The Spring Of Secrets
Exploring Spring Actuators: Features, Risks, and Best Practices
Spring Boot Actuator is a powerful library that provides production-ready monitoring and management features for your Spring Boot application. It exposes endpoints for health checks, metrics, environment properties, and more, enabling developers and operations teams to gain valuable insights into an application's performance and behavior. However, with great power comes great responsibility—misconfigured or improperly secured actuators can expose sensitive data, leaving your application vulnerable to security threats.
In this blog post, we'll delve into the key features of Spring Actuator, the dangers of exposing actuator endpoints, and best practices to mitigate risks while leveraging its capabilities.
What is Spring Boot Actuator?
Spring Boot Actuator provides out-of-the-box endpoints to monitor and manage your application. These endpoints can reveal critical information such as:
- Health (GET /actuator/health): Provides details about the application's health, including database connectivity and other dependencies.
- Metrics (GET /actuator/metrics): Exposes various performance metrics like JVM memory usage, HTTP request counts, and thread activity.
- Environment (GET /actuator/env): Lists environment properties and configuration values.
- Thread Dump (GET /actuator/threaddump): Shows the current thread state for debugging purposes.
- Mappings (GET /actuator/mappings): Displays all the URL mappings in the application.
The Dangers of Misconfigured Actuator Endpoints
Actuator endpoints, if left unsecured, can provide attackers with a goldmine of information, making it easier to exploit vulnerabilities. Here are some key risks:
- Sensitive Information Leakage: The /env endpoint can reveal sensitive properties like database credentials, API keys, and access tokens if not properly masked. Similarly, the /metrics endpoint could expose usage patterns or performance bottlenecks.
- Exploitation of Internal Details: The /mappings and /beans endpoints provide details about internal application structure, which attackers can use to craft targeted attacks.
- Denial of Service (DoS) Attacks: The /threaddump and /heapdump endpoints can be resource-intensive, potentially allowing attackers to overload your system by repeatedly requesting these endpoints.
- Potential for Arbitrary Execution: Endpoints like /loggers allow modifying logging levels at runtime. While this is useful for debugging, it can also be exploited to generate excessive logs or hide malicious activity.
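Seen from the defender's side, both the leakage and the resource-exhaustion risks above leave a trace in the web server's access log. The following is an added example (not code from the original post) that scans access-log lines in the common/combined format for the actuator endpoints listed above: it reports every successful read of a sensitive endpoint, flags a client that pulls a heavy endpoint such as /heapdump repeatedly, and flags a client that is refused on several sensitive endpoints in a row. The log lines are constructed samples, the threshold of three heap dumps is an arbitrary choice, and the handling of a context path before /actuator mirrors the {optional_path} placeholder used later in the post.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

# Common/combined access log format as written by nginx or Tomcat's AccessLogValve.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Endpoint ids the post flags as information-leaking or resource-intensive.
SENSITIVE = {"env", "heapdump", "threaddump", "beans", "mappings", "loggers"}
HEAVY = {"heapdump", "threaddump"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Extract client ip, timestamp, method, path and status; None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def actuator_endpoint(path: str) -> Optional[str]:
    """Return the endpoint id under /actuator/ in a request path, or None.

    Tolerates a context path in front (the post's {optional_path}) and a query string.
    """
    path = path.split("?", 1)[0]
    marker = "/actuator/"
    idx = path.find(marker)
    if idx == -1:
        return None
    return path[idx + len(marker):].split("/", 1)[0] or None


def detect(lines: List[str], heavy_threshold: int = 3) -> List[str]:
    """Summarise sensitive actuator activity into alert strings.

    - every successful (HTTP 200) read of a sensitive endpoint is reported once per client;
    - a heavy endpoint pulled `heavy_threshold` or more times by one client is flagged as
      possible resource exhaustion;
    - a client refused (401/403/404) on two or more sensitive endpoints is flagged as probing.
    """
    success: Counter = Counter()               # (ip, endpoint) -> successful reads
    denied: Dict[str, set] = defaultdict(set)  # ip -> sensitive endpoints it was refused
    for line in lines:
        rec = parse_line(line)
        endpoint = actuator_endpoint(rec["path"]) if rec else None
        if endpoint not in SENSITIVE:
            continue
        status = int(rec["status"])
        if status == 200:
            success[(rec["ip"], endpoint)] += 1
        elif status in (401, 403, 404):
            denied[rec["ip"]].add(endpoint)

    alerts: List[str] = []
    for (ip, endpoint), n in sorted(success.items()):
        alerts.append(f"{ip} read /actuator/{endpoint} {n}x (HTTP 200)")
        if endpoint in HEAVY and n >= heavy_threshold:
            alerts.append(f"{ip} pulled /actuator/{endpoint} {n} times: possible resource exhaustion")
    for ip, endpoints in sorted(denied.items()):
        if len(endpoints) >= 2:
            alerts.append(f"{ip} probed {len(endpoints)} denied endpoints: {', '.join(sorted(endpoints))}")
    return alerts


# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2024:13:55:36 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "kube-probe/1.29"
203.0.113.7 - - [10/Oct/2024:13:55:40 +0000] "GET /actuator/env HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2024:13:55:41 +0000] "GET /actuator/heapdump HTTP/1.1" 200 94371840 "-" "Wget/1.21"
203.0.113.7 - - [10/Oct/2024:13:55:58 +0000] "GET /actuator/heapdump HTTP/1.1" 200 94371840 "-" "Wget/1.21"
203.0.113.7 - - [10/Oct/2024:13:56:15 +0000] "GET /actuator/heapdump HTTP/1.1" 200 94371840 "-" "Wget/1.21"
198.51.100.9 - - [10/Oct/2024:13:57:02 +0000] "GET /api/actuator/beans?x=1 HTTP/1.1" 401 0 "-" "curl/8.0"
198.51.100.9 - - [10/Oct/2024:13:57:03 +0000] "GET /api/actuator/mappings HTTP/1.1" 403 0 "-" "curl/8.0"
10.0.0.5 - - [10/Oct/2024:13:57:10 +0000] "GET /api/orders HTTP/1.1" 200 812 "-" "Mozilla/5.0"
this line is not an access log entry
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Reads of /actuator/health by the probe address produce no alert because health is not in the sensitive set, while the refused requests for /beans and /mappings from one address are reported even though nothing leaked, since a 401/403 pattern across several endpoints is the enumeration step that precedes a successful read.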
Best Practices for Securing Actuator Endpoints
- Enable Only Required Endpoints: By default, Spring Actuator enables multiple endpoints. Use the management.endpoints.enabled-by-default property to disable all endpoints and selectively enable only those you need. Note that once enabled-by-default is false, every endpoint you keep must be opted back in with its own management.endpoint.<id>.enabled property; listing it under web.exposure.include alone leaves it disabled.

```yaml
management:
  endpoints:
    enabled-by-default: false   # every endpoint starts disabled
    web:
      exposure:
        include: health,info    # only these two are published over HTTP
  endpoint:
    health:
      enabled: true             # opt the kept endpoints back in individually
    info:
      enabled: true
```
- Secure Access with Authentication and Authorization: Use Spring Security to restrict access to actuator endpoints. For example, require authentication and assign specific roles to access certain endpoints.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Spring Security 5.x style (Spring Boot 2.x). Spring Security 6 removed
// WebSecurityConfigurerAdapter; the same rules there go into a SecurityFilterChain bean.
@Configuration
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // health stays anonymous so load balancers and probes can reach it
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
                // every other actuator endpoint requires ROLE_ADMIN
                .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ADMIN")
                .and()
            .httpBasic();
    }
}
```
- Mask Sensitive Data: Use the management.endpoint.env.keys-to-sanitize property to mask sensitive keys in the /env endpoint. Masking only changes what /env returns; the plaintext values still live in process memory, so this does not replace keeping /heapdump out of reach.

```yaml
management:
  endpoint:
    env:
      keys-to-sanitize: password, secret, token, key
```
- Use Secure Protocols: Always serve actuator endpoints over HTTPS to prevent data interception in transit.
- Restrict Exposure in Production: Limit actuator endpoints' exposure to internal networks. Use firewalls or API gateways to block external access to sensitive endpoints.
- Monitor Endpoint Usage: Track who accesses actuator endpoints and from where. Implement logging and monitoring tools to detect suspicious activity.
- Keep Dependencies Updated: Ensure that you're using the latest version of Spring Boot Actuator and related dependencies to mitigate known vulnerabilities.
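The first three practices above are all plain Spring Boot properties, so a build or deployment pipeline can check them mechanically. The following added example (not part of the original post) audits an application.properties file, the flat-key equivalent of the YAML shown above, for those settings: enabled-by-default, web.exposure.include and exclude, the per-endpoint enabled flags, and keys-to-sanitize. It reports a sensitive endpoint only when it is both exposed and enabled, which is the reachable combination. The property names are the real Spring Boot 2.x keys; the sample configurations and the list of endpoints treated as sensitive (taken from the risks section) are constructed for the example.

```python
from typing import Dict, List, Set

# Endpoint ids the post singles out as high-risk when reachable from outside.
SENSITIVE_ENDPOINTS = ("env", "heapdump", "threaddump", "beans", "mappings", "loggers")


def parse_properties(text: str) -> Dict[str, str]:
    """Parse the flat `key=value` (or `key: value`) lines of a .properties file."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":          # blank line or comment
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        if sep:
            props[key.strip()] = value.strip()
    return props


def _csv(value: str) -> Set[str]:
    """Split a comma-separated property value the way Spring's converters do."""
    return {item.strip() for item in value.split(",") if item.strip()}


def is_enabled(props: Dict[str, str], endpoint: str) -> bool:
    """An endpoint is enabled by its own flag, else by enabled-by-default (true if unset)."""
    default = props.get("management.endpoints.enabled-by-default", "true").lower() == "true"
    own = props.get(f"management.endpoint.{endpoint}.enabled")
    return default if own is None else own.lower() == "true"


def is_exposed(props: Dict[str, str], endpoint: str) -> bool:
    """Exposed over HTTP if listed in (or covered by '*' in) include and not in exclude.

    With the property absent Spring Boot exposes only health (older 2.x releases
    also exposed info); exclude always wins over include.
    """
    include = _csv(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    return ("*" in include or endpoint in include) and endpoint not in exclude


def audit_actuator(props: Dict[str, str]) -> List[str]:
    """Return findings for the settings the post recommends; an empty list means clean."""
    findings: List[str] = []
    if props.get("management.endpoints.enabled-by-default", "true").lower() != "false":
        findings.append("enabled-by-default is not false: every endpoint starts enabled")
    if "*" in _csv(props.get("management.endpoints.web.exposure.include", "")):
        findings.append("wildcard exposure: management.endpoints.web.exposure.include=*")
    for endpoint in SENSITIVE_ENDPOINTS:
        # Exposure alone is harmless if the endpoint was never opted back in.
        if is_exposed(props, endpoint) and is_enabled(props, endpoint):
            findings.append(f"sensitive endpoint reachable over HTTP: /actuator/{endpoint}")
    if (is_exposed(props, "env") and is_enabled(props, "env")
            and "management.endpoint.env.keys-to-sanitize" not in props):
        findings.append("env reachable without explicit keys-to-sanitize: relying on the default mask list")
    return findings


def audit_text(text: str) -> List[str]:
    return audit_actuator(parse_properties(text))


# Constructed sample configurations (not from any real application).
WEAK_CONFIG = """
# everything enabled (the default) and everything published
management.endpoints.web.exposure.include=*
"""

HARDENED_CONFIG = """
management.endpoints.enabled-by-default=false
management.endpoints.web.exposure.include=health,info
management.endpoint.health.enabled=true
management.endpoint.info.enabled=true
management.endpoint.env.keys-to-sanitize=password,secret,token,key
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]")
        for finding in audit_text(cfg) or ["no findings"]:
            print("  -", finding)
```

The split between is_exposed and is_enabled is the point of the example: a file that sets enabled-by-default=false and then lists env under include produces no finding, because the endpoint is published but disabled, whereas adding management.endpoint.env.enabled=true makes it reachable and the audit reports it together with the missing keys-to-sanitize.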
Exploiting Spring Boot Actuator
- To exploit Spring Boot Actuator we need two sensitive endpoints: /actuator/env and /actuator/heapdump.
- Do as follows to download the required files:

```sh
wget http://{host}:{optional_port}/{optional_path}/actuator/env
wget http://{host}:{optional_port}/{optional_path}/actuator/heapdump
```

- Now pretty-print the env file so it is easy to read:

```sh
cat env | jq .
```

- Now search the heap dump for the values that were redacted in the env output:

```sh
strings heapdump | grep -i -n "mhhh"
# print the line number reported by grep -n (59 in the author's run)
strings heapdump | sed -n '59p'
```
Conclusion
Spring Boot Actuator is an indispensable tool for managing and monitoring Spring Boot applications. However, it must be used with caution. Proper configuration, secure access controls, and regular monitoring are essential to prevent exposing your application to unnecessary risks. By following the best practices outlined above, you can confidently leverage Spring Actuator's powerful features without compromising security.
Demo
Video Demo :: https://www.youtube.com/watch?v=y9GCfg6xLSs
- clone and cd into demo repo
- enumerate application (run dir or file fuzzing)
- request actuator path
- download / parse env file
- download and parse the heapdump
- get your env keys
Contacts
@github @twitter @LinkedIn @Intigriti @hackerone_old