1 | 1 | <!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd"> |
2 | 2 | <qhelp> |
3 | 3 | <overview> |
4 | | - <p>Spring Boot is a popular framework that facilitates the development of stand-alone applications |
5 | | -and micro services. Spring Boot Actuator helps to expose production-ready support features against |
6 | | -Spring Boot applications.</p> |
7 | | - |
8 | | - <p>Endpoints of Spring Boot Actuator allow to monitor and interact with a Spring Boot application. |
9 | | -Exposing unprotected actuator endpoints through configuration files can lead to information disclosure |
10 | | -or even remote code execution vulnerability.</p> |
11 | | - |
12 | | - <p>Rather than programmatically permitting endpoint requests or enforcing access control, frequently |
13 | | -developers simply leave management endpoints publicly accessible in the application configuration file |
14 | | -<code>application.properties</code> without enforcing access control through Spring Security.</p> |
| 4 | + <p>Spring Boot includes features called actuators that let you monitor and interact with your web |
| 5 | + application. Exposing unprotected actuator endpoints through configuration files can lead to |
| 6 | + information disclosure or even to remote code execution.</p> |
15 | 7 | </overview> |
16 | 8 |
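Review bot: the rewritten overview (new lines 4-6) says exposure happens "through configuration files" but no longer names the file, so a reader of the query help cannot tell what the query actually flags; the removed lines 12-14 at least named `application.properties`. Suggest keeping that, e.g. "Exposing unprotected actuator endpoints in `application.properties` can lead to ...", and since the example section says the properties differ between Spring Boot versions, a short clause to that effect here would help too. "Spring Boot includes features called actuators" is also imprecise: the actuator is the module, the things exposed are its endpoints; the old wording "Endpoints of Spring Boot Actuator" was closer.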
|
17 | 9 | <recommendation> |
18 | | - <p>Declare the Spring Boot Starter Security module in XML configuration or programmatically enforce |
19 | | -security checks on management endpoints using Spring Security. Otherwise accessing management endpoints |
20 | | -on a different HTTP port other than the port that the web application is listening on also helps to |
21 | | -improve the security.</p> |
| 10 | + <p>Since actuator endpoints may contain sensitive information, carefully consider when to expose them, |
| 11 | + and secure them as you would any sensitive URL. Use Spring Security, which secures actuators by default, |
| 12 | + by configuring <code>spring-boot-starter-security</code> in your application. Alternatively, you can |
| 13 | + define a custom security configuration which only allows users with certain roles to access the endpoints. |
| 14 | + </p> |
22 | 15 | </recommendation> |
23 | 16 |
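Review bot: the new recommendation drops the separate-management-port advice from removed lines 19-21 without replacement; serving management endpoints on a port other than the application port is a useful defense-in-depth measure even with Spring Security present, so consider keeping one sentence about it. Also, "Use Spring Security, which secures actuators by default, by configuring `spring-boot-starter-security`" is hard to parse with the two "by" phrases; suggest "Add the `spring-boot-starter-security` dependency: with Spring Security on the classpath, actuator endpoints are secured by default."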
|
24 | 17 | <example> |
25 | | - <p>The following examples show both 'BAD' and 'GOOD' configurations. In the 'BAD' configuration, |
26 | | -no security module is declared and sensitive management endpoints are exposed. In the 'GOOD' configuration, |
27 | | -security is enforced and only endpoints requiring exposure are exposed.</p> |
| 18 | + <p>The following examples show <code>application.properties</code> configurations that expose sensitive |
| 19 | + actuator endpoints in different Spring Boot versions.</p> |
| 20 | + <sample src="application_bad.properties" /> |
| 21 | + |
| 22 | + <p>The below configurations ensure that sensitive actuator endpoints are not exposed.</p> |
| 23 | + <sample src="application_good.properties" /> |
| 24 | + |
| 25 | + <p>To use Spring Security, which secures actuators by default, add the <code>spring-boot-starter-security</code> |
| 26 | + dependency in your Maven <code>pom.xml</code> file.</p> |
28 | 27 | <sample src="pom_good.xml" /> |
29 | | - <sample src="pom_bad.xml" /> |
30 | | - <sample src="application.properties" /> |
31 | 28 | </example> |
32 | 29 |
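Review bot: the lead-in at new lines 18-19 says the bad configurations cover "different Spring Boot versions", but nothing tells the reader which properties apply to which version; either name the versions in the prose or comment them inside `application_bad.properties` and `application_good.properties`. Minor wording: "The below configurations" should be "The configurations below", and the sentence at new lines 25-26 repeats the "secures actuators by default" phrase from the recommendation; "Adding `spring-boot-starter-security` to the Maven `pom.xml` secures the endpoints:" would do. Since `pom_bad.xml` and `application.properties` are no longer referenced by any `<sample>`, please confirm those files are deleted in this change as well.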
|
33 | 30 | <references> |
34 | 31 | <li> |
35 | | - Spring Boot documentation: |
36 | | - <a href="https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html">Spring Boot Actuator: Production-ready Features</a> |
37 | | - </li> |
38 | | - <li> |
39 | | - VERACODE Blog: |
40 | | - <a href="https://www.veracode.com/blog/research/exploiting-spring-boot-actuators">Exploiting Spring Boot Actuators</a> |
| 32 | + Spring Boot Reference Documentation: |
| 33 | + <a href="https://docs.spring.io/spring-boot/reference/actuator/endpoints.html">Endpoints</a>. |
41 | 34 | </li> |
42 | 35 | <li> |
43 | 36 | HackerOne Report: |
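Review bot: removing the Veracode "Exploiting Spring Boot Actuators" reference (old lines 39-40) leaves the "remote code execution" claim in the overview with no supporting reference; the Spring endpoints documentation describes the endpoints but not how an exposed one is exploited, so consider keeping the blog entry. Also the new entry ends with a period after `</a>` while the entries it replaced did not; check the HackerOne entry below uses the same punctuation so the list is consistent.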
|