University of Passau
Department of Informatics and Mathematics
   University of Passau  >  FIM  >  IT-SEC  >  Members >  Former Members > Martin Johns      SiteMapSitemap  Seitenende
Martin Johns

Dipl.-Inform. Martin Johns

Contact Details

email martin johns
PGP: 2eb8 cf50 a0e2 5b6d 51ab d8ac 49be 5cef 9353 bba5


This page is no longer actively maintained 

Last update: 29/03/2011

Research Interest


  • Martin Johns, Bjoern Engelmann, Joachim Posegga: XSSDS: Server-side detection of cross-site scripting attacks, in Annual Computer Security Applications Conference (ACSAC '08), December 2008 (pdf).
  • Malko Steinorth, Martin Johns: Zeitverläufe bei automatisierten Penetrationstests, 15. DFN-CERT Workshop "Sicherheit in vernetzten Systemen", Hamburg, Germany, February 2008 (pdf).
  • Martin Johns: On JavaScript Malware and related threats - Web page based attacks revisited, in Journal in Computer Virology, Springer Paris, December 2007 (doi).
  • Martin Johns, Daniel Schreckling: Automatisierter Code-Audit - Sicherheitsanalyse von Source Code in Theorie und Praxis, in Datenschutz und Datensicherheit - DuD, Volume 31, Number 12, Vieweg Verlag, pp. 888-893, December 2007 (doi).
  • Martin Johns, Justus Winter: Protecting the Intranet Against "JavaScript Malware" and Related Attacks, in Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2007), B. M. Hämmerli and R. Sommer (ed.), Springer, LNCS 4579, pp. 40-59, July 2007 (pdf).
  • Martin Johns: Towards Practical Prevention of Code Injection Vulnerabilities on the Programming Language Level, Technical Report, number 279-07, University of Hamburg, May 2007 (pdf).
  • Martin Johns, Christian Beyerlein: SMask: Preventing Injection Attacks in Web Applications by Approximating Automatic Data/Code Separation, 22nd ACM Symposium on Applied Computing (SAC 2007), Security Track, Seoul, Korea, March 2007 (pdf).
  • Daniel Schreckling, Martin Johns, SVS Sectoolers: CISAT: Integration von sicherheitszentrierter statischer Analyse in den Enwicklungsprozess, 14. DFN-CERT Workshop "Sicherheit in vernetzten Systemen", Hamburg, Germany, February 2007 (pdf)
  • Martin Johns: A First Approach to Counter "JavaScript Malware" In Proceedings of the 23rd Chaos Communication Congress, Verlag Art d'Ameublement, Bielefeld, ISBN 978-3-934-63605-7, pages 160 - 167, December 2006 (pdf)
  • Martin Johns: SessionSafe: Implementing XSS Immune Session Handling in in European Symposium on Research in Computer Security (ESORICS 2006), Gollmann, D.; Meier, J. & Sabelfeld, A. (ed.), Springer, LNCS 4189, pp. 444-460, September 2006 (pdf, slides, bibtex).
  • Martin Johns, Justus Winter: RequestRodeo: Client Side Protection against Session Riding in Proceedings of the OWASP Europe 2006 Conference by Piessens, F. (ed.), Report CW448, Departement Computerwetenschappen, Katholieke Universiteit Leuven, Belgium, May 2006 (pdf, slides, bibtex).
  • "Cross-site requests and other offenders... " (slides) and "Secure Code Generation for Web Applications" (slides), both held at the Dagstuhl Seminar on Web Application Security, March/April 2009, Dagstuhl, Germany
  • "Secure Code Generation for Web Applications", talk given at Microsoft Research, December 15th 2008, Redmond, USA (slides)
  • "XSSDS und noXSS - Server- und Browser-basierte XSS Erkennung" (with Jeremias Reith), OWASP Germany Conference, November 25th 2008, Frankfurt, Germany (slides)
  • "Scanstud - Evaluating static analysis tools" (with Moritz Jodeit, Wolfgang Koeppl, and Martin Wimmer), OWASP AppSec 2008, May 22nd, 2008, Ghent, Belgium (slides)
  • "The three faces of CSRF", talk at the DeepSec2007 conference, November 23th 2007, Vienna, Austria (slides)
  • "Exploiting the Intranet with a Webpage", talk at the HITBSecConf2007 conference, September 3-6 2007, Kuala Lumpur, Malaysia (to appear).
  • "Towards vulnerability prevention in web applications via data/code separation", talk at the Fraunhofer First Kolloqium, June 20th 2007, Berlin, Germany
  • "Cross Site Scripting (XSS) und Session Riding (CSRF): Angriffe auf Web-Session Management - Ursachen, Konsequenzen, Gegenmaßnahmen", talk at the IICO-Congress, May 9-11 2007, Berlin, Germany (to appear).
  • "CSRF, the Intranet and You" (with Justus Winter), talk at the 23C3, December 27-30 2006, Berlin, Germany (to appear).
  • "On CSRF and why you should care", talk at the PacSec 2006 conference, November 27-30 2006, Tokio, Japan (slides english/japanese).
  • "Using the same-origin policy to disarm XSS vulnerabilities", talk at ph-neutral 0x7d6, 27th May 2006, Berlin, Germany (slides)
  • "Softwaresicherheit - Eine Forschungsperspektive" (with Joachim Posegga), talk at the Frühjahrstreffen der GI-Fachgruppe Datenbanken, 06.04.2006
  • "Finding and Preventing Buffer Overflows - An overview of static and dynamic approaches", talk at the 22C3, 27.12.2005, Berlin, Germany (slides, video)

