
Information Disclosure: Springboot Actuator Heapdump

Identifier: springboot_actuator_heapdump

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner, ASM Scanner

Description

The Spring Boot Actuator heapdump endpoint (/actuator/heapdump on Spring Boot 2.x and later, /heapdump on 1.x) returns a full snapshot of the JVM heap as an HPROF file. When it is reachable without authentication, a single request lets an attacker download that snapshot and recover whatever was in memory at the time: database and API passwords, session tokens, resolved configuration properties, and the application's class and object structure, exposing both its secrets and its internal layout.

How we test: We attempt to access the Spring Boot Actuator heapdump endpoint and analyze the response to determine whether a memory dump can be generated and downloaded. The check reports a finding when the endpoint is reachable and returns a heap dump to an unauthenticated or insufficiently authorized client.
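The probe described above, written out as an added example (not the scanner's own code). It requests the 2.x path and the 1.x legacy path, reads only the first bytes of the body so a multi-hundred-megabyte dump is never downloaded in full, and decides on the HPROF magic rather than on the status code alone, because catch-all routes that answer 200 with an HTML page for every URL would otherwise be reported as exposed. The hostnames and responses in sample_fetch are constructed for the offline demo; the path list and the HPROF/gzip magic values are standard. Note that a successful request makes the target JVM generate a heap dump, which pauses the application, so this is not a free check to run against production.

```python
"""Probe for an exposed Spring Boot Actuator heapdump endpoint.

Added example; it is not the scanner's implementation. Paths and magic
values are standard; every URL and response in sample_fetch is constructed.
"""
import gzip
import urllib.error
import urllib.request
import zlib
from dataclasses import dataclass

# Spring Boot 2.x+ default base path first, then the 1.x legacy path.
CANDIDATE_PATHS = ("/actuator/heapdump", "/heapdump")
# An .hprof file opens with a NUL-terminated version string.
HPROF_MAGIC = (b"JAVA PROFILE 1.0.2\x00", b"JAVA PROFILE 1.0.1\x00")
GZIP_MAGIC = b"\x1f\x8b"          # Spring Boot 1.x served the dump gzip-compressed
PREFIX_LEN = 256                   # enough to classify; never pull the whole dump


@dataclass
class Probe:
    status: int
    content_type: str
    body_prefix: bytes


def looks_like_hprof(prefix: bytes) -> bool:
    """True if the body prefix is a raw or gzip-compressed HPROF header."""
    if prefix.startswith(GZIP_MAGIC):
        try:
            prefix = zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(prefix)
        except zlib.error:
            return False
    return prefix.startswith(HPROF_MAGIC)


def classify(p: Probe) -> str:
    """Verdict for one path: exposed / protected / absent / not_heapdump / unknown."""
    if p.status in (401, 403) or 300 <= p.status < 400:
        return "protected"      # auth challenge or redirect to a login page
    if p.status == 404:
        return "absent"
    if p.status != 200:
        return "unknown"
    if looks_like_hprof(p.body_prefix):
        return "exposed"
    return "not_heapdump"       # e.g. an SPA catch-all returning index.html for any path


def probe_target(base_url: str, fetch) -> dict:
    """Map each candidate path to its verdict; fetch(url) -> Probe is injectable for tests."""
    base = base_url.rstrip("/")
    return {path: classify(fetch(base + path)) for path in CANDIDATE_PATHS}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib surface the 3xx as an HTTPError instead of following it.
    def redirect_request(self, *args, **kwargs):
        return None


def http_fetch(url: str, timeout: float = 10.0) -> Probe:
    """Live fetch: reads only PREFIX_LEN bytes, then closes the connection."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "heapdump-probe"})
    try:
        with opener.open(req, timeout=timeout) as r:
            return Probe(r.status, r.headers.get("Content-Type", ""), r.read(PREFIX_LEN))
    except urllib.error.HTTPError as e:
        return Probe(e.code, e.headers.get("Content-Type", ""), b"")


def sample_fetch(url: str) -> Probe:
    """Constructed responses standing in for live targets (hostnames are not real)."""
    # magic, 4-byte identifier size (8), 8-byte timestamp, then some record bytes
    hprof = HPROF_MAGIC[0] + b"\x00\x00\x00\x08" + b"\x00" * 8 + b"\x01" * 32
    table = {
        "https://app.example/actuator/heapdump": Probe(200, "application/octet-stream", hprof),
        "https://app.example/heapdump": Probe(404, "application/json", b'{"status":404}'),
        "https://legacy.example/actuator/heapdump": Probe(404, "text/html", b"<html>"),
        "https://legacy.example/heapdump": Probe(200, "application/octet-stream",
                                                 gzip.compress(hprof)[:PREFIX_LEN]),
        "https://spa.example/actuator/heapdump": Probe(200, "text/html", b"<!doctype html>"),
        "https://spa.example/heapdump": Probe(200, "text/html", b"<!doctype html>"),
        "https://locked.example/actuator/heapdump": Probe(401, "application/json", b""),
        "https://locked.example/heapdump": Probe(302, "text/html", b""),
    }
    return table[url]


if __name__ == "__main__":
    for host in ("https://app.example", "https://legacy.example",
                 "https://spa.example", "https://locked.example"):
        print(host, probe_target(host, sample_fetch))
```

To run it against a real host, call probe_target("https://target", http_fetch); any path that comes back "exposed" is the finding this test reports.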

Configuration

Example

Example configuration:

---
security_tests:
  springboot_actuator_heapdump:
    skip: false

Reference

skip

Type : boolean

Skip the test if true.