Security Research

I am currently working as a penetration tester/security consultant at n.runs AG. Before that, I was a member of the Fraunhofer SIT security test lab. Earlier, I have been involved in security research both professionally at Cynops GmbH and independently and have discovered vulnerabilities in Firefox, Opera, Outlook and Office 2007, Adobe Reader as well as in some servers and services, oftentimes related to certificate handling. Below is a list of advisories I have published, you can find more research in the form of slides, papers and presentation recordings in the download section.


2011/12/28: The #hashDoS vulnerability

Together with Julian “zeri” Wälde, I presented at 28C3 on research we had been doing for some months. We revisited a Usenix Security paper from 2003 called “Denial of Service via Algorithmic Complexity Attacks” and found out that nearly all major web application platforms (PHP, Java, CRuby 1.8, Python, ASP.NET, v8, etc.) were vulnerable to a very effective Denial of Service attack by finding hash collisions for their string hash functions, which turned out to be easy. oCERT advisory #2011-003 and our own have the gory details. The video from the talk may also be instructive. Some patches were done on time and some missed the disclosure deadline by a few days or weeks. We also ruined Microsoft's perfect record for 2011 by forcing them to release MS-11-100, the first (and last) out-of-band security update for 2011. Erik Tews wrote a nice blog post and of course there was some press coverage as well: ars technica, Spiegel Online (in german).


2010/09/04: Adobe Flash Player — privacy problems with the settings manager

In March 2010, the security test lab team I work in jointly discovered a flaw in the settings manager of Adobe's Flash Player which can lead to a privacy compromise (unnoticed activation of camera and microphone) in a MiTM situation if the user accepts a fake certificate for For details, see the advisory or the slides from the talk I gave at mrmcd1001b. This vulnerability also generated some press coverage (The H, Heise Germany,, Spiegel Online).


2009/12/21: SQL-Ledger — various issues

I discovered several issues (XSS, SQL injection, LFI, …) in the open source ERP system SQL-Ledger. See the advisory for more details.


2008/09/29: CAcert — non-persistent cross-site scripting

In September 2008, I discovered a non-persistent cross-site scripting vulnerability in This wouldn't normally make me write a security advisory, but as this was on the site of a certificate authority, I made an exception. See the advisory for more details.

2008/05/28: Opera — heap-based buffer overflow (CVE-2007-6521)

In October 2007, I discovered a heap-based buffer overflow in the certificate parsing of the Opera browser. The corresponding advisory was released in May 2008 right in time for my talk at EUSecWest.

2008/04/02: Apache-SSL — minor memory disclosure (CVE-2008-055)

In January 2008, I accidentally discovered that the parsing of client certificate DNs in Apache-SSL was faulty, leading to the possibility of overwriting parts of the DN and a minor memory disclosure. Details in the advisory.

2008/04/01: X.509 over HTTP

In January 2008, I discovered that the certificate parsing in Microsoft's CryptoAPI could be used to trigger unwanted HTTP requests. This vulnerability affects Outlook, Windows Live Mail and Office 2007. A proof of concept is available by sending an empty mail to or downloading the prepared Word 2007 document. Details are available in a whitepaper. This vulnerability also generated some press (Heise UK, Heise Germany) and was a large part of my EuSecWest 2008 talk on Abusing X.509 certificate features.

2008/02/13: OpenCA — Cross Site Request Forgery (CVE-2008-0556)

In December 2007, I discovered a XSRF issue in OpenCA that could lead to the unauthorized issuance of certificates. Details in the advisory and on Heise UK and Heise Germany.


2007/09/07: Firefox 2.0.x, 1.5 — automatic installation of TLS client certificates (CVE-2007-4879)

In September 2007, I discovered that with the help of SPKAC, Firefox could be used to install a TLS client certificate (more or less) silently. This certificate could then be used to track a user across different websites. This issue was fixed in Firefox It is also present in (Mac OS X) Safari, which is why the proof of concept might still be useful. The vulnerability got covered on Heise UK and Heise Germany.

2007/08/27: Stampit Web — Denial of Service (CVE-2007-3871)

In July 2007, I accidentally discovered a design bug in Deutsche Post's internet stamping application Stampit Web, which could have lead to an easily executed DoS on their 120.000 customers. The advisory as well as the press articles (Heise UK, Heise Germany, Spiegel Online) provide more details.

2007/04/10: DropAFew — SQL injection, authorization issue (CVE-2007-1363 and -1364)

In March 2007, I discovered serveral issues (most severely a SQL injection) in DropAFew. Details in the advisory.

2007/03/20: dproxy — remotely exploitable buffer overflow (CVE-2007-1465)

I also discovered a stack buffer overflow in dproxy in March 2007. Details are available in the advisory. I also wrote a Metasploit module (, but I can no longer offer it here due to crazy german laws.


2006/05/02: JSBoard — Cross Site Scripting (CVE-2006-2109)

In April 2006, I discovered a XSS issue in JSBoard. Details in the advisory.


2005/09/01: Adobe Reader — user tracking

In 2005, I discovered that JavaScript and PDF forms could be used to tracker the readers of a document by silently sending out HTTP requests. I set up a proof of concept website and the issue was fixed by Adobe in 7.0.5.