publications | Christian Mainka

IT security conferences, the most important publication medium in my area, use the CORE ranking. Top-tier conferences are ranked A* (filter). You can find my citation profiles below.

Total: 47. Peer Reviewed: 32. Rank A*: 12. Rank A: 7. Awarded: 3.

2025

May

S&P
"Only as Strong as the Weakest Link": On the Security of Brokered Single Sign-On on the Web

Tommaso Innocenti, Louis Jannett, Christian Mainka, Vladislav Mladenov, and Engin Kirda

In IEEE Symposium on Security and Privacy (S&P), San Francisco, CA, USA, May 2025

Abs DOI Bib Code Website

Single Sign-On (SSO) is an authentication process that allows users to access multiple services with a single set of login credentials. Although SSO improves the user experience, it poses challenges to developers to implement complex authentication protocols securely. External services, called brokers, simplify the integration of SSO. In this paper, we shed light on the emerging brokered SSO ecosystem, focusing on the security of the newly introduced actor, the broker. We systematically evaluate the landscape of brokered SSO, uncovering significant blind spots in previous research. Our study reveals that 25% of the websites with SSO integrate brokers for authentication, an area that has not been covered by any previous research. Through our comprehensive security evaluation, we identify three categories of threats associated with brokered SSO: (1) insufficient validation of redirect chains enabling injection attacks, (2) unauthorized data access enabling account takeovers, and (3) violations of security best current practices. We expose vulnerabilities in over 50 brokers, compromising the security of more than 2k websites. These findings represent only a lower bound of a critical situation, underscoring the urgent need for improved security measures and protocols to safeguard the integrity of brokered SSO systems.
@inproceedings{SP:IJMMK25, title = {"{{Only}} as {{Strong}} as the {{Weakest Link}}": {{On}} the {{Security}} of {{Brokered Single Sign-On}} on the {{Web}}}, booktitle = {{{IEEE Symposium}} on {{Security}} and {{Privacy}} ({{S}}\&{{P}})}, author = {Innocenti, Tommaso and Jannett, Louis and Mainka, Christian and Mladenov, Vladislav and Kirda, Engin}, date = {2025-05-12}, pages = {24--24}, publisher = {IEEE Computer Society}, location = {San Francisco, CA, USA}, doi = {10.1109/SP61157.2025.00024}, url = {https://www.computer.org/csdl/proceedings-article/sp/2025/223600a024/21B7Qfd8kiA}, urldate = {2025-02-25}, eventtitle = {{{SP}}}, langid = {english}, month = may, }

2023

November

CCS
Finding All Cross-Site Needles in the DOM Stack: A Comprehensive Methodology for the Automatic XS-Leak Detection in Web Browsers

Dominik Noß, Lukas Knittel, Christian Mainka, Marcus Niemietz, and Jörg Schwenk

In ACM SIGSAC Conference on Computer and Communications Security, Copenhagen, Denmark, accepted papers: 234/1222 = 19%, Nov 2023

Abs Bib PDF Code Website

Cross-Site Leaks (XS-Leaks) are a class of vulnerabilities that allow a web attacker to infer user state from a target web application cross-origin. Fixing XS-Leaks is a cat-and-mouse game: once a published vulnerability is fixed, a variant is discovered. To end this game, we propose a methodology to find all leak techniques for a given state-dependent resource and a set of inclusion method. We translate a website’s DOM at runtime into a directed graph. We execute this translation twice, once for each state. The outputs are two slightly different graphs. We then get the set of all leak techniques by computing these two graphs’ differences. The remaining nodes and edges differ between the two states, and the corresponding DOM properties and objects can be observed cross-origin. We implemented AutoLeak, our open-source solution for automatically detecting known and yet unknown XS-Leaks in web browsers and websites. For our systematic study, we focus on XS-Leak test cases for web browsers with detectable differences induced by HTTP headers. We created and evaluated a total of 151776 test cases in Chrome, Firefox, and Safari. AutoLeak executed them automatically without human interaction and identified up to 8403 leak techniques per test case. On top, AutoLeak’s systematic evaluation uncovers 5 novel classes of XS-Leaks based on leak techniques that allow detecting novel HTTP headers cross-origin. We show the applicability of our methodology on 24 web sites in the Tranco Top 50 and uncovered XS-Leaks in 20 of them.
@inproceedings{CCS:NKMNS23, title = {Finding {{All Cross-Site Needles}} in the {{DOM Stack}}: {{A Comprehensive Methodology}} for the {{Automatic XS-Leak Detection}} in {{Web Browsers}}}, booktitle = {{{ACM SIGSAC Conference}} on {{Computer}} and {{Communications Security}}}, author = {Noß, Dominik and Knittel, Lukas and Mainka, Christian and Niemietz, Marcus and Schwenk, Jörg}, date = {2023-11}, publisher = {ACM Press}, location = {Copenhagen, Denmark}, url = {https://www.sigsac.org/ccs/CCS2023/}, eventtitle = {{{CCS}}}, langid = {english}, month = nov, }

