search
githubEdit

Spring Boot Actuators

Spring Boot Actuators are endpoints that expose operational information about running Spring applications. When misconfigured (exposed without authentication), they can leak sensitive data and enable various attacks.

hashtag
Detection

hashtag
Whitelabel Error Page

When browsing to a non-existent endpoint, Spring Boot displays a generic error:

Whitelabel Error Page

This application has no explicit mapping for /error, so you are seeing this as a fallback.
Thu Jan 22 02:23:23 UTC 2026
There was an unexpected error (type=Not Found, status=404).

hashtag
Using Nuclei

nuclei -u http://target.htb/ -rl 75 -c 8 -as

# Output showing Spring Boot detection:
[spring-detect] [http] [info] http://target.htb/error
[springboot-actuator:available-endpoints] [http] [info] http://target.htb/actuator ["health-path","mappings","self","sessions","beans","env","env-toMatch","health"]
[springboot-beans] [http] [low] http://target.htb/actuator/beans
[springboot-env] [http] [low] http://target.htb/actuator/env
[springboot-mappings] [http] [low] http://target.htb/actuator/mappings

hashtag
Common Actuator Endpoints

Endpoint
Description
Risk

/actuator

Lists all available endpoints

Info

/actuator/env

Environment variables, may contain credentials

High

/actuator/sessions

Active sessions with session IDs

Critical

/actuator/beans

All Spring beans in the application

Medium

/actuator/mappings

All @RequestMapping paths

Medium

/actuator/health

Application health status

Low

/actuator/heapdump

JVM heap dump (may contain secrets)

Critical

/actuator/logfile

Application log file

Medium

/actuator/trace or /actuator/httptrace

HTTP request traces

High

/actuator/shutdown

Shuts down the application (POST)

Critical

hashtag
Enumeration

hashtag
List Available Endpoints

Example output:

hashtag
Check for Sensitive Endpoints

hashtag
Session Hijacking via /actuator/sessions

This is one of the most impactful findings. The sessions endpoint exposes active session IDs and usernames.

hashtag
Get Active Sessions

Example output:

hashtag
Hijack the Session

  1. Copy a valid session ID (e.g., DDC687C0B1996D7E8F289239EED8A7CA)

  2. Open browser DevTools > Application > Cookies

  3. Find the session cookie (often JSESSIONID for Spring Boot)

  4. Replace the value with the stolen session ID

  5. Refresh the page - you're now authenticated as that user!

Alternatively, use curl:

hashtag
Finding Hidden Endpoints via /actuator/mappings

The mappings endpoint reveals all application routes, including those not publicly linked.

Example findings:

This reveals a /executessh endpoint that accepts POST requests - potentially vulnerable to command injection!

hashtag
Extracting Credentials from /actuator/env

Environment variables may contain database passwords, API keys, etc.:

Look for properties like:

  • spring.datasource.password

  • spring.datasource.username

  • spring.datasource.url

  • Any property with "password", "secret", "key", "token"

Note: Sensitive values are often masked with ******, but can sometimes be recovered from heapdump.

hashtag
Heapdump Analysis

Download and analyze for credentials:

hashtag
Extracting Credentials from JAR Files

If you gain shell access to a Spring Boot server, check for embedded credentials:

Example application.properties:

hashtag
References

  • https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-web/spring-actuators.html

  • https://www.veracode.com/blog/research/exploiting-spring-boot-actuators

PreviousWebminNextjs2py

Last updated