Create springboot-detect

Detects exposed (unauthenticated) Spring Boot Actuator endpoints that can leak sensitive data, e.g. /env, /heapdump, /trace.
patch-1
JPMartinezz 2020-04-12 14:55:17 -07:00 committed by GitHub
parent eaa308ce63
commit 2e6b821d61
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 55 additions and 0 deletions


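--- /dev/null
+++ b/springboot-detect
@@ -0,0 +1,55 @@
+id: springboot-actuators
+info:
+name: Detect the exposure of Springboot Actuators
+author: that_juan_
+severity: medium
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/trace"
+- "{{BaseURL}}/loggers"
+- "{{BaseURL}}/autoconfig"
+- "{{BaseURL}}/heapdump"
+- "{{BaseURL}}/threaddump"
+- "{{BaseURL}}/env"
+- "{{BaseURL}}/management"
+- "{{BaseURL}}/dump"
+- "{{BaseURL}}/configprops"
+- "{{BaseURL}}/mappings"
+- "{{BaseURL}}/auditevents"
+- "{{BaseURL}}/beans"
+- "{{BaseURL}}/jolokia"
+- "{{BaseURL}}/cloudfoundryapplication"
+- "{{BaseURL}}/jolokia"
+- "{{BaseURL}}/hystrix.stream"
+- "{{BaseURL}}/actuator"
+- "{{BaseURL}}/actuator/auditevents"
+- "{{BaseURL}}/actuator/beans"
+- "{{BaseURL}}/actuator/conditions"
+- "{{BaseURL}}/actuator/configprops"
+- "{{BaseURL}}/actuator/env"
+- "{{BaseURL}}/actuator/heapdump"
+- "{{BaseURL}}/actuator/threaddump"
+- "{{BaseURL}}/actuator/jolokia"
+- "{{BaseURL}}/actuator/hystrix.stream"
+- "{{BaseURL}}/actuator/flyway"
+- "{{BaseURL}}/actuator/integrationgraph"
+- "{{BaseURL}}//actuator/management"
+matchers:
+- type: word
+words:
+- 'method'
+- 'spring'
+- ''
+condition: or
+- type: status
+status:
+- 200
+- type: word
+words:
+- 'application/json'
+- 'attachment'
+condition: or
+part: header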
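Review bot: The empty string in the body word list (`- ''`) matches every response, and because no `matchers-condition` is set the three matchers are OR-ed, so this template reports all 30 paths as findings on every host it is run against; the bare `status: 200` matcher alone would also fire on any catch-all page. Drop the empty word, make the matchers AND-ed, and require a 200 plus a JSON/attachment content-type header so a hit means an actuator actually answered, as sketched below. The path list also repeats `/jolokia` (second occurrence can go) and `{{BaseURL}}//actuator/management` has a doubled slash that should be `{{BaseURL}}/actuator/management`. Consider a `tags: springboot,actuator` entry under `info` so the template can be selected with the rest of the exposure checks.
```yaml
# … unchanged: id, info, requests/path list …
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        part: header
        condition: or
        words:
          - 'application/json'
          - 'attachment'
      - type: word
        condition: or
        words:
          - 'method'
          - 'spring'
```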