August

USENIX
Every Signature Is Broken: On the Insecurity of Microsoft Office’s OOXML Signatures

Simon Rohlmann, Vladislav Mladenov, Christian Mainka, Daniel Hirschberger, and Jörg Schwenk

In USENIX Security Symposium, Anaheim, CA, USA, accepted papers: 419/1444 = 29%, Aug 2023

Abs Bib PDF Video Code Slides Website

Microsoft Office is one of the most widely used applications for office documents. For documents of prime importance, such as contracts and invoices, the content can be signed to guarantee authenticity and integrity. Since 2019, security researchers have uncovered attacks against the integrity protection in other office standards like PDF and ODF. Since Microsoft Office documents rely on different specifications and processing rules, the existing attacks are not applicable.
@inproceedings{USENIX:RMMHS23, title = {Every {{Signature}} Is {{Broken}}: {{On}} the {{Insecurity}} of {{Microsoft Office}}’s {{OOXML Signatures}}}, booktitle = {{{USENIX Security Symposium}}}, author = {Rohlmann, Simon and Mladenov, Vladislav and Mainka, Christian and Hirschberger, Daniel and Schwenk, Jörg}, date = {2023-08-09}, pages = {18}, publisher = {USENIX Association}, location = {Anaheim, CA, USA}, url = {https://www.usenix.org/conference/usenixsecurity23/presentation/rohlmann}, eventtitle = {{{USENIX}}}, langid = {english}, month = aug, }

2022

November

CCS
DISTINCT: Identity Theft Using In-Browser Communications in Dual-Window Single Sign-On

Louis Jannett, Vladislav Mladenov, Christian Mainka, and Jörg Schwenk

In ACM SIGSAC Conference on Computer and Communications Security, Los Angeles, CA, USA, accepted papers: 218/971 = 22%, Nov 2022

Abs DOI Bib PDF Code Website

Single Sign-On (SSO) protocols like OAuth 2.0 and OpenID Connect 1.0 are cornerstones of modern web security, and have received much academic attention. Users sign in at a trusted Identity Provider (IdP) that subsequently allows many Service Providers (SPs) to verify the users’ identities. Previous research concentrated on the standardized — called textbook SSO in this paper — authentication flows, which rely on HTTP redirects to transfer identity tokens between the SP and IdP. However, modern web applications like single page apps may not be able to execute the textbook flow because they lose the local state in case of HTTP redirects. By using novel browser technologies, such as postMessage, developers designed and implemented SSO protocols that were neither documented nor analyzed thoroughly. We call them dual-window SSO flows.
@inproceedings{CCS:JMMS22, title = {{{DISTINCT}}: {{Identity Theft}} Using {{In-Browser Communications}} in {{Dual-Window Single Sign-On}}}, booktitle = {{{ACM SIGSAC Conference}} on {{Computer}} and {{Communications Security}}}, author = {Jannett, Louis and Mladenov, Vladislav and Mainka, Christian and Schwenk, Jörg}, date = {2022-11-15}, pages = {15}, publisher = {ACM Press}, location = {Los Angeles, CA, USA}, doi = {10.1145/3548606.3560692}, url = {https://distinct-sso.com/}, eventtitle = {{{CCS}}}, langid = {english}, month = nov, }

August

USENIX
Oops... Code Execution and Content Spoofing: The First Comprehensive Analysis of OpenDocument Signatures

Simon Rohlmann, Christian Mainka, Vladislav Mladenov, and Jörg Schwenk

In USENIX Security Symposium, Boston, MA, USA, accepted papers: 256/1492 = 17%, Aug 2022

Awarded Abs Bib PDF Code Slides Website

Awarded with the 2nd place on the Cyber Security Awareness Week (CSAW), Applied Research Competition.

OpenDocument is one of the major standards for interoperable office documents. Supported by office suites like Apache OpenOffice, LibreOffice, and Microsoft Office, the OpenDocument Format (ODF) is available for text processing, spreadsheets, and presentations on all major desktop and mobile operating systems. When it comes to governmental and business use cases, OpenDocument signatures can protect the integrity of a document’s content, for example, for contracts, amendments, or bills. Moreover OpenDocument signatures also protect document’s macros. Since the risks of using macros in documents is well-known, modern office applications only enable their execution if a trusted entity signs the macro code. Thus, the security of ODF documents often depends on the correct signature verification. In this paper, we conduct the first comprehensive analysis of OpenDocument signatures and reveal numerous severe threats. We identified five new attacks and evaluated them against 16 office applications on Windows, macOS, Linux, iOS, Android, and two online services. Our investigation revealed 12 out of 18 applications to be vulnerable for macro code execution, although the application only executes macros signed by trusted entities. For 17 of 18 applications, we could spoof the content in a signed ODF document while keeping the signature valid and trusted. Finally, we showed that attackers possessing a signed ODF could alter and forge the signature creation time in 16 of 18 applications. Our research was acknowledged by Microsoft, Apache OpenOffice, and LibreOffice during the coordinated disclosure.
@inproceedings{USENIX:RMMS22, title = {Oops... {{Code Execution}} and {{Content Spoofing}}: {{The First Comprehensive Analysis}} of {{OpenDocument Signatures}}}, booktitle = {{{USENIX Security Symposium}}}, author = {Rohlmann, Simon and Mainka, Christian and Mladenov, Vladislav and Schwenk, Jörg}, date = {2022-08-10}, pages = {18}, publisher = {USENIX Association}, location = {Boston, MA, USA}, url = {https://www.usenix.org/conference/usenixsecurity22/presentation/rohlmann}, urldate = {2022-05-12}, addendum = {2nd place in the Applied Research Competition (CSAW)}, eventtitle = {{{USENIX}}}, langid = {english}, month = aug, }

2021

November

CCS
XSinator.Com: From a Formal Model to the Automatic Evaluation of Cross-Site Leaks in Web Browsers

Lukas Knittel, Christian Mainka, Marcus Niemietz, Dominik Noß, and Jörg Schwenk

In ACM SIGSAC Conference on Computer and Communications Security, Seoul, South Korea (Virtual Conference), accepted papers: 196/879 = 22%, Nov 2021

Awarded Abs DOI Bib PDF Code Website

Awarded with the ACM CCS Best Paper Award.

Cross-Site Leaks (XS-Leaks) describe a client-side bug that allows an attacker to collect side-channel information from a cross-origin HTTP resource. They are a significant threat to Internet privacy since simply visiting a web page may reveal if the victim is a drug addict or leak a sexual orientation. Numerous different attack vectors, as well as mitigation strategies, have been proposed, but a clear and systematic understanding of XS-Leak’ root causes is still missing. Recently, Sudhodanan et al. gave a first overview of XS-Leak at NDSS 2020. We build on their work by presenting the first formal model for XS-Leaks. Our comprehensive analysis of known XSLeaks reveals that all of them fit into this new model. With the help of this formal approach, we (1) systematically searched for new XS-Leak attack classes, (2) implemented XSinator.com, a tool to automatically evaluate if a given web browser is vulnerable to XSLeaks, and (3) systematically evaluated mitigations for XS-Leaks. We found 14 new attack classes, evaluated the resilience of 56 different browser/OS combinations against a total of 34 XS-Leaks, and propose a completely novel methodology to mitigate XS-Leaks.
@inproceedings{CCS:KMNNS21, title = {{{XSinator}}.Com: {{From}} a {{Formal Model}} to the {{Automatic Evaluation}} of {{Cross-Site Leaks}} in {{Web Browsers}}}, booktitle = {{{ACM SIGSAC Conference}} on {{Computer}} and {{Communications Security}}}, author = {Knittel, Lukas and Mainka, Christian and Niemietz, Marcus and Noß, Dominik and Schwenk, Jörg}, date = {2021-11-15}, publisher = {ACM Press}, location = {Seoul, South Korea (Virtual Conference)}, doi = {10.1145/3460120.3484739}, url = {https://dl.acm.org/doi/10.1145/3460120.3484739}, urldate = {2020-12-08}, addendum = {ACM CCS Best Paper Award,}, eventtitle = {{{CCS}}}, langid = {english}, month = nov, }

