
Information Disclosure: Springboot Actuator Disclosure of Environment

Identifier: springboot_actuator_env

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner

Description

The issue arises when a Spring Boot application exposes an actuator endpoint that reveals details about its environment and configuration. Anyone who can read that endpoint gains insight into the system, such as internal settings and credentials, which can be used to mount further attacks. Developers often neglect to restrict access to these endpoints, or to disable them in production, and that oversight can lead to information leaks that jeopardize the entire application.
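The exposure described above usually comes from a single management setting. The following application.yml is an added example, not part of this scanner documentation or of Spring Boot's own docs; it contrasts the setting that exposes the environment endpoint with a hardened configuration. The property names are Spring Boot's own; the port and address values are chosen for illustration, and the two YAML documents are separated with `---` so they can be read side by side.

```yaml
# Weak configuration (do not ship): every actuator endpoint, env included,
# is served over the application's HTTP port. With no Spring Security rules
# in front of it, the environment and its credentials are readable by anyone
# who can reach the application.
management:
  endpoints:
    web:
      exposure:
        include: "*"

---
# Hardened configuration: only the health endpoint is exposed over HTTP, the
# environment-revealing endpoints are explicitly excluded, the env endpoint is
# disabled outright, and whatever management endpoints remain are served on a
# separate management port bound to loopback (values chosen for illustration).
management:
  server:
    port: 9090
    address: 127.0.0.1
  endpoints:
    web:
      exposure:
        include: "health"
        exclude: "env,configprops,heapdump"
  endpoint:
    env:
      enabled: false
      # Spring Boot 3.x alternative if operators need env: keep it enabled but
      # mask all values for callers that are not authorized
      # (show-values: never | when-authorized | always).
      # show-values: when-authorized
```

`management.endpoints.web.exposure.include: "*"` is the setting this check most often detects in practice. Binding the management server to a separate port and address keeps actuator traffic off the public listener even if an exposure setting is later loosened, and the `exclude` list still wins over `include` when both name the same endpoint. Any endpoint that stays exposed should additionally sit behind the application's authentication rules, which is a Spring Security concern outside this configuration file.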

Configuration

Example

Example configuration:

---
security_tests:
  springboot_actuator_env:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference

assets_allowed

Type: List[AssetType]*

List of assets that this check will cover.

skip

Type: boolean

Skip the test if true.