From c167a31784ac843467573380774aaff5ba36f0a2 Mon Sep 17 00:00:00 2001
From: dw1
Date: Thu, 2 Jul 2020 23:14:39 +0700
Subject: [PATCH] :wrench: Add path requests & matchers for Springboot Actuators

---
 .../springboot-detect.yaml | 76 ++++++++++++++-----
 1 file changed, 57 insertions(+), 19 deletions(-)

diff --git a/security-misconfiguration/springboot-detect.yaml b/security-misconfiguration/springboot-detect.yaml
index 80bbdcce12..06b35ea211 100644
--- a/security-misconfiguration/springboot-detect.yaml
+++ b/security-misconfiguration/springboot-detect.yaml
@@ -2,38 +2,74 @@ id: springboot-actuators
 
 info:
   name: Detect the exposure of Springboot Actuators
-  author: that_juan_
+  author: that_juan_ & dwisiswant0
   severity: medium
 
 requests:
   - method: GET
     path:
-      - "{{BaseURL}}/trace"
-      - "{{BaseURL}}/loggers"
-      - "{{BaseURL}}/autoconfig"
-      - "{{BaseURL}}/threaddump"
-      - "{{BaseURL}}/env"
-      - "{{BaseURL}}/management"
-      - "{{BaseURL}}/dump"
-      - "{{BaseURL}}/configprops"
-      - "{{BaseURL}}/mappings"
-      - "{{BaseURL}}/auditevents"
-      - "{{BaseURL}}/beans"
-      - "{{BaseURL}}/cloudfoundryapplication"
-      - "{{BaseURL}}//jolokia"
       - "{{BaseURL}}/actuator"
       - "{{BaseURL}}/actuator/auditevents"
+      - "{{BaseURL}}/actuator/auditLog"
       - "{{BaseURL}}/actuator/beans"
-      - "{{BaseURL}}/actuator/health"
+      - "{{BaseURL}}/actuator/caches"
       - "{{BaseURL}}/actuator/conditions"
       - "{{BaseURL}}/actuator/configprops"
-      - "{{BaseURL}}/actuator/env"
+      - "{{BaseURL}}/actuator/configurationMetadata"
       - "{{BaseURL}}/actuator/dump"
-      - "{{BaseURL}}/actuator/threaddump"
+      - "{{BaseURL}}/actuator/env"
+      - "{{BaseURL}}/actuator/events"
+      - "{{BaseURL}}/actuator/exportRegisteredServices"
+      - "{{BaseURL}}/actuator/features"
       - "{{BaseURL}}/actuator/flyway"
+      - "{{BaseURL}}/actuator/health"
+      - "{{BaseURL}}/actuator/healthcheck"
+      - "{{BaseURL}}/actuator/heapdump"
+      - "{{BaseURL}}/actuator/httptrace"
+      - "{{BaseURL}}/actuator/hystrix.stream"
+      - "{{BaseURL}}/actuator/info"
       - "{{BaseURL}}/actuator/integrationgraph"
-      - "{{BaseURL}}//actuator/management"
-      - "{{BaseURL}}//actuator/jolokia"
+      - "{{BaseURL}}/actuator/jolokia"
+      - "{{BaseURL}}/actuator/liquibase"
+      - "{{BaseURL}}/actuator/logfile"
+      - "{{BaseURL}}/actuator/loggers"
+      - "{{BaseURL}}/actuator/loggingConfig"
+      - "{{BaseURL}}/actuator/management"
+      - "{{BaseURL}}/actuator/mappings"
+      - "{{BaseURL}}/actuator/metrics"
+      - "{{BaseURL}}/actuator/refresh"
+      - "{{BaseURL}}/actuator/registeredServices"
+      - "{{BaseURL}}/actuator/releaseAttributes"
+      - "{{BaseURL}}/actuator/resolveAttributes"
+      - "{{BaseURL}}/actuator/scheduledtasks"
+      - "{{BaseURL}}/actuator/sessions"
+      - "{{BaseURL}}/actuator/shutdown"
+      - "{{BaseURL}}/actuator/springWebflow"
+      - "{{BaseURL}}/actuator/sso"
+      - "{{BaseURL}}/actuator/ssoSessions"
+      - "{{BaseURL}}/actuator/statistics"
+      - "{{BaseURL}}/actuator/status"
+      - "{{BaseURL}}/actuator/threaddump"
+      - "{{BaseURL}}/actuator/trace"
+      - "{{BaseURL}}/auditevents"
+      - "{{BaseURL}}/autoconfig"
+      - "{{BaseURL}}/beans"
+      - "{{BaseURL}}/cloudfoundryapplication"
+      - "{{BaseURL}}/configprops"
+      - "{{BaseURL}}/dump"
+      - "{{BaseURL}}/env"
+      - "{{BaseURL}}/health"
+      - "{{BaseURL}}/heapdump"
+      - "{{BaseURL}}/hystrix.stream"
+      - "{{BaseURL}}/info"
+      - "{{BaseURL}}/jolokia"
+      - "{{BaseURL}}/jolokia/list"
+      - "{{BaseURL}}/loggers"
+      - "{{BaseURL}}/management"
+      - "{{BaseURL}}/mappings"
+      - "{{BaseURL}}/metrics"
+      - "{{BaseURL}}/threaddump"
+      - "{{BaseURL}}/trace"
     matchers:
       - type: regex
         part: body
@@ -44,6 +80,8 @@ requests:
          - "system"
          - "database"
          - "cron"
+          - "reloadByURL"
+          - "JMXConfigurator"
         condition: or
       - type: status
         status: