Martin Johns

Learn More
The class of Cross-site Scripting (XSS) vulnerabilities is the most prevalent security problem in the field of Web applications. One of the main attack vectors used in connection with XSS is session hijacking via session identifier theft. While session hijacking is a client-side attack, the actual vulnerability resides on the server-side and, thus, has to(More)
In recent years, the Web witnessed a move towards sophis- ticated client-side functionality. This shift caused a signifi- cant increase in complexity of deployed JavaScript code and thus, a proportional growth in potential client-side vulnera- bilities, with DOM-based Cross-site Scripting being a high impact representative of such security issues. In this(More)
Cross-site scripting (XSS) has emerged to one of the most prevalent type of security vulnerabilities. While the reason for the vulnerability primarily lies on the server-side, the actual exploitation is within the victim's Web browser on the client-side. Therefore, an operator of a Web application has only very limited evidence of XSS issues. In this paper,(More)
With the growing trend towards the use of web applications the danger posed by cross site scripting vulnerabilities gains severity. The most serious threats resulting from cross site scripting vulnerabilities are session hijacking attacks: Exploits that steal or fraudulently use the victim’s identity. In this paper we classify currently known attack methods(More)
The term 'Session Fixation vulnerability' subsumes issues in Web applications that under certain circumstances enable the adversary to perform a Session Hijacking attack through controlling the victim's session identifier value. A successful attack allows the attacker to fully impersonate the victim towards the vulnerable Web application. We analyse the(More)
The current generation of client-side Cross-Site Scripting filters rely on string comparison to detect request values that are reflected in the corresponding response’s HTML. This coarse approximation of occurring data flows is incapable of reliably stopping attacks which leverage nontrivial injection contexts. To demonstrate this, we conduct a thorough(More)
The term JavaScript Malware describes attacks that abuse the web browser’s capabilities to execute malicious script-code within the victim’s local execution context. Unlike related attacks, JavaScript Malware does not rely on security vulnerabilities in the web browser’s code but instead solely utilizes legal means in respect to the applying specification(More)
In the constant evolution of the Web, the simple always gives way to the more complex. Static webpages with click-through dialogues are becoming more and more obsolete and in their place, asynchronous JavaScript requests, Web mash-ups and proprietary plug-ins with the ability to conduct cross-domain requests shape the modern user experience. Three recent(More)