
Dr. Martin Johns
Email: mj at martinjohns dot com
Tel: +49 6227 - 7 52547
Fax: +49 - 6227 78 - 44618
Office Address
SAP Research
Vincenz-Priessnitz-Str. 1
D-76131 Karlsruhe, Germany
Research Interests
- Web Application Security
- Software Security
- Static Code Checking
- Dynamic Code Securing
Publications
- Martin Johns, Sebastian Lekies, and Ben Stock: Eradicating DNS Rebinding with the Extended Same-Origin Policy, in 22nd USENIX Security Symposium (USENIX Security '13), August 2013 (to appear)
- Martin Johns: PreparedJS: Secure Script-Templates for JavaScript, in 10th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA '13), July 2013 (to appear)
- Martin Johns, Sebastian Lekies, Bastian Braun, and Benjamin Flesch: BetterAuth: Web Authentication Revisited, in 28th Annual Computer Security Applications Conference (ACSAC '12), December 2012 (pdf)
- Sebastian Lekies, Nick Nikiforakis, Walter Tighzert, Frank Piessens, and Martin Johns: DEMACRO: Defense against Malicious Cross-domain Requests. In 15th International Symposium on Research in Attacks, Intrusions and Defenses (RAID'12), September 2012 (pdf)
- Bastian Braun, Stefan Kucher, Martin Johns, and Joachim Posegga: A User-level Authentication Scheme to Mitigate Web Session-Based Vulnerabilities. In 9th International Conference on Trust, Privacy, and Security in Digital Business (TrustBus '12), September 2012 (to appear)
- Sebastian Lekies, Mario Heiderich, Dennis Appelt, Thorsten Holz, and Martin Johns: On the fragility and limitations of current Browser-provided Clickjacking protection schemes, in 6th USENIX Workshop on Offensive Technologies (WOOT '12), August 2012 (pdf)
- Sebastian Lekies and Martin Johns: Lightweight Integrity Protection for Web Storage Content Caching. In 6th Workshop on Web 2.0 Security and Privacy (W2SP 2012), May 2012 (pdf)
- Martin Johns: HTML5-Security - Sicherer Umgang mit den neuen JavaScript APIs. In Datenschutz und Datensicherheit, 36(4): 231-235, April 2012
- Anke Weidlich, Harald Vogt, Wolfgang Krauss, Patrik Spiess, Marek Jawurek, Martin Johns, and Stamatis Karnouskos: Decentralized intelligence in energy efficient power systems. In A. Sorokin et al., editors, Handbook of networks in power systems, ISBN 978-3-642-23192-6, Springer, 2012 (in press)
- Sebastian Lekies, Walter Tighzert, Martin Johns: Towards stateless, client-side driven Cross-Site Request Forgery protection for Web applications, in 5th conference on "Sicherheit, Schutz und Zuverlässigkeit" (GI Sicherheit 2012), Lecture Notes in Informatics (LNI), March 2012 (pdf)
- Marek Jawurek, Martin Johns, and Konrad Rieck: Smart Metering De-Pseudonymization, in 27th Annual Computer Security Applications Conference (ACSAC 2011), December 2011 (pdf)
- Martin Johns, Sebastian Lekies: Biting the Hand That Serves You: A closer look at client-side Flash proxies for cross-domain requests. In 8th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2011), July 2011 (pdf)
- Marek Jawurek, Martin Johns, Florian Kerschbaum: Plug-in privacy for Smart Metering billing. In 11th Privacy Enhancing Technologies Symposium (PETS 2011), July 2011 (pdf)
- Martin Johns: Code-injection Vulnerabilities in Web Applications - Exemplified at Cross-site Scripting. it - Information Technology 53(5): 256-259, May 2011 (pdf)
- Sebastian Lekies, Martin Johns, Walter Tighzert: The State of the Cross-domain Nation. In 5th workshop on Web 2.0 Security and Privacy (W2SP 2011), May 2011 (pdf)
- Nick Nikiforakis, Wouter Joosen, Martin Johns: Abusing Locality in Shared Web Hosting. In 4th European Workshop on System Security (EUROSEC'11), April 2011 (pdf)
- Martin Johns, Moritz Jodeit: Scanstud: A Methodology for Systematic, Fine-grained Evaluation of Static Analysis Tools, in Second International Workshop on Security Testing (SECTEST'11), March 2011 (pdf)
- Martin Johns, Bastian Braun, Michael Schrank, Joachim Posegga: Reliable Protection Against Session Fixation Attacks, 26th ACM Symposium on Applied Computing (SAC 2011), Security Track, March 2011 (pdf)