Professional Activities

Supervised Theses

  • Offered (contact me if you are interested):
    • Various topics in the field of web application security. Drop me a line to make an appointment.
  • Ongoing:
    • [none]
  • Finished:
    • Diploma thesis: Reliable Reflective Cross-site Scripting Prevention on the Client-side (by J. Reith)
    • Diploma thesis: Evaluating Security Aspects of the Universal Serial Bus (by M. Jodeit)
    • Diploma thesis: Web Application Authentication revisited (by M. Hildebrand)
    • Diploma thesis: Implementierung einer Abstraktionsschicht zur Vermeidung von Code-Injection-Angriffen unter besonderer Berücksichtigung von Performance-Aspekten (by C. Beyerlein)
    • Diploma thesis: Implementierung eines Präprozessors für Java als eine Gegenmaßnahme gegen Injektionsangriffe, um Daten-Code-Trennung in Webanwendungen zu erzielen (by M. Czerwik)
    • Diploma thesis: Automatisierbarkeit von Penetrationstests (by M. Steinorth)
    • Diploma thesis: Dynamic Evaluation of Input Filter Functions (by B. Ahne)
    • Diploma thesis: Dynamic Web Application Analysis for Cross Site Scripting Detection (by B. Engelmann)
    • Diploma thesis: Using Compiler Intermediate Representations for security-related Static Analysis (by T. Mende)
    • Diploma thesis: XSS Secure Session Handling (by C. Weitendorf)
    • Bachelor thesis: Possible Threats to PGP Key Servers (by T. Holst)
    • Bachelor thesis: Automatische Verfolgung und Archivierung von Sicherheitsupdates eines freien Unix-Derivates (by S. Schirmer)
    • Bachelor thesis: Zertifizierung öffentlicher Schlüssel als Dienstleistung (by G. Goldbach)


  • Summer term 2006
    • Project: Software Security (18.342)
    • Seminar IT-Sicherheit (18.405)
    • Open study group: Practical Insecurities
  • Winter term 2005/06
    • Open study group: Practical Insecurities
    • Projekt: Software-Sicherheit (18.342)
  • Summer term 2005
    • Open study group: C Insecurities
  Impressum Last modified: 24/02/2015 - 18:13:06 by mj  Seitenanfang