id: springboot-env info: name: Detect Springboot Env Actuator author: that_juan_,dwisiswant0,wdahlenb,philippedelteil severity: low description: Sensitive environment variables may not be masked tags: springboot,exposure requests: - method: GET path: - "{{BaseURL}}/env" - "{{BaseURL}}/actuator/env" stop-at-first-match: true matchers-condition: and matchers: - type: word part: body words: - "applicationConfig" - "activeProfiles" condition: or - type: word part: body words: - "server.port" - "local.server.port" condition: or - type: word part: header words: - "application/json" - "application/vnd.spring-boot.actuator" - "application/vnd.spring-boot.actuator.v1+json" - "application/vnd.spring-boot.actuator.v2+json" condition: or - type: status status: - 200