forked from PortSwigger/BChecks
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Added springboot actuators detection checks
- Loading branch information
Showing
14 changed files
with
425 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| metadata: | ||
| language: v1-beta | ||
| name: "Springboot autoconfig actuator" | ||
| description: "Springboot autoconfig actuator may expose sensitive information" | ||
| author: "Mateusz Dabrowski (dbrwsky)" | ||
| tags: "actuator", "springboot", "exposure", "informative" | ||
|
|
||
| run for each: | ||
| potential_path = | ||
| "/autoconfig", | ||
| "/actuator/autoconfig" | ||
|
|
||
| given host then | ||
| send request called check: | ||
| method: "GET" | ||
| path: {potential_path} | ||
|
|
||
| if {check.response.status_code} is "200" then | ||
| if "\"positiveMatches\"" in {check.response.body} and "\"AuditAutoConfiguration#auditListener\"" in {check.response.body} | ||
| and "\"EndpointAutoConfiguration#beansEndpoint\"" in {check.response.body} then | ||
| if "application/json" in {check.response.headers} or "application/vnd.spring-boot.actuator" in {check.response.headers} | ||
| or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers} | ||
| or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers} then | ||
| report issue: | ||
| severity: low | ||
| confidence: certain | ||
| detail: `Springboot autoconfig actuator found at {potential_path}.` | ||
| remediation: "Ensure autoconfig is not exposed." | ||
| end if | ||
| end if | ||
| end if |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| metadata: | ||
| language: v1-beta | ||
| name: "Springboot beans actuator" | ||
| description: "Springboot beans actuator may expose sensitive information" | ||
| author: "Mateusz Dabrowski (dbrwsky)" | ||
| tags: "actuator", "springboot", "exposure", "informative" | ||
|
|
||
| run for each: | ||
| potential_path = | ||
| "/beans", | ||
| "/actuator/beans" | ||
|
|
||
| given host then | ||
| send request called check: | ||
| method: "GET" | ||
| path: {potential_path} | ||
|
|
||
| if {check.response.status_code} is "200" then | ||
| if "\"type\"" in {check.response.body} and "\"beans\"" in {check.response.body} | ||
| and "\"dependencies\"" in {check.response.body} and "\"scope\"" in {check.response.body} then | ||
| if "application/json" in {check.response.headers} or "application/vnd.spring-boot.actuator" in {check.response.headers} | ||
| or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers} | ||
| or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers} then | ||
| report issue: | ||
| severity: low | ||
| confidence: certain | ||
| detail: `Springboot beans actuator found at {potential_path}.` | ||
| remediation: "Ensure beans is not exposed." | ||
| end if | ||
| end if | ||
| end if |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| metadata: | ||
| language: v1-beta | ||
| name: "Springboot caches actuator" | ||
| description: "Springboot caches actuator exposed" | ||
| author: "Mateusz Dabrowski (dbrwsky)" | ||
| tags: "actuator", "springboot", "exposure", "informative" | ||
|
|
||
| run for each: | ||
| potential_path = | ||
| "/caches", | ||
| "/actuator/caches" | ||
|
|
||
| given host then | ||
| send request called check: | ||
| method: "GET" | ||
| path: {potential_path} | ||
|
|
||
| if {check.response.status_code} is "200" then | ||
| if "\"cacheManagers\"" in {check.response.body} then | ||
| if "application/json" in {check.response.headers} or "application/vnd.spring-boot.actuator" in {check.response.headers} | ||
| or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers} | ||
| or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers} then | ||
| report issue: | ||
| severity: low | ||
| confidence: certain | ||
| detail: `Springboot info caches found at {potential_path}.` | ||
| remediation: "Ensure info caches is not exposed." | ||
| end if | ||
| end if | ||
| end if |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| metadata: | ||
| language: v1-beta | ||
| name: "Springboot conditions actuator" | ||
| description: "Springboot conditions actuator exposed" | ||
| author: "Mateusz Dabrowski (dbrwsky)" | ||
| tags: "actuator", "springboot", "exposure", "informative" | ||
|
|
||
| run for each: | ||
| potential_path = | ||
| "/conditions", | ||
| "/actuator/conditions" | ||
|
|
||
| given host then | ||
| send request called check: | ||
| method: "GET" | ||
| path: {potential_path} | ||
|
|
||
| if {check.response.status_code} is "200" then | ||
| if "\"positiveMatches\"" in {check.response.body} and "\"unconditionalClasses\"" in {check.response.body} then | ||
| if "application/json" in {check.response.headers} or "application/vnd.spring-boot.actuator" in {check.response.headers} | ||
| or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers} | ||
| or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers} then | ||
| report issue: | ||
| severity: low | ||
| confidence: certain | ||
| detail: `Springboot conditions actuator found at {potential_path}.` | ||