May

S&P
Breaking the Specification: PDF Certification

Simon Rohlmann, Vladislav Mladenov, Christian Mainka, and Jörg Schwenk

In IEEE Symposium on Security and Privacy (S&P), Virtual Conference, accepted papers: 115/952 = 12%, May 2021

Abs DOI Bib PDF Code Website

The Portable Document Format (PDF) is the defacto standard for document exchange. The PDF specification defines two different types of digital signatures to guarantee the authenticity and integrity of documents: approval signatures and certification signatures. Approval signatures testify one specific state of the PDF document. Their security has been investigated at CCS’19. Certification signatures are more powerful and flexible. They cover more complex workflows, such as signing contracts by multiple parties. To achieve this goal, users can make specific changes to a signed document without invalidating the signature. This paper presents the first comprehensive security evaluation on certification signatures in PDFs. We describe two novel attack classes – Evil Annotation and Sneaky Signature attacks which abuse flaws in the current PDF specification. Both attack classes allow an attacker to significantly alter a certified document’s visible content without raising any warnings. Our practical evaluation shows that an attacker could change the visible content in 15 of 26 viewer applications by using Evil Annotation attacks and in 8 applications using Sneaky Signature by using PDF specification compliant exploits. We improved both attacks’ stealthiness with applications’ implementation issues and found only two applications secure to all attacks. On top, we show how to gain high privileged JavaScript execution in Adobe. We responsibly disclosed these issues and supported the vendors to fix the vulnerabilities. We also propose concrete countermeasures and improvements to the current specification to fix the issues.
@inproceedings{SP:RMMS21, title = {Breaking the {{Specification}}: {{PDF Certification}}}, booktitle = {{{IEEE Symposium}} on {{Security}} and {{Privacy}} ({{S}}\&{{P}})}, author = {Rohlmann, Simon and Mladenov, Vladislav and Mainka, Christian and Schwenk, Jörg}, date = {2021-05}, pages = {1485--1501}, publisher = {IEEE Computer Society}, location = {Virtual Conference}, issn = {2375-1207}, doi = {10.1109/SP40001.2021.00110}, url = {https://doi.ieeecomputersociety.org/10.1109/SP40001.2021.00110}, eventtitle = {{{SP}}}, month = may, }

February

NDSS
Shadow Attacks: Hiding and Replacing Content in Signed PDFs

Christian Mainka, Vladislav Mladenov, and Simon Rohlmann

In Network and Distributed System Security Symposium, Virtual Conference, accepted papers: 87/573 = 15%, Feb 2021

Abs DOI Bib PDF Video Code Website

The Portable Document Format, better known as PDF, is one of the most widely used document formats worldwide, and in order to ensure information confidentiality, this file format supports document encryption. In this paper, we analyze PDF encryption and show two novel techniques for breaking the confidentiality of encrypted documents. First, we abuse the PDF feature of partially encrypted documents to wrap the encrypted part of the document within attacker-controlled content and therefore, exfiltrate the plaintext once the document is opened by a legitimate user. Second, we abuse a flaw in the PDF encryption specification to arbitrarily manipulate encrypted content. The only requirement is that a single block of known plaintext is needed, and we show that this is fulfilled by design. Our attacks allow the recovery of the entire plaintext of encrypted documents by using exfiltration channels which are based on standard compliant PDF properties. We evaluated our attacks on 27 widely used PDF viewers and found all of them to be vulnerable. We responsibly disclosed the vulnerabilities and supported the vendors in fixing the issues.
@inproceedings{NDSS:MaiMlaRoh21, title = {Shadow {{Attacks}}: {{Hiding}} and {{Replacing Content}} in {{Signed PDFs}}}, booktitle = {Network and {{Distributed System Security Symposium}}}, author = {Mainka, Christian and Mladenov, Vladislav and Rohlmann, Simon}, date = {2021-02-21}, publisher = {Internet Society}, location = {Virtual Conference}, doi = {10.14722/ndss.2021.24117}, url = {https://www.ndss-symposium.org/ndss-paper/shadow-attacks-hiding-and-replacing-content-in-signed-pdfs/}, eventtitle = {{{NDSS}}}, month = feb, }
NDSS
Processing Dangerous Paths - On Security and Privacy of the Portable Document Format

