), May 2011 (pdf)
- Nick Nikiforakis, Wouter Joosen, Martin Johns: Abusing Locality in Shared Web Hosting. In 4th European Workshop on System Security (EUROSEC'11), April 2011 (pdf)
- Martin Johns, Moritz Jodeit: Scanstud: A Methodology for Systematic, Fine-grained Evaluation of Static Analysis Tools, in Second International Workshop on Security Testing (SECTEST'11), March 2011 (pdf)
- Martin Johns, Bastian Braun, Michael Schrank, Joachim Posegga: Reliable Protection Against Session Fixation Attacks, 26th ACM Symposium on Applied Computing (SAC 2011), Security Track, March 2011 (pdf)
- Nick Nikiforakis, Wannes Meert, Yves Younan, Martin Johns, Wouter Joosen: SessionShield: Lightweight Protection against Session Hijacking, in 3rd International Symposium on Engineering Secure Software and Systems (ESSoS '11), February 2011 (pdf)
- Moritz Jodeit, Martin Johns: USB Device Drivers: A Stepping Stone into your Kernel, in 6th European Conference on Computer Network Defense (EC2ND 2010), October 2010 (pdf)
- Marek Jawurek, Martin Johns: Security Challenges of a Changing Energy Landscape. in Information Security Solutions Europe (ISSE 2010), Vieweg Verlag, October 2010 (pdf)
- Michael Schrank, Bastian Braun, Martin Johns, Joachim Posegga: Session Fixation - the Forgotten Vulnerability?, in 5th conference on "Sicherheit, Schutz und Zuverlässigkeit" (GI Sicherheit 2010), Lecture Notes in Informatics (LNI), October 2010 (pdf)
- Martin Johns, Christian Beyerlein, Rosemaria Giesecke, Joachim Posegga: Secure Code Generation for Web Applications, in 2nd International Symposium on Engineering Secure Software and Systems (ESSoS '10), LNCS 5965, pages 96 - 113, Springer, February 2010 (pdf)
- Martin Johns, Bjoern Engelmann, Joachim Posegga: XSSDS: Server-side detection of cross-site scripting attacks. In 24th Annual Computer Security Applications Conference (ACSAC '08), pp. 335 - 344, IEEE Computer Society, December 2008 (pdf)
- Martin Johns: On JavaScript Malware and related threats - Web page based attacks revisited. In Journal in Computer Virology, Volume 4, Number 3, pp. 161 - 178, Springer Paris, August 2008 (doi, pdf)
- Martin Johns, Daniel Schreckling: Automatisierter Code-Audit - Sicherheitsanalyse von Source Code in Theorie und Praxis [English: Automated Code Audit - Security Analysis of Source Code in Theory and Practice]. In Datenschutz und Datensicherheit - DuD, Volume 31, Number 12, Vieweg Verlag, pp. 888-893, December 2007 (doi)
- Martin Johns, Justus Winter: Protecting the Intranet Against "JavaScript Malware" and Related Attacks. In Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2007), Springer, LNCS 4579, pp. 40-59, July 2007 (pdf)
- Martin Johns, Christian Beyerlein: SMask: Preventing Injection Attacks in Web Applications by Approximating Automatic Data/Code Separation. In 22nd ACM Symposium on Applied Computing (SAC 2007), Security Track, March 2007 (pdf)
- Martin Johns: SessionSafe: Implementing XSS Immune Session Handling. In European Symposium on Research in Computer Security (ESORICS 2006), Springer, LNCS 4189, pp. 444-460, September 2006 (pdf)
- Martin Johns, Justus Winter: RequestRodeo: Client Side Protection against Session Riding. In Proceedings of the OWASP Europe 2006 Conference, Report CW448, Departement Computerwetenschappen, KU Leuven, May 2006 (pdf)
- Martin Johns: Pseudonyme Biometrik - Ein signaturbasierter Ansatz [English: Pseudonymous Biometrics - A Signature-based Approach] in Biometrics and Electronic Signatures (BIOSIG 2003), Lecture Notes in Informatics (LNI), P-31, July 2003 (paper)
- Martin Johns, Nick Nikiforakis, Melanie Volkamer, John Wilander: Web Application Security (Dagstuhl Seminar 18321). Dagstuhl Reports 8(8): 1-17 (2018)
- Alexandra Dirksen, Sebastian Gajek, Martin Johns, Robert Michael: Pretty Good Facebook Privacy - Securing users against a curious platform, Poster, 2nd IEEE European Symposium on Security and Privacy, 2017.
- Ben Stock, Giancarlo Pellegrino, Christian Rossow, Martin Johns, Michael Backes: Mapping the Landscape of Large-Scale Vulnerability Notifications, Poster, ACM CCS 2016.