- Nick Nikiforakis, Wannes Meert, Yves Younan, Martin Johns, Wouter Joosen: SessionShield: Lightweight Protection against Session Hijacking, in 3rd International Symposium on Engineering Secure Software and Systems (ESSoS '11), February 2011 (pdf)
- Moritz Jodeit, Martin Johns: USB Device Drivers: A Stepping Stone into your Kernel, in 6th European Conference on Computer Network Defense (EC2ND 2010), October 2010 (pdf)
- Marek Jawurek, Martin Johns: Security Challenges of a Changing Energy Landscape. in Information Security Solutions Europe (ISSE 2010), Vieweg Verlag, October 2010 (pdf)
- Michael Schrank, Bastian Braun, Martin Johns, Joachim Posegga: Session Fixation - the Forgotten Vulnerability?, in 5th conference on "Sicherheit, Schutz und Zuverlässigkeit" (GI Sicherheit 2010), Lecture Notes in Informatics (LNI), October 2010 (pdf)
- Martin Johns, Christian Beyerlein, Rosemaria Giesecke, Joachim Posegga: Secure Code Generation for Web Applications, in 2nd International Symposium on Engineering Secure Software and Systems (ESSoS '10), LNCS 5965, pp. 96-113, Springer, February 2010 (pdf)
- Martin Johns, Bjoern Engelmann, Joachim Posegga: XSSDS: Server-side detection of cross-site scripting attacks. In 24th Annual Computer Security Applications Conference (ACSAC '08), pp. 335 - 344, IEEE Computer Society, December 2008 (pdf)
- Martin Johns: On JavaScript Malware and related threats - Web page based attacks revisited. In Journal in Computer Virology, Volume 4, Number 3, pp. 161 - 178, Springer Paris, August 2008 (doi, pdf)
- Malko Steinorth, Martin Johns: Zeitverläufe bei automatisierten Penetrationstests. In 15. DFN-CERT Workshop "Sicherheit in vernetzten Systemen", February 2008 (pdf)
- Martin Johns, Daniel Schreckling: Automatisierter Code-Audit - Sicherheitsanalyse von Source Code in Theorie und Praxis. In Datenschutz und Datensicherheit - DuD, Volume 31, Number 12, Vieweg Verlag, pp. 888-893, December 2007 (doi)
- Martin Johns, Justus Winter: Protecting the Intranet Against "JavaScript Malware" and Related Attacks. In Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2007), Springer, LNCS 4579, pp. 40-59, July 2007 (pdf)
- Martin Johns, Christian Beyerlein: SMask: Preventing Injection Attacks in Web Applications by Approximating Automatic Data/Code Separation. In 22nd ACM Symposium on Applied Computing (SAC 2007), Security Track, March 2007 (pdf)
- Daniel Schreckling, Martin Johns, SVS Sectoolers: CISAT: Integration von sicherheitszentrierter statischer Analyse in den Entwicklungsprozess. In 14. DFN-CERT Workshop "Sicherheit in vernetzten Systemen", February 2007 (pdf)
- Martin Johns: SessionSafe: Implementing XSS Immune Session Handling. In European Symposium on Research in Computer Security (ESORICS 2006), Springer, LNCS 4189, pp. 444-460, September 2006 (pdf)
- Martin Johns, Justus Winter: RequestRodeo: Client Side Protection against Session Riding. In Proceedings of the OWASP Europe 2006 Conference, Report CW448, Departement Computerwetenschappen, KU Leuven, May 2006 (pdf)
- Martin Johns: Pseudonyme Biometrik - Ein signaturbasierter Ansatz. In Biometrics and Electronic Signatures (BIOSIG 2003), Lecture Notes in Informatics (LNI), P-31, July 2003 (paper, slides)
- Lieven Desmet, Martin Johns, Benjamin Livshits, Andrei Sabelfeld: Web Application Security (Dagstuhl Seminar 12401). Dagstuhl Reports 2(10): 1-37, 2012 (pdf)
- Martin Johns and Joachim Posegga: WebSand: Server-Driven Outbound Web-Application Sandboxing. In 9th International Conference on Trust, Privacy, and Security in Digital Business (TrustBus'12), September 2012 (pdf)
- Martin Johns: Code-injection Verwundbarkeiten in Web Anwendungen am Beispiel von Cross-site Scripting. In Ausgezeichnete Informatikdissertationen 2010, Lecture Notes in Informatics (LNI), Bonner Köllen Verlag, Darmstadt, Germany, 2010 (pdf)
- Martin Johns: Session Hijacking Attacks. In the second edition of Encyclopedia of Cryptography and Security, Springer, 2010.
