Martin Johns

email martin johns
PGP: 2eb8 cf50 a0e2 5b6d 51ab d8ac 49be 5cef 9353 bba5

Tel: +49 40 42883 - 2654
Fax: +49 40 42883 - 2086

Office Addresses

SAP Research - CEC Karlsruhe
Vincenz-Priessnitz-Str. 1
D-76131 Karlsruhe, Germany
[web]

Universität Passau
Innstr. 43
D-94032 Passau, Germany
[web]

Interests

  • Web Application Security
  • Software Security
  • Static Code Checking
  • Dynamic Code Securing

Publications

  • Martin Johns, Christian Beyerlein, Rosemaria Giesecke, Joachim Posegga: Secure Code Generation for Web Applications, in 2nd International Symposium on Engineering Secure Software and Systems (ESSoS '10), February 2010 (to appear).
  • Martin Johns: Code Injection Vulnerabilities in Web Applications - Exemplified at Cross-site Scripting, PhD Thesis, University of Passau, July 2009 (to appear).
  • Martin Johns, Bjoern Engelmann, Joachim Posegga: XSSDS: Server-side detection of cross-site scripting attacks, in 24th Annual Computer Security Applications Conference (ACSAC '08), pp. 335 - 344, IEEE Computer Society, December 2008 (pdf).
  • Martin Johns: On JavaScript Malware and related threats - Web page based attacks revisited, in Journal in Computer Virology, Volume 4, Number 3, pp. 161 - 178, Springer Paris, August 2008 (doi, pdf).
  • Malko Steinorth, Martin Johns: Zeitverläufe bei automatisierten Penetrationstests, 15. DFN-CERT Workshop "Sicherheit in vernetzten Systemen", Hamburg, Germany, February 2008 (pdf).
  • Martin Johns, Daniel Schreckling: Automatisierter Code-Audit - Sicherheitsanalyse von Source Code in Theorie und Praxis, in Datenschutz und Datensicherheit - DuD, Volume 31, Number 12, Vieweg Verlag, pp. 888-893, December 2007 (doi).
  • Martin Johns, Justus Winter: Protecting the Intranet Against "JavaScript Malware" and Related Attacks, in Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2007), B. M. Hämmerli and R. Sommer (ed.), Springer, LNCS 4579, pp. 40-59, July 2007 (pdf).
  • Martin Johns: Towards Practical Prevention of Code Injection Vulnerabilities on the Programming Language Level, Technical Report, number 279-07, University of Hamburg, May 2007 (pdf).
  • Martin Johns, Christian Beyerlein: SMask: Preventing Injection Attacks in Web Applications by Approximating Automatic Data/Code Separation, 22nd ACM Symposium on Applied Computing (SAC 2007), Security Track, Seoul, Korea, March 2007 (pdf).
  • Daniel Schreckling, Martin Johns, SVS Sectoolers: CISAT: Integration von sicherheitszentrierter statischer Analyse in den Entwicklungsprozess, 14. DFN-CERT Workshop "Sicherheit in vernetzten Systemen", Hamburg, Germany, February 2007 (pdf).
  • Martin Johns: A First Approach to Counter "JavaScript Malware", in Proceedings of the 23rd Chaos Communication Congress, Verlag Art d'Ameublement, Bielefeld, ISBN 978-3-934-63605-7, pp. 160 - 167, December 2006 (pdf).
  • Martin Johns: SessionSafe: Implementing XSS Immune Session Handling, in European Symposium on Research in Computer Security (ESORICS 2006), Gollmann, D.; Meier, J. & Sabelfeld, A. (ed.), Springer, LNCS 4189, pp. 444-460, September 2006 (pdf).
  • Martin Johns, Justus Winter: RequestRodeo: Client Side Protection against Session Riding, in Proceedings of the OWASP Europe 2006 Conference, Piessens, F. (ed.), Report CW448, Departement Computerwetenschappen, Katholieke Universiteit Leuven, Belgium, May 2006 (pdf).
  • Martin Johns: Pseudonyme Biometrik - Ein signaturbasierter Ansatz, in "BIOSIG 2003 - Biometrics and Electronic Signatures", A. Brömme and C. Busch (eds.), Lecture Notes in Informatics (LNI) P-31, Bonner Köllen Verlag, Darmstadt, Germany, July 2003 (paper, slides).

Talks

  • "Cross-site requests and other offenders... " (slides) and "Secure Code Generation for Web Applications" (slides), both held at the Dagstuhl Seminar on Web Application Security, March/April 2009, Dagstuhl, Germany
  • "Secure Code Generation for Web Applications", talk given at Microsoft Research, December 15th 2008, Redmond, USA (slides)
  • "XSSDS und noXSS - Server- und Browser-basierte XSS Erkennung" (with Jeremias Reith), OWASP Germany Conference, November 25th 2008, Frankfurt, Germany (slides)
  • "Scanstud - Evaluating static analysis tools" (with Moritz Jodeit, Wolfgang Koeppl, and Martin Wimmer), OWASP AppSec 2008, May 22nd, 2008, Ghent, Belgium (slides)
  • "The three faces of CSRF", talk at the DeepSec2007 conference, November 23rd 2007, Vienna, Austria (slides, video)
  • "Exploiting the Intranet with a Webpage", talk at the HITBSecConf2007 conference, September 3-6 2007, Kuala Lumpur, Malaysia (slides, video).
  • "Towards vulnerability prevention in web applications via data/code separation", talk at the Fraunhofer First Kolloquium, June 20th 2007, Berlin, Germany (slides)
  • "Cross Site Scripting (XSS) und Session Riding (CSRF): Angriffe auf Web-Session Management - Ursachen, Konsequenzen, Gegenmaßnahmen", talk at the IICO-Congress, May 9-11 2007, Berlin, Germany
  • "CSRF, the Intranet and You" (with Justus Winter), talk at the 23C3, December 27-30 2006, Berlin, Germany (video)
  • "On CSRF and why you should care", talk at the PacSec 2006 conference, November 27-30 2006, Tokyo, Japan (slides english/japanese).
  • "Using the same-origin policy to disarm XSS vulnerabilities", talk at ph-neutral 0x7d6, 27th May 2006, Berlin, Germany (slides)
  • "Softwaresicherheit - Eine Forschungsperspektive" (with Joachim Posegga), talk at the Frühjahrstreffen der GI-Fachgruppe Datenbanken, April 6th 2006
  • "Finding and Preventing Buffer Overflows - An overview of static and dynamic approaches", talk at the 22C3, December 27th 2005, Berlin, Germany (slides, video)
