
Information Disclosure: Springboot Actuator Disclosure of Trace

Identifier: springboot_actuator_trace

Scanner(s) Support

- GraphQL Scanner
- REST Scanner
- WebApp Scanner

Description

Spring Boot Actuator exposes management endpoints over HTTP, and the trace endpoint (`/trace` in Spring Boot 1.x, `/actuator/httptrace` in 2.x, `/actuator/httpexchanges` in 3.x) returns the most recent HTTP exchanges handled by the application, including request and response headers. Those headers routinely carry session cookies, `Authorization` bearer tokens, API keys and internal hostnames, so an unauthenticated reader of the endpoint obtains live credentials as well as a map of the application's routes and upstreams; sibling endpoints such as `/env`, `/configprops` and `/beans` add configuration values and wiring details. In Spring Boot 1.x every actuator endpoint is enabled and, unless Spring Security is on the classpath, reachable without authentication. In 2.x and later only a small set (`health`, plus `info` in 2.x) is exposed over the web by default, and the trace endpoint is only active once an `HttpTraceRepository` (3.x: `HttpExchangeRepository`) bean is defined, so this finding usually means `management.endpoints.web.exposure.include` was widened for debugging and shipped to production without putting the actuator behind authentication. This check reports the trace endpoint when it answers with a readable trace payload.
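The check logic above, as an added example that is not part of this page or of the scanner's own code: it assumes the three candidate paths in `TRACE_PATHS`, the list of credential-bearing header names in `SENSITIVE_HEADERS`, the JSON shapes of the Spring Boot 1.x, 2.x and 3.x trace endpoints, and a hypothetical target base URL; the sample payloads at the bottom are constructed, not captured from any system.

```python
"""Detection helper for a Spring Boot Actuator trace disclosure check.

Added example, not code from this page or from the scanner. It assumes the
paths in TRACE_PATHS and the JSON shapes of Spring Boot 1.x /trace,
2.x /actuator/httptrace and 3.x /actuator/httpexchanges; the sample
responses at the bottom are constructed, not captured from a target.
"""
import json
from typing import Any, Optional

# Candidate paths: Spring Boot 1.x, 2.x and 3.x respectively.
TRACE_PATHS = ["/trace", "/actuator/httptrace", "/actuator/httpexchanges"]

# Header names that turn "verbose endpoint reachable" into "credentials leaked".
SENSITIVE_HEADERS = {
    "authorization", "proxy-authorization", "cookie", "set-cookie",
    "x-api-key", "x-auth-token", "x-csrf-token", "x-xsrf-token",
}


def probe_urls(base_url: str) -> list[str]:
    """URLs a scanner would request for a given target base URL."""
    base = base_url.rstrip("/")
    return [base + path for path in TRACE_PATHS]


def parse_exchanges(body: Any) -> Optional[list[dict]]:
    """Normalise a decoded trace payload into a list of exchanges.

    Returns None when the body matches none of the trace formats, so an
    unrelated 200 JSON response (for example /actuator/health) is not reported.
    """
    exchanges = []
    if isinstance(body, dict):
        key = next((k for k in ("traces", "exchanges") if isinstance(body.get(k), list)), None)
        if key is None:
            return None
        for entry in body[key]:                       # Spring Boot 2.x / 3.x shape
            req = entry.get("request") or {}
            resp = entry.get("response") or {}
            exchanges.append({
                "method": req.get("method", ""),
                "path": req.get("uri", ""),
                "request_headers": req.get("headers") or {},
                "response_headers": resp.get("headers") or {},
            })
        return exchanges
    if isinstance(body, list) and body and all(isinstance(e, dict) and "info" in e for e in body):
        for entry in body:                            # Spring Boot 1.x shape
            info = entry["info"]
            headers = info.get("headers") or {}
            exchanges.append({
                "method": info.get("method", ""),
                "path": info.get("path", ""),
                "request_headers": headers.get("request") or {},
                "response_headers": headers.get("response") or {},
            })
        return exchanges
    return None


def analyse_trace_response(status: int, content_type: str, body_text: str) -> dict:
    """Classify one HTTP response from a probed path.

    Returns {"disclosed": bool, "exchanges": int, "leaked": [(header, side, path), ...]}.
    """
    result = {"disclosed": False, "exchanges": 0, "leaked": []}
    if status != 200 or "json" not in content_type.lower():
        return result                                 # 401/403/404, HTML login pages, etc.
    try:
        body = json.loads(body_text)
    except json.JSONDecodeError:
        return result
    exchanges = parse_exchanges(body)
    if exchanges is None:
        return result
    result["disclosed"] = True                        # endpoint is readable, even if the buffer is empty
    result["exchanges"] = len(exchanges)
    for ex in exchanges:
        for side in ("request_headers", "response_headers"):
            for name in ex[side]:
                if name.lower() in SENSITIVE_HEADERS:
                    result["leaked"].append((name.lower(), side.split("_")[0], ex["path"]))
    return result


# Constructed sample payloads (shape only; all values are placeholders).
SAMPLE_HTTPTRACE_2X = json.dumps({"traces": [{
    "timestamp": "2024-01-01T00:00:00Z",
    "request": {"method": "GET", "uri": "http://app.internal:8080/api/orders",
                "headers": {"host": ["app.internal:8080"],
                            "authorization": ["Bearer example-token"],
                            "cookie": ["JSESSIONID=example-session"]}},
    "response": {"status": 200, "headers": {"content-type": ["application/json"]}},
    "timeTaken": 12}]})

SAMPLE_TRACE_1X = json.dumps([{
    "timestamp": 1700000000000,
    "info": {"method": "POST", "path": "/login",
             "headers": {"request": {"host": "app.internal",
                                     "content-type": "application/x-www-form-urlencoded"},
                         "response": {"status": "302",
                                      "Set-Cookie": "JSESSIONID=example-session; HttpOnly"}}}}])

if __name__ == "__main__":
    for url in probe_urls("https://app.example.test"):   # hypothetical target
        print("would probe", url)
    print(analyse_trace_response(200, "application/vnd.spring-boot.actuator.v3+json", SAMPLE_HTTPTRACE_2X))
    print(analyse_trace_response(200, "application/json", SAMPLE_TRACE_1X))
    print(analyse_trace_response(200, "application/json", '{"status":"UP"}'))
```

Treating an empty `traces`/`exchanges` list as a finding is deliberate: the endpoint being readable is the misconfiguration, and the buffer fills up as soon as traffic arrives. To remediate, keep `management.endpoints.web.exposure.include` at its default (or list only `health`) and require authentication on `/actuator/**`; on Spring Boot 1.x set `endpoints.trace.enabled=false` or leave `management.security.enabled=true` with Spring Security present.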

Configuration

Example

Example configuration:

---
security_tests:
  springboot_actuator_trace:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of asset types this check runs against; the check is only executed for assets whose type appears here.

skip

Type : boolean

Skip this check entirely when set to true (defaults to false, so the check runs).