Spring Boot Actuators ¶

Spring Boot Actuators are a Spring Boot module to monitor and manage applications. Sprint Boot applications can be deployed to multiple servers such as Apache Tomcat.

It's commonly exposed at the /actuator endpoint. Querying this endpoint will return a list all available endpoints.

Most endpoints are returning censored data.

• /actuator/mappings: can be used to find URI
• /actuator/env: censored configuration data
• ...

The /actuator/sessions is returning existing sessions. We can use it to steal another user session.

• See also: JAR Reverse Engineering
• /beans.xml (Spring configuration metadata)
• cat BOOT-INF/classes/application.properties | grep datasource
• We can easily recognize spring from the 404 page (Whitelabel error page or format)
• /actuators is for v2, in v1 they are at the root and not censored while there is no database configuration