- Isabel Thomas, Anke Weidlich, Martin Johns: IT-Gestützte Geschäftsprozesse in zukünftigen E-Mobility Szenarien. In VDE Kongress 2010 - E-Mobility, ISBN 978-3-8007-3304-0, Germany, 2010
- Dan Boneh, Ulfar Erlingsson, Martin Johns, and Benjamin Livshits: Dagstuhl Seminar 09141: Web Application Security (Executive summary), Schloss Dagstuhl - Leibniz-Zentrum für Informatik, Germany, 2009 (pdf)
- Martin Johns: Kirk und Eine Hamburger Nacht. In Me, Making Funny Faces, Luftschacht Verlag, ISBN 978-3-902373-50-2, Wien, 2009
- Martin Johns: A First Approach to Counter "JavaScript Malware". In Proceedings of the 23rd Chaos Communication Congress, Verlag Art d'Ameublement, Bielefeld, ISBN 978-3-934-63605-7, pages 160 - 167, December 2006 (pdf)
- Martin Johns: Code Injection Vulnerabilities in Web Applications - Exemplified at Cross-site Scripting, PhD Thesis, University of Passau, Germany, July 2009 (pdf).
- Martin Johns: Anwendung von Wavelets für die biometrische Authentikation, Diploma (Master's) Thesis, University of Hamburg, Germany, February 2003 (pdf)
Talks
- "Towards Server-driven Web Security", invited talk at the Intel Research Conference (ERIC 2012), 23.10.2012, Barcelona, Spain
- "Web Security - Are we there yet?", keynote at the 2nd Dagstuhl Seminar on Web Application Security, 01.10.2012, Schloss Dagstuhl, Germany
- "Clickjacking Protection Under Non-trivial Circumstances" and "Got Your Nose" (with Sebastian Lekies, Mario Heiderich, and Thorsten Holz), talks at the "WWWTF" Caro Workshop 2012, May 14-15 2012, Munich, Germany
- "Security Pitfalls of client-side cross-domain HTTP requests", talk at the 19. DFN Workshop "Sicherheit in vernetzten Systemen", 22.02.2012, Hamburg, Germany
- "Web Application Security testing as a tool for ongoing developer training", talk at the German Testing Day 2011, 9.11.2011, Frankfurt, Germany
- "Biting the Hand That Serves You: A closer look at client-side Flash proxies for cross-domain requests", talk at the Gothenburg OWASP Kick-off, April 14th 2011, Gothenburg, Sweden
- "The Mess We Are In - the Past, Present, and Future of Web Security", Keynote at the 6th Workshop on Security and Trust Management (STM 2010), September 24th, Athens, Greece
- "Session Fixation - the Forgotten Vulnerability?" (with Henrich C. Poehls, Michael Schrank, and Bastian Braun), OWASP Research 2010, June 23rd 2010, Stockholm, Sweden
- "Cross-site requests - One mechanism, many attacks", talk given at the RUB Hackerpraktikum, June 18th 2010, Bochum, Germany
- "Cross-site requests and other offenders... " (slides) and "Secure Code Generation for Web Applications" (slides), both held at the Dagstuhl Seminar on Web Application Security, March/April 2009, Dagstuhl, Germany
- "Secure Code Generation for Web Applications", talk given at Microsoft Research, December 15th 2008, Redmond, USA (slides)
