Christian Mainka

I am an IT security professor at University of Wuppertal where I lead the group ROSES (Robust, Secure and Privacy-Preserving Smart Systems). Also, I am one of the founders of Hackmanit, a Freelancer, organizer of RuhrSec, hiker, cyclist, and handball player.

With almost two decades of experience in web and data security research, my work was presented at top-tier academic and industry conferences. I have published 32 peer-reviewed papers, including 12 at top-tier conferences in my field and 3 awarded papers.

I have filed numerous CVEs in widely used applications and libraries. I am the originator of the penetration test tools WS-Attacker and the Single Sign-On Burpsuite Extension EsPReSSO, which have proven valuable in the industry. My PhD research focused on XML-based web services and Single Sign-On protocols, such as OAuth and OpenID Connect and SAML. Since then, I have expanded my research to explore the robustness of digital systems, with a particular focus on document security. My current work involves investigating cryptographic failures related to document signatures and encryption using fault injection. I am also engaged in researching browser security, with a specific focus on security and privacy issues resulting from SOP bypasses, including XS-Leaks. In 2018, I got a permanent research position at the Chair for Network and Datasecurity lead by Prof. Jörg Schwenk. In May 2025, I joined the University of Wuppertal and continue to explore innovative solutions to the challenges of cybersecurity.

open position

I am looking for a PhD Candidate (100% TVL-E13) working with me on Topics around Web and Data Security. Contact me via mail if you would like to work in our Team on practical IT security topics.

news

May 05, 2025	I joined the University of Wuppertal.

selected publications

CCS
XSinator.Com: From a Formal Model to the Automatic Evaluation of Cross-Site Leaks in Web Browsers

Lukas Knittel, Christian Mainka, Marcus Niemietz, Dominik Noß, and Jörg Schwenk

In ACM SIGSAC Conference on Computer and Communications Security, Seoul, South Korea (Virtual Conference), accepted papers: 196/879 = 22%, Nov 2021

Awarded Abs DOI Bib PDF Code Website

Awarded with the ACM CCS Best Paper Award.

Cross-Site Leaks (XS-Leaks) describe a client-side bug that allows an attacker to collect side-channel information from a cross-origin HTTP resource. They are a significant threat to Internet privacy since simply visiting a web page may reveal if the victim is a drug addict or leak a sexual orientation. Numerous different attack vectors, as well as mitigation strategies, have been proposed, but a clear and systematic understanding of XS-Leak’ root causes is still missing. Recently, Sudhodanan et al. gave a first overview of XS-Leak at NDSS 2020. We build on their work by presenting the first formal model for XS-Leaks. Our comprehensive analysis of known XSLeaks reveals that all of them fit into this new model. With the help of this formal approach, we (1) systematically searched for new XS-Leak attack classes, (2) implemented XSinator.com, a tool to automatically evaluate if a given web browser is vulnerable to XSLeaks, and (3) systematically evaluated mitigations for XS-Leaks. We found 14 new attack classes, evaluated the resilience of 56 different browser/OS combinations against a total of 34 XS-Leaks, and propose a completely novel methodology to mitigate XS-Leaks.
@inproceedings{knittelXSinatorComFormal2021, title = {{{XSinator}}.Com: {{From}} a {{Formal Model}} to the {{Automatic Evaluation}} of {{Cross-Site Leaks}} in {{Web Browsers}}}, booktitle = {{{ACM SIGSAC Conference}} on {{Computer}} and {{Communications Security}}}, author = {Knittel, Lukas and Mainka, Christian and Niemietz, Marcus and Noß, Dominik and Schwenk, Jörg}, date = {2021-11-15}, publisher = {ACM Press}, location = {Seoul, South Korea (Virtual Conference)}, doi = {10.1145/3460120.3484739}, url = {https://dl.acm.org/doi/10.1145/3460120.3484739}, urldate = {2020-12-08}, addendum = {ACM CCS Best Paper Award,}, eventtitle = {{{CCS}}}, langid = {english}, month = nov, }
CCS
1 Trillion Dollar Refund: How To Spoof PDF Signatures

Vladislav Mladenov, Christian Mainka, Karsten Meyer zu Selhausen, Martin Grothe, and Jörg Schwenk

In ACM SIGSAC Conference on Computer and Communications Security, London, United Kingdom, accepted papers: 149/933 = 16%, Nov 2019

Awarded Abs DOI Bib PDF Website

Awarded with the Best Paper Award on the Cyber Security Awareness Week (CSAW), Applied Research Competition.

