Marius Musch started his PhD in October 2017 and successfully defended in November 2022. His field of research is web application security with a focus on client-side attacks and large-scale studies. He left TU Braunschweig in March 2023.
m̶.̶m̶u̶s̶c̶h̶[̶a̶t̶]̶t̶u̶-̶b̶r̶a̶u̶n̶s̶c̶h̶w̶e̶i̶g̶.̶d̶e̶
Wemby’s Web: Hunting for Memory Corruption in WebAssembly
Oussama Draissi, Tobias Cloosters, David Klein, Michael Rodler, Marius Musch, Martin Johns, and Lucas Davi
34th ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA), 2025
Dancer in the Dark: Synthesizing and Evaluating Polyglots for Blind Cross-Site Scripting
Robin Kirchner, Jonas Möller, Marius Musch, David Klein, Konrad Rieck, and Martin Johns
Proc. of the 33th USENIX Security Symposium, 2024.
*Distinguished Paper Award Winner*
Advanced Attack and Vulnerability Scanning for the Modern Web
Marius Musch
PhD thesis, 2022
Accept All Exploits: Exploring the Security Impact of Cookie Banners
David Klein*, Marius Musch*, Thomas Barber, Moritz Kopmann, and Martin Johns
Proc. of the 37th Annual Computer Security Applications Conference (ACSAC), 2022
No Keys to the Kingdom Required: A Comprehensive Investigation of Missing Authentication Vulnerabilities in the Wild
Manuel Karl*, Marius Musch*, Guoli Ma, Martin Johns, and Sebastian Lekies
Proc. of the 22nd ACM Internet Measurement Conference (IMC), 2022
Server-Side Browsers: Exploring the Web’s Hidden Attack Surface
Marius Musch, Robin Kirchner, Max Boll, and Martin Johns
Proc. of the 17th ACM Asia Conference on Computer and Communications Security (ASIA CCS), 2022.
U Can’t Debug This: Detecting JavaScript Anti-Debugging Techniques in the Wild
Marius Musch and Martin Johns
Proc. of the 30th USENIX Security Symposium, 2021.
Who’s Hosting the Block Party? Studying Third-Party Blockage of CSP and SRI
Marius Steffens, Marius Musch, Martin Johns, and Ben Stock
Network and Distributed System Security Symposium (NDSS), 2021.
Thieves in the Browser: Web-based Cryptojacking in the Wild
Marius Musch, Christian Wressnegger, Martin Johns, and Konrad Rieck
Proc. of 14th Int. Conference on Availability, Reliability and Security (ARES), 2019.
*Best Paper Award Runner-up*
ScriptProtect: Mitigating Unsafe Third-Party JavaScript Practices
Marius Musch, Marius Steffens, Sebastian Roth, Ben Stock, and Martin Johns
Proc. of 14th ACM Asia Conference on Computer and Communications Security (ASIACCS), 2019.
New Kid on the Web: A Study on the Prevalence of WebAssembly in the Wild
Marius Musch, Christian Wressnegger, Martin Johns, and Konrad Rieck
Proc. of 16th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), 2019.
*Best Paper Award Runner-up*
Towards an Automatic Generation of Low-Interaction Web Application Honeypots
Marius Musch, Martin Härterich, and Martin Johns
Proc. of 13th Int. Conference on Availability, Reliability and Security (ARES), 2018.
Web-based Cryptojacking in the Wild
Marius Musch, Christian Wressnegger, Martin Johns, and Konrad Rieck
Technical report, arXiv:1808.09474, 2018.
* Denotes co-authorship with equal contribution
Server-Side Browsers: Exploring the Web’s Hidden Attack Surface [Slides]
RuhrSec, 12.05.2023, Bochum, Germany
Server-Side Browsers: Exploring the Web’s Hidden Attack Surface [Slides]
OWASP Global AppSec, 17.11.2022, San Francisco, USA
ScriptProtect: Mitigating Unsafe Third-Party JavaScript Practices [Video]
OWASP Global AppSec, 27.09.2019, Amsterdam, The Netherlands
The Now and the Future of Malicious WebAssembly [Video]
OWASP Global AppSec, 26.09.2019, Amsterdam, The Netherlands
Web-based Cryptojacking in the Wild [Video, Slides]
35C3, 29.12.2018, Leipzig, Germany
Chameleon: Automatic Generation of Low-Interaction Web Honeypots
German OWASP Day, 14.11.2017, Essen, Germany
| Year | Degree | Title |
|---|---|---|
| 2021 | Bachelor | On the Feasibility of In- and Out-of-Band JavaScript Anti-Debugging Detection and Prevention |
| 2021 | Bachelor | Capability Analysis of JavaScript Anti-Bot Implementations in the Wild |
| 2020 | Bachelor | Performant and Reliable Detection of JavaScript Libraries |
| 2020 | Bachelor | An Analysis of the State of Electron Security in the Wild |
| 2020 | Master | Detecting and Fingerprinting Server-Side Requests |
| 2020 | Bachelor | Towards Automatic Generation of Universal XSS Payloads |
| Year | Conference |
|---|---|
| 2021 | SecWeb |
| Year | Conference |
|---|---|
| 2022 | S&P, Euro S&P, CODASPY, ACSAC |
| 2021 | WWW, ACSAC, CODASPY, SAC, ARES |
| 2020 | WWW, Euro S&P, ACSAC, CODASPY, SAC, ARES |
| 2019 | ACSAC, CODASPY, SAC, ICWE |
| 2018 | Euro S&P, ACSAC, CODASPY, SAC |
| Year | Semester | Name |
|---|---|---|
| 2022 | Winter | Programming 1, Hacklab |
| 2022 | Summer | Web Security, Seminar |
| 2021 | Winter | Hacklab, Seminar |
| 2021 | Summer | Web Security, SEP, Seminar |
| 2020 | Winter | Programming 1, Seminar |
| 2020 | Summer | Seminar |
| 2019 | Winter | Seminar |
| 2018 | Summer | Programming 1, SEP, Seminar |