- "XSSDS und noXSS - Server- und Browser-basierte XSS Erkennung" (with Jeremias Reith), OWASP Germany Conference, November 25th 2008, Frankfurt, Germany (slides)
- "Scanstud - Evaluating static analysis tools" (with Moritz Jodeit, Wolfgang Koeppl, and Martin Wimmer), OWASP AppSec 2008, May 22nd, 2008, Ghent, Belgium (slides)
- "The three faces of CSRF", talk at the DeepSec2007 conference, November 23rd 2007, Vienna, Austria (slides, video)
- "Exploiting the Intranet with a Webpage", talk at the HITBSecConf2007 conference, September 3-6 2007, Kuala Lumpur, Malaysia (slides, video).
- "Towards vulnerability prevention in web applications via data/code separation", talk at the Fraunhofer First Kolloquium, June 20th 2007, Berlin, Germany (slides)
- "Cross Site Scripting (XSS) und Session Riding (CSRF): Angriffe auf Web-Session Management - Ursachen, Konsequenzen, Gegenmaßnahmen", talk at the IICO-Congress, May 9-11 2007, Berlin, Germany
- "CSRF, the Intranet and You" (with Justus Winter), talk at the 23C3, December 27-30 2006, Berlin, Germany (video)
- "On CSRF and why you should care", talk at the PacSec 2006 conference, November 27-30 2006, Tokyo, Japan (slides english/japanese).
- "Using the same-origin policy to disarm XSS vulnerabilities", talk at ph-neutral 0x7d6, 27th May 2006, Berlin, Germany (slides)
- "Softwaresicherheit - Eine Forschungsperspektive" (with Joachim Posegga), talk at the Frühjahrstreffen der GI-Fachgruppe Datenbanken, 06.04.2006
- "Finding and Preventing Buffer Overflows - An overview of static and dynamic approaches", talk at the 22C3, 27.12.2005, Berlin, Germany (slides, video)
Technical Reports
- Marek Jawurek, Martin Johns, Florian Kerschbaum: Plug-in privacy for Smart Metering billing, Technical Report, The Computing Research Repository: Report 1012.2248, 2010 (pdf)
- Martin Johns: Towards Practical Prevention of Code Injection Vulnerabilities on the Programming Language Level, Technical Report, number 279-07, University of Hamburg, May 2007 (pdf).
Professional Activities
- Member of organizing committees: ESORICS 2006 (workshop chair), Dagstuhl Seminars on Web Application Security 2009 and 2012 (co-organizer), OWASP AppSec Germany 2012
- Member of program committees: OWASP Europe 2007, NordSec 2007, OWASP Europe 2008, DIMVA 2008, OWASP Research 2010, W2SP 2010, EC2ND 2010, STM 2010, ESSoS 2011, DIMVA 2011, STM 2011, EC2ND 2011, W2SP 2011, ESSoS 2012, WWW 2012, WISTP 2012, EuroSec 2012, DIMVA 2012, ISC 2012, EuroSec 2013, DIMVA 2013
- Reviewer for program committees/journals: sOc-EUSAI 2005, CARDIS 2006, SEC 2006, ISAS 2006, SEC 2007, WISTP 2007, International Journal of Information Security, WISTP 2008, CARDIS 2008, SECRYPT 2008, TrustBus 2009, NTMS 2009, INC 2010, IOT 2010, Computers & Security.
- Member of the CEPS Task Force on Critical Infrastructure Protection in the EU (2010)
- Board Member of the German OWASP Chapter (since 2012)