Spring Boot Actuators
Spring Boot Actuators are a Spring Boot module to monitor and manage applications. Spring Boot applications can be deployed to multiple servers such as Apache Tomcat.
They are commonly exposed at the /actuator endpoint. Querying this endpoint returns a list of all available endpoints.
Most endpoints return censored (redacted) data:
- /actuator/mappings: can be used to find URIs
- /actuator/env: censored configuration data
- ...
The /actuator/sessions endpoint returns the existing sessions. We can use it to steal another user's session.
To-do
Stuff that I found, but never read/used yet.
- See also: JAR Reverse Engineering
- /beans.xml (Spring configuration metadata)
- cat BOOT-INF/classes/application.properties | grep datasource
- We can easily recognize Spring from the 404 page (Whitelabel error page or format)
- /actuators is for v2; in v1 they are at the root and not censored, while there is no database configuration