Martin Johns: On JavaScript Malware and related threats - Web page based attacks revisited, in Journal in Computer Virology, Springer Paris, December 2007 (doi).
Martin Johns, Daniel Schreckling: Automatisierter Code-Audit - Sicherheitsanalyse von Source Code in Theorie und Praxis, in Datenschutz und Datensicherheit - DuD, Volume 31, Number 12, Vieweg Verlag, pp. 888-893, December 2007 (doi).
Martin Johns, Justus Winter: Protecting the Intranet Against "JavaScript Malware" and Related Attacks,
in Detection of Intrusions and Malware & Vulnerability Assessment
(DIMVA 2007), B. M. Hämmerli and R. Sommer (ed.), Springer, LNCS 4579,
pp. 40-59, July 2007 (paper).
Martin Johns: Towards Practical Prevention of Code Injection Vulnerabilities on the Programming Language Level, Technical Report, number 279-07, University of Hamburg, May 2007 (paper).
Martin Johns, Christian Beyerlein: SMask: Preventing Injection Attacks in Web Applications by Approximating Automatic Data/Code Separation, 22nd ACM Symposium on Applied Computing (SAC 2007), Security Track, Seoul, Korea, March 2007 (paper).
Daniel Schreckling, Martin Johns, SVS Sectoolers: CISAT: Integration von sicherheitszentrierter
statischer Analyse in den Enwicklungsprozess, 14. DFN-CERT Workshop "Sicherheit in vernetzten Systemen", Hamburg, Germany, February 2007 (paper)
Martin Johns: SessionSafe: Implementing XSS Immune Session Handling
in in European Symposium on Research in Computer Security (ESORICS
2006), Gollmann, D.; Meier, J. & Sabelfeld, A. (ed.), Springer,
LNCS 4189, pp. 444-460, September 2006 (paper, slides, bibtex).
Martin Johns, Justus Winter: RequestRodeo: Client Side Protection against Session Riding
in Proceedings of the OWASP Europe 2006 Conference by Piessens, F.
(ed.), Report CW448, Departement Computerwetenschappen, Katholieke
Universiteit Leuven, Belgium, May 2006 (paper, slides, bibtex).
Talks
"Scanstud - Evaluating static analysis tools" (with Moritz Jodeit, Wolfgang Koeppl, and Martin Wimmer), OWASP AppSec 2008, May 22nd, 2008, Ghent, Belgium
"The three faces of CSRF", talk at the DeepSec2007 conference, November 23th 2007, Vienna, Austria (slides)
"Exploiting the Intranet with a Webpage", talk at the HITBSecConf2007 conference, September 3-6 2007, Kuala Lumpur, Malaysia (to appear).
"Towards vulnerability prevention in web applications via data/code separation", talk at the Fraunhofer First Kolloqium, June 20th 2007, Berlin, Germany
"Cross
Site Scripting (XSS) und Session Riding (CSRF): Angriffe auf
Web-Session Management - Ursachen, Konsequenzen, Gegenmaßnahmen", talk
at the IICO-Congress, May 9-11 2007, Berlin, Germany (to appear).
"CSRF, the Intranet and You" (with Justus Winter), talk at the 23C3,
December 27-30 2006, Berlin, Germany (to appear).
"On CSRF and why you should care", talk at the PacSec 2006 conference, November 27-30 2006, Tokio, Japan (slides english/japanese).
"Using the same-origin policy to disarm XSS vulnerabilities", talk at
ph-neutral 0x7d6, 27th May 2006, Berlin, Germany (slides)
"Finding and Preventing Buffer Overflows - An overview of static and dynamic approaches", talk at the 22C3,
27.12.2005, Berlin, Germany
(slides, video)
Professional Activities
Member of organizing committees: ESORICS 2006 (workshop chair)
