Merge pull request #7306 from j4vaovo/patch-39

Update springboot-heapdump.yaml
patch-1
Dhiyaneshwaran 2023-06-14 13:04:41 +05:30 committed by GitHub
commit c2b15f44d8
1 changed files with 35 additions and 26 deletions


@ -4,39 +4,48 @@ info:
name: Spring Boot Actuator - Heap Dump Detection name: Spring Boot Actuator - Heap Dump Detection
author: that_juan_,dwisiswant0,wdahlenb author: that_juan_,dwisiswant0,wdahlenb
severity: critical severity: critical
description: A Spring Boot Actuator heap dump was detected. A heap dump is a snapshot of JVM memory, which could expose environment variables and HTTP requests. description: |
A Spring Boot Actuator heap dump was detected. A heap dump is a snapshot of JVM memory, which could expose environment variables and HTTP requests.
reference: reference:
- https://github.com/pyn3rd/Spring-Boot-Vulnerability - https://github.com/pyn3rd/Spring-Boot-Vulnerability
tags: springboot,exposure
metadata: metadata:
max-request: 2 max-request: 3
tags: springboot,exposure
variables:
str: "{{rand_base(6)}}"
http: http:
- method: GET - raw:
path: - |
- "{{BaseURL}}/heapdump" GET /{{str}} HTTP/1.1
- "{{BaseURL}}/actuator/heapdump" Host: {{Hostname}}
- |
GET /heapdump HTTP/1.1
Host: {{Hostname}}
- |
GET /actuator/heapdump HTTP/1.1
Host: {{Hostname}}
stop-at-first-match: true
max-size: 2097152 # 2MB - Max Size to read from server response max-size: 2097152 # 2MB - Max Size to read from server response
matchers-condition: and matchers-condition: or
matchers: matchers:
- type: dsl
dsl:
- "!contains(hex_encode(body_1), '1f8b080000000000')"
- "contains(hex_encode(body_2), '1f8b080000000000')"
condition: and
- type: binary - type: dsl
part: body dsl:
binary: - "!contains(hex_encode(body_1), '1f8b080000000000')"
- "4a4156412050524f46494c45" # "JAVA PROFILE" - "contains(hex_encode(body_3), '1f8b080000000000')"
- "4850524f46" # "HPROF" condition: and
- "1f8b080000000000" # Gunzip magic byte
- type: dsl
dsl:
- "contains(hex_encode(body_2), '4a4156412050524f46494c45') || contains(hex_encode(body_2), '4850524f46')"
- "contains(hex_encode(body_3), '4a4156412050524f46494c45') || contains(hex_encode(body_3), '4850524f46')"
condition: or condition: or
- type: word
part: header
words:
- "gzip"
case-insensitive: true
negative: true
- type: status
status:
- 200
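Review bot: The third matcher (the `JAVA PROFILE`/`HPROF` dsl check on `body_2` and `body_3`) has no baseline comparison against `body_1`, unlike the two gzip matchers above it, and it uses `contains` over the hex of a body of up to 2 MB, so any page served at /heapdump or /actuator/heapdump that merely mentions "HPROF" (an error page, a docs page, a WAF response) is reported as a critical finding. An uncompressed HPROF dump carries the `JAVA PROFILE 1.0.x` header at offset 0, so a prefix check is tighter and cheaper: `- "starts_with(hex_encode(body_2), '4a4156412050524f46494c45') || starts_with(hex_encode(body_3), '4a4156412050524f46494c45')"`. Separately, the rewrite drops the old negative `Content-Encoding: gzip` header matcher; the `body_1` baseline handles servers that compress every response, but a server that compresses only its 200s (a plain 404 on the random path, a gzipped page on /heapdump) would still satisfy the `1f8b080000000000` check, so re-adding the header guard or confirming that the zero-mtime gzip prefix is specific enough seems worthwhile. Depending on the nuclei version this targets, multi-request DSL references such as `body_2`/`body_3` may also need `req-condition: true` on the request to be populated — worth confirming against the engine version the repo pins.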