id: springboot-metrics

info:
  name: Detect Springboot metrics Actuator
  author: pussycat0x
  severity: low
  description: Additional routes may be displayed
  metadata:
    max-request: 2
  tags: springboot,exposure,misconfig

http:
  - method: GET
    path:
      - "{{BaseURL}}/metrics"
      - "{{BaseURL}}/actuator/metrics"

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "mem"
          - "mem.free"
          - "processors"
          - "instance.uptime"
          - "systemload.average"
          - "nonheap.init"
          - "heap.committed"
        condition: and

      - type: status
        status:
          - 200

# digest: 4a0a00473045022100f94e7351f83a4173b61d985bc744fdde968feab546b073329efc49dedcf8e9d502207617ada3825d9d67cd34cad2616e5deeb223c49ec20171e3a51b67b0742a42c8:922c64590222798bb761d5b6d8e72950