The Portable Document Format (PDF) is the de-facto standard for document exchange worldwide. To guarantee the authenticity and integrity of documents, digital signatures are used. Several public and private services ranging from governments, public enterprises, banks, and payment services rely on the security of PDF signatures. In this paper, we present the first comprehensive security evaluation on digital signatures in PDFs. We introduce three novel attack classes which bypass the cryptographic protection of digitally signed PDF files allowing an attacker to spoof the content of a signed PDF. We analyzed 22 different PDF viewers and found 21 of them to be vulnerable, including prominent and widely used applications such as Adobe Reader DC and Foxit. We additionally evaluated eight online validation services and found six to be vulnerable. A possible explanation for these results could be the absence of a standard algorithm to verify PDF signatures – each client verifies signatures differently, and attacks can be tailored to these differences. We, therefore, propose the standardization of a secure verification algorithm, which we describe in this paper.
@inproceedings{mladenov1TrillionDollar2019, title = {1 {{Trillion Dollar Refund}}: {{How To Spoof PDF Signatures}}}, booktitle = {{{ACM SIGSAC Conference}} on {{Computer}} and {{Communications Security}}}, author = {Mladenov, Vladislav and Mainka, Christian and {Karsten Meyer zu Selhausen} and Grothe, Martin and Schwenk, Jörg}, date = {2019-11-06}, pages = {1--14}, publisher = {ACM Press}, location = {London, United Kingdom}, doi = {10.1145/3319535.3339812}, url = {https://dl.acm.org/doi/10.1145/3319535.3339812}, urldate = {2020-12-08}, addendum = {CSAW Best Paper Award}, eventtitle = {{{CCS}}}, langid = {english}, month = nov, }
USENIX
Oops... Code Execution and Content Spoofing: The First Comprehensive Analysis of OpenDocument Signatures

Simon Rohlmann, Christian Mainka, Vladislav Mladenov, and Jörg Schwenk

In USENIX Security Symposium, Boston, MA, USA, accepted papers: 256/1492 = 17%, Aug 2022

Awarded Abs Bib PDF Code Slides Website

Awarded with the 2nd place on the Cyber Security Awareness Week (CSAW), Applied Research Competition.

OpenDocument is one of the major standards for interoperable office documents. Supported by office suites like Apache OpenOffice, LibreOffice, and Microsoft Office, the OpenDocument Format (ODF) is available for text processing, spreadsheets, and presentations on all major desktop and mobile operating systems. When it comes to governmental and business use cases, OpenDocument signatures can protect the integrity of a document’s content, for example, for contracts, amendments, or bills. Moreover OpenDocument signatures also protect document’s macros. Since the risks of using macros in documents is well-known, modern office applications only enable their execution if a trusted entity signs the macro code. Thus, the security of ODF documents often depends on the correct signature verification. In this paper, we conduct the first comprehensive analysis of OpenDocument signatures and reveal numerous severe threats. We identified five new attacks and evaluated them against 16 office applications on Windows, macOS, Linux, iOS, Android, and two online services. Our investigation revealed 12 out of 18 applications to be vulnerable for macro code execution, although the application only executes macros signed by trusted entities. For 17 of 18 applications, we could spoof the content in a signed ODF document while keeping the signature valid and trusted. Finally, we showed that attackers possessing a signed ODF could alter and forge the signature creation time in 16 of 18 applications. Our research was acknowledged by Microsoft, Apache OpenOffice, and LibreOffice during the coordinated disclosure.
@inproceedings{rohlmannOopsCodeExecution2022, title = {Oops... {{Code Execution}} and {{Content Spoofing}}: {{The First Comprehensive Analysis}} of {{OpenDocument Signatures}}}, booktitle = {{{USENIX Security Symposium}}}, author = {Rohlmann, Simon and Mainka, Christian and Mladenov, Vladislav and Schwenk, Jörg}, date = {2022-08-10}, pages = {18}, publisher = {USENIX Association}, location = {Boston, MA, USA}, url = {https://www.usenix.org/conference/usenixsecurity22/presentation/rohlmann}, urldate = {2022-05-12}, addendum = {2nd place in the Applied Research Competition (CSAW)}, eventtitle = {{{USENIX}}}, langid = {english}, month = aug, }