Jens Müller, Dominik Noß, Christian Mainka, Vladislav Mladenov, and Jörg Schwenk

In Network and Distributed System Security Symposium, Virtual Conference, accepted papers: 87/573 = 15%, Feb 2021

Abs DOI Bib PDF Video Code Website

PDF is the de-facto standard for document exchange. It is common to open PDF files from potentially untrusted sources such as email attachments or downloaded from the Internet. In this work, we perform an in-depth analysis of the capabilities of malicious PDF documents. Instead of focusing on implementation bugs, we abuse legitimate features of the PDF standard itself by systematically identifying dangerous paths in the PDF file structure. These dangerous paths lead to attacks that we categorize into four generic classes: (1) Denial-ofService attacks affecting the host that processes the document. (2) Information disclosure attacks leaking personal data out of the victim’s computer. (3) Data manipulation on the victim’s system. (4) Code execution on the victim’s machine. An evaluation of 28 popular PDF processing applications shows that 26 of them are vulnerable at least one attack. Finally, we propose a methodology to protect against attacks based on PDF features systematically.
@inproceedings{NDSS:MNMMS21, title = {Processing {{Dangerous Paths}} - {{On Security}} and {{Privacy}} of the {{Portable Document Format}}}, booktitle = {Network and {{Distributed System Security Symposium}}}, author = {Müller, Jens and Noß, Dominik and Mainka, Christian and Mladenov, Vladislav and Schwenk, Jörg}, date = {2021-02-21}, publisher = {Internet Society}, location = {Virtual Conference}, doi = {10.14722/ndss.2021.23109}, url = {https://www.ndss-symposium.org/ndss-paper/processing-dangerous-paths-on-security-and-privacy-of-the-portable-document-format/}, eventtitle = {{{NDSS}}}, month = feb, }

2019

November

CCS
Practical Decryption exFiltration: Breaking PDF Encryption

Jens Müller, Fabian Ising, Vladislav Mladenov, Christian Mainka, Sebastian Schinzel, and Jörg Schwenk

In ACM SIGSAC Conference on Computer and Communications Security, London, United Kingdom, accepted papers: 149/933 = 16%, Nov 2019

Abs DOI Bib PDF Website

The Portable Document Format, better known as PDF, is one of the most widely used document formats worldwide, and in order to ensure information confidentiality, this file format supports document encryption. In this paper, we analyze PDF encryption and show two novel techniques for breaking the confidentiality of encrypted documents. First, we abuse the PDF feature of partially encrypted documents to wrap the encrypted part of the document within attacker-controlled content and therefore, exfiltrate the plaintext once the document is opened by a legitimate user. Second, we abuse a flaw in the PDF encryption specification to arbitrarily manipulate encrypted content. The only requirement is that a single block of known plaintext is needed, and we show that this is fulfilled by design. Our attacks allow the recovery of the entire plaintext of encrypted documents by using exfiltration channels which are based on standard compliant PDF properties. We evaluated our attacks on 27 widely used PDF viewers and found all of them to be vulnerable. We responsibly disclosed the vulnerabilities and supported the vendors in fixing the issues.
@inproceedings{CCS:MIMMSS19, title = {Practical {{Decryption exFiltration}}: {{Breaking PDF Encryption}}}, booktitle = {{{ACM SIGSAC Conference}} on {{Computer}} and {{Communications Security}}}, author = {Müller, Jens and Ising, Fabian and Mladenov, Vladislav and Mainka, Christian and Schinzel, Sebastian and Schwenk, Jörg}, date = {2019-11-06}, pages = {15--29}, publisher = {ACM Press}, location = {London, United Kingdom}, doi = {10.1145/3319535.3354214}, url = {https://dl.acm.org/doi/10.1145/3319535.3354214}, urldate = {2020-12-08}, eventtitle = {{{CCS}}}, langid = {english}, month = nov, }
CCS
1 Trillion Dollar Refund: How To Spoof PDF Signatures

