
Information Disclosure: Springboot Actuator Disclosure of Thread Dump

Identifier: springboot_actuator_dump

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner

Description

Developers sometimes forget to secure the built-in management features that frameworks such as Spring Boot provide. One of them is the thread dump endpoint of Spring Boot Actuator (/actuator/threaddump in Spring Boot 2 and later, /dump in Spring Boot 1). If it is exposed over HTTP without authentication, an attacker can retrieve the state and full stack trace of every JVM thread: which classes and methods are executing, which locks are held, and where the application is blocked. That reveals internal package and class names, the third-party libraries in use and how they are called, and hints about bottlenecks or error paths, all of which help an attacker target weaknesses in the application. A common cause is configuration that is convenient in development being shipped to production: Spring Boot 2 and later expose only a minimal set of endpoints over HTTP by default (health, and in older 2.x versions info), so the thread dump usually appears because management.endpoints.web.exposure.include was widened to * without authentication in front of the actuator paths. In a live environment, exclude the thread dump endpoint from web exposure, or require an administrative role for the /actuator/** paths and, where possible, serve them on a separate management port.
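One way to check what the paragraph describes, as an added example that is not part of the scanner or of Spring Boot: the function below takes the status code, content type and body of a GET to the thread dump path and decides whether an unauthenticated thread dump came back, distinguishing a real dump from a 401/403, a 404, an HTML login page, or an unrelated JSON body such as a health response. The paths /actuator/threaddump (Spring Boot 2.x and later) and /dump (Spring Boot 1.x) are the framework's actual defaults; the sample responses, class names and base URL are constructed for the example.

```python
"""Decide whether a Spring Boot Actuator thread dump is reachable.

Added example for this check; not code from the scanner or from Spring Boot.
The sample responses below are constructed for illustration.
"""
import json
from dataclasses import dataclass
from typing import Tuple
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Spring Boot 2.x/3.x default path, then the legacy Spring Boot 1.x path.
THREADDUMP_PATHS = ("/actuator/threaddump", "/dump")


@dataclass(frozen=True)
class Verdict:
    exposed: bool
    reason: str
    thread_count: int = 0
    top_frames: Tuple[str, ...] = ()   # className.methodName of each thread's top frame


def classify_threaddump_response(status: int, content_type: str, body: bytes) -> Verdict:
    """Classify one HTTP response to GET <base>/actuator/threaddump."""
    if status in (401, 403):
        return Verdict(False, "endpoint requires authentication")
    if status == 404:
        return Verdict(False, "endpoint not exposed")
    if status != 200:
        return Verdict(False, f"unexpected status {status}")

    ctype = content_type.split(";")[0].strip().lower()
    text = body.decode("utf-8", errors="replace")

    # Since Spring Boot 2.2 the endpoint also answers Accept: text/plain with a
    # jstack-style dump; every thread block carries a java.lang.Thread.State line.
    if ctype == "text/plain" and "java.lang.Thread.State" in text:
        return Verdict(True, "plain-text thread dump returned",
                       text.count("java.lang.Thread.State"))

    # The JSON form is served as application/vnd.spring-boot.actuator.vN+json
    # (or application/json); anything else is usually a login page or HTML error.
    if "json" not in ctype:
        return Verdict(False, f"non-JSON body ({ctype or 'no content type'})")

    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return Verdict(False, "body is not valid JSON")

    threads = data.get("threads") if isinstance(data, dict) else None
    if not isinstance(threads, list) or not threads:
        return Verdict(False, "JSON body has no 'threads' array")

    # What an attacker actually learns: which code each thread is executing.
    frames = []
    for thread in threads:
        if not isinstance(thread, dict):
            continue
        stack = thread.get("stackTrace") or []
        if stack:
            top = stack[0]
            frames.append(f"{top.get('className')}.{top.get('methodName')}")
    return Verdict(True, "JSON thread dump returned", len(threads), tuple(frames))


def probe(base_url: str, timeout: float = 5.0) -> dict:
    """GET each known thread dump path and classify the answer (live network call)."""
    results = {}
    for path in THREADDUMP_PATHS:
        req = Request(base_url.rstrip("/") + path,
                      headers={"Accept": "application/json, text/plain"})
        try:
            with urlopen(req, timeout=timeout) as resp:
                results[path] = classify_threaddump_response(
                    resp.status, resp.headers.get("Content-Type", ""), resp.read())
        except HTTPError as err:
            results[path] = classify_threaddump_response(
                err.code, err.headers.get("Content-Type", ""), err.read())
    return results


# Constructed sample: the JSON shape Spring Boot emits for /actuator/threaddump.
SAMPLE_JSON_DUMP = json.dumps({
    "threads": [
        {"threadName": "http-nio-8080-exec-1", "threadId": 29, "threadState": "RUNNABLE",
         "stackTrace": [{"className": "com.example.billing.InvoiceService",
                         "methodName": "recalculate", "lineNumber": 88}]},
        {"threadName": "main", "threadId": 1, "threadState": "WAITING",
         "stackTrace": [{"className": "java.lang.Object", "methodName": "wait",
                         "lineNumber": -2}]},
    ]
}).encode()

# Constructed sample of the plain-text form (two thread blocks).
SAMPLE_TEXT_DUMP = (
    b'"http-nio-8080-exec-1" - Thread t@29\n   java.lang.Thread.State: RUNNABLE\n\n'
    b'"main" - Thread t@1\n   java.lang.Thread.State: WAITING\n'
)

if __name__ == "__main__":
    print(classify_threaddump_response(
        200, "application/vnd.spring-boot.actuator.v3+json", SAMPLE_JSON_DUMP))
    # Against a live host (hypothetical URL): print(probe("http://localhost:8080"))
```

The classifier is deliberately strict about the body: a 200 alone is not enough, because an application that redirects actuator paths to a login form or answers with an HTML error page also returns 200, and treating that as a finding would be a false positive. The top_frames field is what makes the report actionable, since it shows exactly the internal class and method names the paragraph warns about leaking.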

Configuration

Example

Example configuration:

---
security_tests:
  springboot_actuator_dump:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.