- Philippe De Ryck, Lieven Desmet, Frank Piessens and Martin Johns: Primer on Client-Side Web Security, Book, Briefs in Computer Science, Springer, December 2014
- Lieven Desmet, Martin Johns, Benjamin Livshits, Andrei Sabelfeld: Web Application Security (Dagstuhl Seminar 12401). Dagstuhl Reports 2(10): 1-37, 2012 (pdf)
- Martin Johns and Joachim Posegga: WebSand: Server-Driven Outbound Web-Application Sandboxing. In 9th International Conference on Trust, Privacy, and Security in Digital Business (TrustBus'12), September 2012 (pdf)
- Martin Johns: Code-injection Verwundbarkeiten in Web Anwendungen am Beispiel von Cross-site Scripting [English: Code Injection Vulnerabilities in Web Applications, Exemplified by Cross-site Scripting]. In Ausgezeichnete Informatikdissertationen 2010 [Outstanding Computer Science Dissertations 2010], Lecture Notes in Informatics (LNI), Bonner Köllen Verlag, Darmstadt, Germany, 2010 (pdf)
- Martin Johns: Session Hijacking Attacks. In the second edition of Encyclopedia of Cryptography and Security, Springer, 2010.
- Isabel Thomas, Anke Weidlich, Martin Johns: IT-Gestützte Geschäftsprozesse in zukünftigen E-Mobility Szenarien [English: IT-supported Business Processes in Future E-Mobility Scenarios]. In VDE Kongress 2010 - E-Mobility, ISBN 978-3-8007-3304-0, Germany, 2010
- Dan Boneh, Ulfar Erlingsson, Martin Johns, and Benjamin Livshits: Dagstuhl Seminar 09141: Web Application Security (Executive summary), Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, Germany, 2009 (pdf)
- Martin Johns: Kirk und Eine Hamburger Nacht [English: Kirk and a Hamburg Night]. In Me, Making Funny Faces, Luftschacht Verlag, ISBN 978-3-902373-50-2, Vienna, 2009
- Martin Johns: A First Approach to Counter "JavaScript Malware" In Proceedings of the 23rd Chaos Communication Congress, Verlag Art d'Ameublement, Bielefeld, ISBN 978-3-934-63605-7, pages 160 - 167, December 2006 (pdf)
- Martin Johns: Code Injection Vulnerabilities in Web Applications - Exemplified at Cross-site Scripting, PhD Thesis, University of Passau, Germany, July 2009 (pdf).
- Martin Johns: Anwendung von Wavelets für die biometrische Authentikation [English: Application of Wavelets for Biometric Authentication], Diploma (Master's) Thesis, University of Hamburg, Germany, February 2003 (pdf)
Talks
- "Eavesdropping on WebRTC Communication with Funny Cat Pictures", Ruhrsec, 29 April 2016, Bochum, Germany
- "Your Scripts in My Page - What Could Possibly Go Wrong?" (with Ben Stock and Sebastian Lekies), Black Hat Europe, 12 November 2015, Amsterdam, Netherlands
- "Protecting your Web Application with Content Security Policy (CSP)", lightning training at OWASP AppSec USA, 24 September 2015, San Francisco, USA
- "WebRTC, Or How Secure Is P2P Browser Communication?" (with Lieven Desmet), OWASP AppSec EU, 21 May 2015, Amsterdam, Netherlands
- "Client-side protection against DOM-based XSS done right (tm)" (with Sebastian Lekies and Ben Stock), Black Hat Asia, 16 March 2015, Singapore (pdf)
- "Session Identifier Are For Now, Passwords Are Forever - XSS-Based Abuse Of Browser Password Managers" (with Sebastian Lekies and Ben Stock), Black Hat Europe, 16 October 2014, Amsterdam, Netherlands
- "Call To Arms: A Tale Of The Weaknesses Of Current Client-Side XSS Filtering" (with Sebastian Lekies and Ben Stock), Black Hat Briefings, 6 August 2014, Las Vegas, USA
- "25 Million Flows Later – Large-scale Detection of DOM-based XSS" (with Sebastian Lekies and Ben Stock), OWASP AppSec EU 2014, 26 June 2014, Cambridge, UK
- "Web Application Security", invited tutorial at the 6th International Symposium on Engineering Secure Software and Systems (ESSoS 2014), February 26th, 2014, Munich, Germany
- "Relax Everybody: HTML5 Is Securer Than You Think", talk at the RSA Conference Europe'13, October 29-31 2013, Amsterdam, Netherlands
- "Towards Server-driven Web Security", invited talk at the Intel Research Conference (ERIC 2012), 23 October 2012, Barcelona, Spain
- "Web Security – Are we there yet?", keynote at the 2nd Dagstuhl Seminar on Web Application Security, 1 October 2012, Schloss Dagstuhl, Germany