Vladislav Mladenov, Christian Mainka, Karsten Meyer zu Selhausen, Martin Grothe, and Jörg Schwenk

In ACM SIGSAC Conference on Computer and Communications Security, London, United Kingdom, accepted papers: 149/933 = 16%, Nov 2019

Awarded Abs DOI Bib PDF Website

Awarded with the Best Paper Award on the Cyber Security Awareness Week (CSAW), Applied Research Competition.

The Portable Document Format (PDF) is the de-facto standard for document exchange worldwide. To guarantee the authenticity and integrity of documents, digital signatures are used. Several public and private services ranging from governments, public enterprises, banks, and payment services rely on the security of PDF signatures. In this paper, we present the first comprehensive security evaluation on digital signatures in PDFs. We introduce three novel attack classes which bypass the cryptographic protection of digitally signed PDF files allowing an attacker to spoof the content of a signed PDF. We analyzed 22 different PDF viewers and found 21 of them to be vulnerable, including prominent and widely used applications such as Adobe Reader DC and Foxit. We additionally evaluated eight online validation services and found six to be vulnerable. A possible explanation for these results could be the absence of a standard algorithm to verify PDF signatures – each client verifies signatures differently, and attacks can be tailored to these differences. We, therefore, propose the standardization of a secure verification algorithm, which we describe in this paper.
@inproceedings{CCS:MMSGS19, title = {1 {{Trillion Dollar Refund}}: {{How To Spoof PDF Signatures}}}, booktitle = {{{ACM SIGSAC Conference}} on {{Computer}} and {{Communications Security}}}, author = {Mladenov, Vladislav and Mainka, Christian and {Karsten Meyer zu Selhausen} and Grothe, Martin and Schwenk, Jörg}, date = {2019-11-06}, pages = {1--14}, publisher = {ACM Press}, location = {London, United Kingdom}, doi = {10.1145/3319535.3339812}, url = {https://dl.acm.org/doi/10.1145/3319535.3339812}, urldate = {2020-12-08}, addendum = {CSAW Best Paper Award}, eventtitle = {{{CCS}}}, langid = {english}, month = nov, }

2017

August

USENIX
Same-Origin Policy: Evaluation in Modern Browsers

Jörg Schwenk, Marcus Niemietz, and Christian Mainka

In USENIX Security Symposium, Vancouver, BC, Canada, accepted papers: 85/572 = 15%, Aug 2017

Abs DOI Bib PDF Video Code Slides Website

The term Same-Origin Policy (SOP) is used to denote a complex set of rules which governs the interaction of different Web Origins within a web application. A subset of these SOP rules controls the interaction between the host document and an embedded document, and this subset is the target of our research (SOP-DOM). In contrast to other important concepts like Web Origins (RFC 6454) or the Document Object Model (DOM), there is no formal specification of the SOP-DOM. In an empirical study, we ran 544 different test cases on each of the 10 major web browsers. We show that in addition to Web Origins, access rights granted by SOPDOM depend on at least three attributes: the type of the embedding element (EE), the sandbox, and CORS attributes. We also show that due to the lack of a formal specification, different browser behaviors could be detected in approximately 23% of our test cases. The issues discovered in Internet Explorer and Edge are also acknowledged by Microsoft (MSRC Case 32703). We discuss our findings in terms of read, write, and execute rights in different access control models.
@inproceedings{USENIX:SchNieMai17, title = {Same-Origin Policy: {{Evaluation}} in Modern Browsers}, booktitle = {{{USENIX Security Symposium}}}, author = {Schwenk, Jörg and Niemietz, Marcus and Mainka, Christian}, date = {2017-08-16}, pages = {713--727}, publisher = {USENIX Association}, location = {Vancouver, BC, Canada}, doi = {10.5555/3241189.3241245}, url = {https://dl.acm.org/doi/10.5555/3241189.3241245}, eventtitle = {{{USENIX}}}, month = aug, }