Spring Boot endpoints exposing operational data. When unsecured, they can leak credentials or configuration, or enable code execution.
Spring Actuators are endpoints in Spring Boot applications that expose operational information. When improperly secured, they can leak sensitive data, allow configuration changes, or enable remote code execution.
/actuator/health # Application health status
/actuator/info # Application information
/actuator/env # Environment properties: OS environment, JVM system properties and application configuration (SENSITIVE!)
/actuator/configprops # Configuration properties
/actuator/mappings # URL mappings
/actuator/beans # All Spring beans
/actuator/heapdump # Full JVM heap snapshot (CRITICAL!)
/actuator/threaddump # Thread dump
/actuator/loggers # Logger configuration
/actuator/shutdown # Shutdown application (if enabled)
# /actuator/env can expose (newer Spring Boot releases mask property values by default; older releases masked only keys with sensitive-looking names such as password, secret, key or token, so values like the ones below could appear in clear):
{
"propertySources": [{
"properties": {
"spring.datasource.password": {"value": "db_password"},
"aws.secretKey": {"value": "AKIAIOSFODNN7..."}
}
}]
}
# /actuator/heapdump is a full snapshot of JVM memory and can contain:
# - Database credentials
# - Session tokens
# - API keys in memory
# application.properties — expose only the endpoints that are needed and disable the most sensitive ones outright
management.endpoints.web.exposure.include=health,info
management.endpoint.env.enabled=false
management.endpoint.heapdump.enabled=false
# Changing the base path only moves the endpoints off the default URL; it is not an access control
management.endpoints.web.base-path=/management
# Require authentication for every exposed endpoint through Spring Security (authorization rules covering the management base path)