Spring Boot Actuators
The Spring Boot Framework includes a number of features called actuators to help you monitor and manage your web application when you push it to production. Intended to be used for auditing, health, and metrics gathering, they can also open a hidden door to your server when misconfigured.
The following Actuator endpoints could potentially have security implications leading to possible vulnerabilities:
/dump - displays a dump of threads (including a stack trace)
/trace - displays the last several HTTP messages (which could include session identifiers)
/logfile - outputs the contents of the log file
/shutdown - shuts the application down
/mappings - shows all of the MVC controller mappings
/env - provides access to the configuration environment (exposed as /actuator/env in 2.x)
/restart - restarts the application
/heapdump - Builds and returns a heap dump from the JVM used by our application
For Spring Boot 1.x, the endpoints are registered under the root URL; in 2.x they moved to the "/actuator/" base path.
We may use the wordlist from SecLists to fuzz actuator URLs.
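As an added example that is not part of the original page, the following Python triage script flags access-log requests to the endpoints listed above under both the 1.x root layout and the 2.x /actuator/ base path, separates reads from state-changing calls, and treats a 2xx answer as a confirmed exposure. The log format and sample lines are constructed for this example.

```python
import re
from dataclasses import dataclass

# Endpoints this page lists as sensitive, by their Spring Boot 1.x and 2.x names.
# 1.x registers them under the web root, 2.x under the /actuator/ base path.
DISCLOSURE = {"dump", "threaddump", "trace", "httptrace", "logfile", "mappings",
              "env", "configprops", "heapdump", "jolokia", "sessions", "gateway/routes"}
STATE_CHANGE = {"env", "shutdown", "restart", "gateway/routes", "jolokia", "sessions"}
HIGH_VALUE = {"env", "heapdump", "trace", "httptrace", "logfile"}

# Common/combined access-log format; the sample lines at the bottom are constructed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)'
                    r'(?: HTTP/[\d.]+)?" (?P<status>\d{3})')

@dataclass
class Finding:
    ip: str
    method: str
    endpoint: str
    layout: str     # "2.x" when the request used /actuator/, otherwise "1.x" (root)
    served: bool    # True on a 2xx answer, i.e. the endpoint is actually exposed
    severity: str   # "high" for state changes or data-rich reads, else "medium"

def classify(line):
    """Return a Finding when the log line targets a sensitive actuator path, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0].rstrip("/").lower()
    if path.startswith("/actuator/"):
        layout, name = "2.x", path[len("/actuator/"):]
    else:
        layout, name = "1.x", path.lstrip("/")
    # Match the endpoint itself or a sub-resource: /env/<key>, /jolokia/list, /actuator/gateway/routes/<id>
    hit = next((e for e in DISCLOSURE | STATE_CHANGE
                if name == e or name.startswith(e + "/")), None)
    if hit is None:
        return None
    method, status = m.group("method"), int(m.group("status"))
    writes = method in ("POST", "PUT", "DELETE") and hit in STATE_CHANGE
    severity = "high" if writes or hit in HIGH_VALUE else "medium"
    return Finding(m.group("ip"), method, hit, layout, 200 <= status < 300, severity)

SAMPLE_LOG = [  # constructed sample lines
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /actuator/health HTTP/1.1" 200 15',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /actuator/heapdump HTTP/1.1" 200 48213',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "POST /env HTTP/1.1" 200 0',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "POST /actuator/gateway/routes/r1 HTTP/1.1" 404 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /jolokia/list HTTP/1.1" 403 0',
]
```

Run `[classify(l) for l in SAMPLE_LOG]` to get one Finding per sensitive request; a served=True entry for env, heapdump or gateway/routes is the case to escalate first.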
Spring Boot 2.x uses JSON instead of x-www-form-urlencoded for property change requests via the env endpoint.
If the Jolokia library is in the target application classpath, it is automatically exposed by Spring Boot under the /jolokia actuator endpoint. Jolokia allows HTTP access to all registered MBeans and is designed to perform the same operations you can perform with JMX. It is possible to list all available MBeans actions using the URL:
Routes can provide access to hidden or internal endpoints, which can be misconfigured or vulnerable. You can fetch all available routes via a GET request to /actuator/gateway/routes.
Displays HTTP trace information (by default, the last 100 HTTP request-response exchanges). It may disclose details about requests of internal applications as well as user cookies and JWT tokens. trace requires an HttpTraceRepository bean.
The env endpoint exposes properties from Spring's ConfigurableEnvironment. Exposure of this endpoint can lead to RCE or sensitive information leaks.
Information returned by the env and configprops endpoints can be somewhat sensitive, so keys matching a certain pattern are masked (replaced by *) by default. However, below you can find several ways to retrieve these values.
You can gain RCE by first setting up a website that responds with a malicious XStream payload using
logging.config can lead to RCE via Logback JNDI; check for the full process of hosting an LDAP/RMI rogue server. The exploit is similar.
spring.datasource.url is the database connection string, which is used only for the first connection. You can chain it with a JDBC vulnerability in MySQL to gain RCE. The vulnerability requires the following conditions:
Create a payload with
Use to host payload.ser
Host payload.jar with the code that will be executed; check and for how to prepare the payload.
Prepare Java code for execution; you can reuse the . Compile it in such a way that it is compatible with earlier JDK versions:
Set up an LDAP server; use to set up the server:
Modify the target address, RMI address, port and other information in the script according to the actual situation, and then run it on the server you control.
Prepare Java code for execution; you can reuse the . Compile it in such a way that it is compatible with earlier JDK versions:
Set up an RMI server; use to set up the server:
Then we can send the payload by editing the target address, RMI address, port and other information in the script according to the actual situation, and running it on the server you control.
The gateway actuator endpoint lets you monitor and interact with a Spring Cloud Gateway application. In other words, you can define routes for the application and use the gateway actuator to trigger requests according to these routes.
If it does not require administrative permissions, the next request will create a route to localhost:
Applications using Spring Cloud Gateway in versions prior to 3.1.0 and 3.0.6 are vulnerable to that leads to a attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote code execution on the remote host.
Prepare Java code for execution; you can reuse the . Compile it in such a way that it is compatible with earlier JDK versions:
Host the compiled JNDIObject.class at http://attacker-website.com/ and set up an LDAP service with :
mappings displays a collated list of all @RequestMapping paths.
sessions allows retrieval and deletion of user sessions from a Spring Session-backed session store. It requires a Servlet-based web application using Spring Session.
shutdown lets the application be gracefully shut down. It is disabled by default.
heapdump returns an hprof heap dump file that may contain sensitive data, such as env properties. To retrieve data from an hprof heap dump, use the tool; check .
logfile returns the contents of the log file (if the logging.file.name or logging.file.path property has been set). It supports the HTTP Range header to retrieve part of the log file's content.
Versions before 0.2.13 are vulnerable to a path traversal that allows you to retrieve arbitrary files.
threaddump performs a thread dump from the application's JVM.