
Information Disclosure: Springboot Actuator Heapdump

Identifier: springboot_actuator_heapdump

Scanner(s) Support

GraphQL Scanner
REST Scanner
WebApp Scanner

Description

This vulnerability occurs when the actuator endpoint that generates heap dumps is left reachable without proper authorization. A heap dump is a snapshot of the memory of a running application, so it can contain sensitive details such as passwords, class names, and configuration settings. An attacker who obtains it can learn secrets about the application's structure and behavior, which makes targeted attacks easier to craft. The issue usually stems from misconfiguration, or from neglecting to secure debug and management endpoints. Left unchecked, it exposes the application to significant risks, including data breaches and unauthorized manipulation of the system.
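The misconfiguration described above is usually a matter of which actuator endpoints are exposed over HTTP. The following Python snippet is an added example (not part of the scanner or of Spring Boot) that evaluates a parsed set of Spring Boot management properties against Spring Boot's documented exposure rules and reports whether the heapdump endpoint would be served, contrasting a weak configuration with a hardened one; it assumes the property names and defaults from Spring Boot 2.x and does not model Spring Security rules that may sit in front of the endpoint.

```python
from typing import Dict, Optional

# Constructed example: decide from parsed Spring Boot management properties
# whether the heapdump actuator endpoint would be served over HTTP.
# Rules modelled (Spring Boot 2.x): `exposure.include` lists exposed endpoint
# ids ("*" = all, default "health"); `exposure.exclude` overrides include; the
# endpoint must be enabled. Authentication in front of the endpoint (e.g. a
# Spring Security filter chain) is NOT modelled; this flags exposure only.

def _csv(value: Optional[str], default: str) -> set:
    raw = default if value is None else value
    return {item.strip() for item in raw.split(",") if item.strip()}

def _flag(value: Optional[str], default: bool) -> bool:
    return default if value is None else value.strip().lower() == "true"

def heapdump_exposure(props: Dict[str, str]) -> dict:
    """Return {'exposed': bool, 'path': str, 'reason': str} for `props`."""
    include = _csv(props.get("management.endpoints.web.exposure.include"), "health")
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude"), "")
    default_enabled = _flag(props.get("management.endpoints.enabled-by-default"), True)
    enabled = _flag(props.get("management.endpoint.heapdump.enabled"), default_enabled)
    base = props.get("management.endpoints.web.base-path", "/actuator").rstrip("/")
    mapping = props.get("management.endpoints.web.path-mapping.heapdump", "heapdump")
    path = f"{base}/{mapping.strip('/')}"

    if not enabled:
        return {"exposed": False, "path": path, "reason": "endpoint disabled"}
    if "heapdump" in exclude or "*" in exclude:
        return {"exposed": False, "path": path, "reason": "excluded from web exposure"}
    if "heapdump" in include or "*" in include:
        return {"exposed": True, "path": path,
                "reason": "listed in management.endpoints.web.exposure.include"}
    return {"exposed": False, "path": path, "reason": "not in web exposure include list"}

# Weak configuration (constructed): every actuator endpoint exposed over HTTP.
WEAK = {"management.endpoints.web.exposure.include": "*"}

# Hardened configuration (constructed): only health/info exposed, and heapdump
# both excluded from web exposure and disabled outright.
HARDENED = {
    "management.endpoints.web.exposure.include": "health,info",
    "management.endpoints.web.exposure.exclude": "heapdump",
    "management.endpoint.heapdump.enabled": "false",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, heapdump_exposure(cfg))
```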

Configuration

Example

Example configuration:

---
security_tests:
  springboot_actuator_heapdump:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.