Spring Boot Exploits

CVE-2024-38819

SSTI

Spring Boot Actuator

The /heapdump endpoint is designed to capture the current state of the Java heap, which makes it a valuable tool for diagnosing memory issues. However, if credentials such as passwords, tokens, cloud keys, or other secrets are loaded into the JVM's memory while the application runs, they can end up in the heap dump.

Up until version 1.5 (released in 2017), the /heapdump endpoint was publicly exposed and accessible without authentication by default.

curl 'http://localhost:8080/actuator/heapdump' -O 

Look for secrets:

# AWS Access and Secret Keys
strings heapdump | grep -B 2 -A 2 "AKIA"

# JWT Tokens
strings heapdump | grep -B 2 -A 2 "eyJ"

# Cookies and session tokens: print 10 lines of context around each Host: header, where request headers cluster
strings heapdump | grep -E "^Host:\s+\S+$" -C 10
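The greps above run on `strings` output, so anything that spans a NUL boundary or merely looks like base64 is either missed or reported as noise. As an added example (not code from the original page), the same checks as a Python scanner that works on the raw .hprof bytes, validates that an `eyJ` candidate actually decodes to a JWT header, and reports each finding with the secret itself redacted so the report can be shared with the team that owns the dump. The sample heap bytes, the pattern set and the use of AWS's documentation example key are constructed for this example.

```python
import base64
import json
import re
from collections import Counter
from pathlib import Path

# Bytes patterns so the scanner runs on the raw dump without a strings pass.
# \x00 is excluded from the "non-space" classes because heap strings are
# NUL-delimited and \S would otherwise run across string boundaries.
PATTERNS = {
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "jwt": re.compile(rb"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
    "host_header": re.compile(rb"Host:\s+[^\s\x00]+"),
    "auth_header": re.compile(rb"(?:Set-Cookie|Cookie|Authorization):\s+[^\r\n\x00]{8,}"),
}


def looks_like_jwt(token: bytes) -> bool:
    """True if the first segment base64url-decodes to a JSON object with an 'alg' key."""
    header = token.split(b".")[0]
    try:
        raw = base64.urlsafe_b64decode(header + b"=" * (-len(header) % 4))
        obj = json.loads(raw)
    except ValueError:  # bad base64, bad UTF-8 or not JSON
        return False
    return isinstance(obj, dict) and "alg" in obj


def redact(secret: bytes, keep: int = 4) -> str:
    """Keep a short prefix so a finding can be located without copying the secret."""
    text = secret.decode("latin-1")
    return f"{text[:keep]}...[{len(text)} chars]"


def scan_heap(data: bytes, context: int = 24) -> list:
    """Return findings sorted by offset; the matched secret is replaced by a marker in the context."""
    findings = []
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(data):
            if name == "jwt" and not looks_like_jwt(m.group(0)):
                continue  # base64-looking noise whose header is not a JWT header
            lo, hi = max(0, m.start() - context), min(len(data), m.end() + context)
            around = data[lo:m.start()] + b"<" + name.encode() + b">" + data[m.end():hi]
            findings.append({
                "type": name,
                "offset": m.start(),
                "redacted": redact(m.group(0)),
                "context": around.replace(b"\x00", b"|").decode("latin-1", "replace"),
            })
    return sorted(findings, key=lambda f: f["offset"])


def scan_file(path: str) -> list:
    return scan_heap(Path(path).read_bytes())


def summarize(findings: list) -> dict:
    return dict(Counter(f["type"] for f in findings))


def _b64url(obj: dict) -> bytes:
    return base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=")


# Constructed stand-in for a heap dump: NUL-separated strings of the kind a real
# dump contains. The access key is the AWS documentation example value, the JWT
# is built locally with a dummy signature, and the last "eyJ" blob is not a JWT.
SAMPLE_JWT = b".".join([_b64url({"alg": "HS256", "typ": "JWT"}),
                        _b64url({"sub": "svc-account", "role": "admin"}),
                        b"c2lnbmF0dXJlLWJ5dGVz"])
SAMPLE_HEAP = (
    b"JAVA PROFILE 1.0.2\x00"
    b"aws.accessKeyId\x00AKIAIOSFODNN7EXAMPLE\x00"
    b"Host: internal-api.corp.example\x00"
    b"Cookie: JSESSIONID=0123456789ABCDEF0123\x00"
    + SAMPLE_JWT + b"\x00"
    b"eyJ0xnotjson123.abcdefghijk.lmnopqrstuv\x00"
)

if __name__ == "__main__":
    import sys
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_HEAP
    results = scan_heap(data)
    for f in results:
        print(f"{f['offset']:#010x} {f['type']:<18} {f['redacted']}  {f['context']!r}")
    print(summarize(results))
```

Run it as `python scan_heap.py heapdump` against a dump you own; with no argument it runs on the constructed sample. The report is safe to paste into a ticket because the context window never contains the matched value, only a `<type>` marker where it sat.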

CVE-2022-22947 - RCE


SSRF

Access /gateway/routes or /actuator/gateway/routes

If the application responds with a 200 status code and contains fields like predicate or route_id in JSON format, it indicates that the endpoint is enabled and exposed to the internet.

Craft a malicious route that forwards requests to the AWS Instance Metadata Service (IMDS) accessible at http://169.254.169.254

Refresh to update the gateway's routing configuration

RCE

Send a POST request to /gateway/routes/new_route_name to create a new route. The arguments sent in the body of this request are vulnerable to code injection.

Refresh to activate the new route.
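Both the SSRF and the RCE paths of CVE-2022-22947 leave the same two-step trace in the access log: a POST that creates a route through the gateway actuator, then a refresh from the same client. As an added example (not code from the original page), a small detector that correlates those two steps per source address and raises a high-severity alert on the sequence, a medium one for a route creation alone, and a low one for reads or refreshes that deserve a look. The log lines, the route name, the `TRUSTED_NETS` list and the five-minute window are assumptions made for this example.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed access-log lines in Common Log Format; addresses, times and
# the route name are made up for the example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /actuator/gateway/routes HTTP/1.1" 200 812
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /actuator/gateway/routes/hacktest HTTP/1.1" 201 0
203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "POST /actuator/gateway/refresh HTTP/1.1" 200 0
203.0.113.7 - - [10/Oct/2023:13:55:50 +0000] "GET /actuator/gateway/routes/hacktest HTTP/1.1" 200 144
10.0.0.5 - - [10/Oct/2023:14:02:00 +0000] "GET /actuator/health HTTP/1.1" 200 15
10.0.0.9 - - [10/Oct/2023:14:05:12 +0000] "POST /actuator/gateway/refresh HTTP/1.1" 200 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Covers both /gateway/... and /actuator/gateway/... as named on this page.
GATEWAY_RE = re.compile(
    r"^(?:/actuator)?/gateway/(?P<action>routes|refresh)(?:/(?P<route>[^/?]+))?/?(?:\?.*)?$"
)
# Assumed management networks; anything else is treated as external.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def classify(event: dict):
    """Map a request to a gateway-actuator action, or None if it is unrelated."""
    g = GATEWAY_RE.match(event["path"])
    if g is None:
        return None
    if g["action"] == "refresh" and event["method"] == "POST":
        return ("refresh", None)
    if g["action"] == "routes" and event["method"] == "POST" and g["route"]:
        return ("route_create", g["route"])
    if g["action"] == "routes" and event["method"] in ("GET", "HEAD"):
        return ("routes_read", g["route"])
    return None


def detect(lines, window: timedelta = timedelta(minutes=5)) -> list:
    """Correlate a route creation with a following refresh from the same source."""
    alerts = []
    pending = {}  # ip -> [(ts, route)] creations not yet followed by a refresh
    for line in lines:
        event = parse_line(line)
        if event is None or event["status"] >= 400:
            continue  # unparsable or rejected requests changed nothing
        kind = classify(event)
        if kind is None:
            continue
        action, route = kind
        base = {"ip": event["ip"], "ts": event["ts"].isoformat(),
                "external": not is_trusted(event["ip"])}
        if action == "route_create":
            pending.setdefault(event["ip"], []).append((event["ts"], route))
            alerts.append({**base, "severity": "medium",
                           "reason": f"gateway route '{route}' created through actuator"})
        elif action == "refresh":
            recent = [r for t, r in pending.get(event["ip"], []) if event["ts"] - t <= window]
            if recent:
                alerts.append({**base, "severity": "high",
                               "reason": f"route(s) {recent} created and then activated by refresh"})
                pending[event["ip"]] = []
            else:
                alerts.append({**base, "severity": "low",
                               "reason": "gateway refresh without a preceding route creation"})
        elif action == "routes_read" and base["external"]:
            alerts.append({**base, "severity": "low",
                           "reason": "gateway route configuration read from an untrusted address"})
    return alerts


def run_sample() -> list:
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['severity']:<6} {a['ip']:<14} {a['ts']}  {a['reason']}")
```

The detector keys on the actuator paths rather than on request bodies, so it works on ordinary access logs where the injected filter arguments are never recorded; a 201 on the route POST followed by a 200 on refresh is the signal that a route actually went live.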

Env endpoint

The /actuator/env endpoint is designed to expose details about the application’s runtime environment. When queried, it returns a structured JSON response listing the configuration properties and environment variables the application uses.

Up until version 1.5, this endpoint was publicly exposed without authentication by default.

Other endpoints

Other actuator endpoints such as /metrics, /threaddump and /scheduledtasks can also expose sensitive data that is valuable to attackers. To safeguard your application, limit access to the actuator’s endpoints and ensure that endpoints are not unnecessarily exposed to the public without authentication.

The following example shows the http.client.requests metric exposing sensitive details, including an internal IP address, a potentially sensitive "session" endpoint, and request patterns.
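As an added example (not configuration from the original page), the actuator settings that close the exposures discussed above, with the weak configuration beside the hardened one. It assumes Spring Boot 2.x/3.x property names (`show-values` needs Boot 3.0 or later, and `management.endpoint.gateway.enabled` applies only when Spring Cloud Gateway is on the classpath); the port and bind address are placeholders for your own management network.

```properties
# --- application.properties (weak): the state many internal apps ship in ---
# Every endpoint is on the application port, heapdump/env/gateway are reachable,
# and env returns raw values.
management.endpoints.web.exposure.include=*
management.endpoint.env.show-values=always

# --- application.properties (hardened) ---
# 1. Expose only what monitoring needs; everything else stays off the wire.
management.endpoints.web.exposure.include=health,info
management.endpoints.web.exposure.exclude=heapdump,env,threaddump,scheduledtasks,gateway
# 2. Disable the dump and gateway endpoints outright, so a later change to the
#    exposure list cannot bring them back.
management.endpoint.heapdump.enabled=false
management.endpoint.threaddump.enabled=false
management.endpoint.gateway.enabled=false
# 3. Even for authorized operators, never return raw values from env/configprops.
management.endpoint.env.show-values=never
management.endpoint.configprops.show-values=never
# 4. Serve the actuator on a separate port bound to a management address
#    (placeholder values), so it is not reachable through the public listener.
management.server.port=8081
management.server.address=127.0.0.1
management.endpoint.health.show-details=when-authorized
```

These properties control what the actuator publishes; they do not add authentication. Whatever remains exposed should still sit behind Spring Security with an operator role required on the actuator paths, and the check that an endpoint is really unreachable is the same curl shown above for heapdump, run from outside the management network and expected to fail.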
