Max Maass

@hacksilon

Building and breaking software before other people do :)

Hamburg, GermanyJoined August 2022

About

Security Expert at iteratec. I break your software before other people do, and then help you secure it afterwards :).

Available for

Nothing here yet.

Max Maass's blogs

Max' Musings on Securityblog.maass.xyz5 posts

Articles Threads Comments

Recently published

blog.maass.xyz

Please Stop Calling GenAI "Useless"

A common shorthand I am seeing in criticisms of Generative AI technologies is that GenAI / LLMs are “useless”. This shows up again and again, especially in hot takes on Mastodon, and sometimes from people whose professional work I deeply respect. Whi...

Mar 6, 202515 min read

blog.maass.xyz

Encryption Isn't Enough: Compromising a Payment Processor using Math

During a security engagement with my employer, iteratec, I found and reported a security issue that allowed me to completely compromise the internal customer service frontend of a payment processor, which would have let us steal customer information ...

Feb 26, 202517 min read

blog.maass.xyz

Spring Actuator Security, Part 3: Finding Exposed Actuators using Dynamic Testing with ffuf

This is part three of a series on the security implication of Spring Actuators. I recommend having read at least the first part to understand the context. In the previous article, we discussed how you can leverage static code analysis using semgrep ...

Dec 9, 20228 min read

blog.maass.xyz

Spring Actuator Security, Part 2: Finding Actuators using Static Code Analysis with semgrep

In the first part of this series, we have discussed the risks inherent in exposing the Actuator functionality of the Spring framework. If you haven't read that part yet, I recommend that you do so before reading this article. In this article, we wi...

Sep 14, 202213 min read

blog.maass.xyz

Spring Actuator Security, Part 1: Stealing Secrets Using Spring Actuators

Spring is a set of frameworks for developing Applications in Java. It is widely used, and so it is not unusual to encounter it during a security audit or penetration test. One of its features that I recently encountered during a whitebox audit is act...

Sep 12, 202210 min read

Max Maass

About

Available for

Max Maass's blogs

Recently published

Please Stop Calling GenAI "Useless"

Encryption Isn't Enough: Compromising a Payment Processor using Math

Spring Actuator Security, Part 3: Finding Exposed Actuators using Dynamic Testing with ffuf

Spring Actuator Security, Part 2: Finding Actuators using Static Code Analysis with semgrep

Spring Actuator Security, Part 1: Stealing Secrets Using Spring Actuators

Search Hashnode

Max Maass

About

Available for

Max Maass's blogs

Recently published

Please Stop Calling GenAI "Useless"

Encryption Isn't Enough: Compromising a Payment Processor using Math

Spring Actuator Security, Part 3: Finding Exposed Actuators using Dynamic Testing with ffuf

Spring Actuator Security, Part 2: Finding Actuators using Static Code Analysis with semgrep

Spring Actuator Security, Part 1: Stealing Secrets Using Spring Actuators