- "Clickjacking Protection Under Non-trivial Circumstances" and "Got Your Nose" (with Sebastian Lekies, Mario Heiderich, and Thorsten Holz), talks at the "WWWTF" Caro Workshop 2012, May 14-15 2012, Munich, Germany
- "Security Pitfalls of client-side cross-domain HTTP requests", talk at the 19th DFN Workshop "Sicherheit in vernetzten Systemen" [Security in Networked Systems], 22 February 2012, Hamburg, Germany
- "Web Application Security testing as a tool for ongoing developer training", talk at the German Testing Day 2011, 9 November 2011, Frankfurt, Germany
- "Biting the Hand That Serves You: A closer look at client-side Flash proxies for cross-domain requests", talk at the Gothenburg OWASP Kick-off, 14 April 2011, Gothenburg, Sweden
- "The Mess We Are In - the Past, Present, and Future of Web Security", keynote at the 6th Workshop on Security and Trust Management (STM 2010), September 24th, Athens, Greece
- "Session Fixation - the Forgotten Vulnerability?" (with Henrich C. Poehls, Michael Schrank, and Bastian Braun), OWASP Research 2010, June 23rd 2010, Stockholm, Sweden
- "Cross-site requests - One mechanism, many attacks", talk given at the RUB HackPra, June 18th 2010, Bochum, Germany
- "Cross-site requests and other offenders... " (slides) and "Secure Code Generation for Web Applications" (slides), both held at the Dagstuhl Seminar on Web Application Security, March/April 2009, Dagstuhl, Germany
- "Secure Code Generation for Web Applications", talk given at Microsoft Research, December 15th 2008, Redmond, USA (slides)
- "XSSDS und noXSS - Server- und Browser-basierte XSS Erkennung" [English: XSSDS and noXSS - Server- and Browser-based XSS Detection] (with Jeremias Reith), OWASP Germany Conference, 25 November 2008, Frankfurt, Germany (slides)
- "Scanstud - Evaluating static analysis tools" (with Moritz Jodeit, Wolfgang Koeppl, and Martin Wimmer), OWASP AppSec 2008, May 22nd, 2008, Ghent, Belgium (slides)
- "The three faces of CSRF", talk at the DeepSec2007 conference, 23 November 2007, Vienna, Austria (slides, video)
- "Exploiting the Intranet with a Webpage", talk at the HITBSecConf2007 conference, September 3-6 2007, Kuala Lumpur, Malaysia (slides, video).
- "CSRF, the Intranet and You" (with Justus Winter), talk at the 23C3, December 27-30 2006, Berlin, Germany (video)
- "On CSRF and why you should care", talk at the PacSec 2006 conference, November 27-30 2006, Tokyo, Japan (slides english/japanese).
- "Using the same-origin policy to disarm XSS vulnerabilities", talk at ph-neutral 0x7d6, 27th May 2006, Berlin, Germany (slides)
- "Finding and Preventing Buffer Overflows - An overview of static and dynamic approaches", talk at the 22C3, 27 December 2005, Berlin, Germany (slides, video)
Professional Activities
- Board Member of the German OWASP Chapter (since 2012)
- Member of organizing committees: ESORICS 2006 (workshop chair), German OWASP Day 2012 (pc co-chair), OWASP AppSec Research 2013 (pc co-chair), WASR 2013 (general chair), STRINT 2014, German OWASP Day 2014, 2015, 2016, 2017, 2018, 2019 & 2020 (pc chair), Dagstuhl Seminars on Web Application Security 2009, 2012 and 2018 (co-organizer)
- Member of program committees: OWASP Europe 2007, NordSec 2007, OWASP Europe 2008, DIMVA 2008, OWASP Research 2010, W2SP 2010, EC2ND 2010, STM 2010, ESSoS 2011, DIMVA 2011, STM 2011, EC2ND 2011, W2SP 2011, ESSoS 2012, WWW 2012, WISTP 2012, EuroSec 2012, DIMVA 2012, ISC 2012, EuroSec 2013, DIMVA 2013, ESSoS 2014, IOT 2014, SETOP 2014, STM 2014, ESSoS 2015, ACM SAC 2015, OWASP Research 2015, ICWE 2015, IFIP SEC 2015, ICISS 2015, ACM CODASPY 2016, ESSoS 2016, IFIP SEC 2016, ACM SAC 2016, USENIX Security 2016, CODASPY 2017, ACM SAC 2017, IFIP SEC 2017, DIMVA 2017, EuroUSEC 2017, USENIX Security 2017, FPS 2017, ACSAC 2017, ACM SAC 2018, CODASPY 2018, ISSTA 2018, IEEE EuroS&P 2018, ACSAC 2018, ACM SAC 2019, CODASPY 2019, ICWE 2019, ACSAC 2019, ACM SAC 2020, CODASPY 2020, ICWE 2020, ACSAC 2020, IEEE EuroS&P 2020, WWW 2020, ACM SAC 2021, ACM CODASPY 2021, ARES 2021, ACSAC 2021, WWW 2021, IEEE S&P 2022, IEEE EuroS&P 2022, CODASPY 2022, ACM SAC 2022, WWW 2022, ARES 2022, ACSAC 2022, IEEE S&P 2023, WWW 2023, ACSAC 2023, IEEE EuroS&P 2024
- Member of the CEPS Task Force on Critical Infrastructure Protection in the EU (2010)