Configuration: Springboot Actuator Shutdown Misconfiguration

Identifier: springboot_actuator_shutdown

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner

Description

Spring Boot Actuator includes management endpoints, one of which lets you shut the application down gracefully. The issue arises when this shutdown endpoint, or other sensitive ones that expose internal details, is unintentionally left accessible over the network in a production environment. When that happens, an attacker could trigger a shutdown, effectively causing a denial of service. It's a reminder that default configurations or misconfigured security rules can expose dangerous functionality, putting your application at risk of disruption or even further exploitation if other sensitive endpoints are similarly exposed.
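The following application.yml is an added example of the hardened Spring Boot Actuator settings that keep this check from firing; it is not part of this documentation page or of the scanner itself. It uses the standard Spring Boot 2.x/3.x management properties; the management port 9091 is an assumed value chosen for illustration, and the comments mark the risky values the misconfiguration would carry instead.

```yaml
# Added example, not from the original page: Actuator hardening for a
# production profile. Comments show the misconfiguration being avoided.
management:
  endpoint:
    shutdown:
      # Shutdown is disabled by default. Setting this to true while also
      # exposing it over the web is the condition this check reports.
      enabled: false
  endpoints:
    web:
      exposure:
        # Risky value: include: "*" publishes every actuator endpoint over HTTP.
        # Expose only what operations genuinely needs.
        include: "health,info"
        # exclude wins over include, so sensitive endpoints stay unreachable
        # even if someone later widens the include list.
        exclude: "shutdown,env,heapdump,threaddump"
  server:
    # Serve management endpoints on a separate port (9091 is an assumed value)
    # so the public ingress never forwards traffic to them.
    port: 9091
```

With these settings a request to the shutdown endpoint on the application port returns 404, and the remaining management endpoints are reachable only on the management port, which should be restricted to internal monitoring networks.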

Configuration

Example

Example configuration:

---
security_tests:
  springboot_actuator_shutdown:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.