Portfolio
Presentations
- Dealing With Cross-Site Attacks at German OWASP Day in Leipzig - 2024, Blog post, Video
- Cross Origin Isolation at OWASP Berlin Meeting and PraSec - 2024, Slides
- What if XSS was a browser bug? at Hacking in Parallel Berlin - 2022, Slides
- Finding and Fixing DOM-based XSS at enterJS Darmstadt - 2022, Slides
- Making of: The Sanitizer API at Nullcon Berlin - 2022: Video, Slides
- Fixing Security Bugs in Firefox at Mozilla Berlin All-Hands - 2020
- Remote code execution in Firefox beyond memory corruptions at OWASP Global AppSec Amsterdam - 2019: Blog post, Slides
- A CDN that can not XSS you: Using Subresource Integrity at OWASP AppSec EU, Amsterdam - 2015: Video, Blog post
- We're struggling to keep up - A brief history of browser security features at JSConf.EU Berlin - 2014: Video
- Origin Policy Enforcement in Modern Browsers at OWASP AppSec Research in Hamburg and at Hack in Paris - 2013: Paper
Projects
- Sanitizer API, an upcoming standard that defines built-in HTML/XSS sanitizer primitives for the browser.
- eslint plugin "no unsanitized", a plugin for the popular JavaScript linter that helps finding and fixing unsanitized HTML interpolation, which could lead to XSS vulnerabilities.
- Subresource Integrity, a W3C specification for conditionally loading third-party scripts based on their cryptographic digest.
- Public Suffix List, the list that defines domain suffixes beyond typical IANA top-level domains. (as contributor)
- eslint plugin "no wildcard postMessage", a plugin for the popular JavaScript linter that disallows usage of the postMessage API to unspecified endpoints.
- discard tab, a Firefox extension that allows unloading a browser tab to disable background activity and reduce resource usage.
- html2dom, a JavaScript library that rewrites HTML source code into DOM instructions (createElement, appendChild etc.)
Blog posts elsewhere
- Firefox will upgrade more Mixed Content in Version 127, with Malte Jürgens, Simon Friedberger, and Christoph Kerschbaumer (June 5, 2024)
- DOM Clobbering (December 12, 2022)
- Finding and Fixing DOM-based XSS with Static Analysis (November 3, 2021)
- Examining JavaScript Inter-Process Communication in Firefox (April 27, 2021)
- Understanding Web Security Checks in Firefox (Part 2) (August 5, 2020)
- Hardening Firefox against Injection Attacks – The Technical Details (July 7, 2020)
- Understanding Web Security Checks in Firefox (Part 1) (June 10, 2020)
- Help Test Firefox’s built-in HTML Sanitizer to protect against UXSS bugs (December 2, 2019)
- Remote Code Execution in Firefox beyond memory corruptions (September 29, 2019)
Papers
- Hardening Firefox against Injection Attacks (PDF), with Christoph Kerschbaumer, Tom Ritter; SecWeb - Designing Security for the Web; Genova, Italy, September 2020
- X-Frame-Options: All about Clickjacking? Whitepaper together with Mario Heiderich, Fall 2013
- Origin Policy Enforcement in Modern Browsers, Diploma thesis, Summer/Fall 2012. Errata (TXT), Test Cases/Appendix available on request.
Community Service
I have also served on the Program Committee of various conferences.
- Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb) 2025.
- German OWASP Day (GOD), Leipzig 2024
- The Network and Distributed System Security (NDSS) Symposium 2023.
- SecWeb Workshop 2023 (jointly held with IEEE S&P in San Francisco on May 25, 2023).
- SecWeb Workshop 2021 (jointly held with European S&P).
- Invited participant to Dagstuhl Seminar 18321 on Web Application Security.