| remediation: "Ensure conditions actuator is not exposed." | ||
| end if | ||
| end if | ||
| end if |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| metadata: | ||
| language: v1-beta | ||
| name: "Springboot configprops actuator" | ||
| description: "Springboot configprops actuator may expose sensitive information" | ||
| author: "Mateusz Dabrowski (dbrwsky)" | ||
| tags: "actuator", "springboot", "exposure", "informative" | ||
|
|
||
| run for each: | ||
| potential_path = | ||
| "/configprops", | ||
| "/actuator/configprops" | ||
|
|
||
| given host then | ||
| send request called check: | ||
| method: "GET" | ||
| path: {potential_path} | ||
|
|
||
| if {check.response.status_code} is "200" then | ||
| if "org.springframework.boot.actuate" in {check.response.body} and "\"beans\"" in {check.response.body} | ||
| and "\"contexts\"" in {check.response.body} then | ||
| if "application/json" in {check.response.headers} or "application/vnd.spring-boot.actuator" in {check.response.headers} | ||
| or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers} | ||
| or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers} then | ||
| report issue: | ||
| severity: low | ||
| confidence: certain | ||
| detail: `Springboot configprops actuator found at {potential_path}.` | ||
| remediation: "Ensure configprops is not exposed or doesn't contain sensitive information." | ||
| end if | ||
| end if | ||
| end if |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| metadata: | ||
| language: v1-beta | ||
| name: "Springboot env actuator" | ||
| description: "Springboot env actuator may expose sensitive information" | ||
| author: "Mateusz Dabrowski (dbrwsky)" | ||
| tags: "actuator", "springboot", "exposure", "informative" | ||
|
|
||
| run for each: | ||
| potential_path = | ||
| "/env", | ||
| "/actuator/env" | ||
|
|
||
| given host then | ||
| send request called check: | ||
| method: "GET" | ||
| path: {potential_path} | ||
|
|
||
| if {check.response.status_code} is "200" then | ||
| if "applicationConfig" in {check.response.body} or "activeProfiles" in {check.response.body} | ||
| and "server.port" in {check.response.body} then | ||
| if "application/json" in {check.response.headers} or "application/vnd.spring-boot.actuator" in {check.response.headers} | ||
| or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers} | ||
| or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers} then | ||
| report issue: | ||
| severity: low | ||
| confidence: certain | ||
| detail: `Springboot env actuator found at {potential_path}.` | ||
| remediation: "Ensure env actuator is not exposed or doesn't contain sensitive information." | ||
| end if | ||
| end if | ||
| end if |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| metadata: | ||
| language: v1-beta | ||
| name: "Springboot health actuator" | ||
| description: "Springboot health actuator exposed" | ||
| author: "Mateusz Dabrowski (dbrwsky)" | ||
| tags: "actuator", "springboot", "exposure", "informative" | ||
|
|
||
| run for each: | ||
| potential_path = | ||
| "/health", | ||
| "/actuator/health" | ||
|
|
||
| given host then | ||
| send request called check: | ||
| method: "GET" | ||
| path: {potential_path} | ||
|
|
||
| if {check.response.status_code} is "200" then | ||
| if "\"status\"" in {check.response.body} and "\"diskSpace\"" in {check.response.body} then | ||
| if "application/json" in {check.response.headers} or "application/vnd.spring-boot.actuator" in {check.response.headers} | ||
| or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers} | ||
| or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers} then | ||
| report issue: | ||
| severity: low | ||
| confidence: certain | ||
| detail: `Springboot health actuator found at {potential_path}.` | ||
| remediation: "Ensure health actuator is not exposed." | ||
| end if | ||
| end if | ||
| end if |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| metadata: | ||
| language: v1-beta | ||
| name: "Springboot info actuator" | ||
| description: "Springboot info actuator exposed" | ||
| author: "Mateusz Dabrowski (dbrwsky)" | ||
| tags: "actuator", "springboot", "exposure", "informative" | ||
|
|
||
| run for each: | ||
| potential_path = | ||
| "/info", | ||
| "/actuator/info" | ||
|
|
||
| given host then | ||
| send request called check: | ||
| method: "GET" | ||
| path: {potential_path} | ||
|
|
||
| if {check.response.status_code} is "200" then | ||
| if "\"name\"" in {check.response.body} and "\"version\"" in {check.response.body} then | ||
| if "application/json" in {check.response.headers} or "application/vnd.spring-boot.actuator" in {check.response.headers} | ||
| or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers} | ||
| or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers} then | ||
| report issue: | ||
| severity: low | ||
| confidence: certain | ||
| detail: `Springboot info actuator found at {potential_path}.` | ||
| remediation: "Ensure info actuator is not exposed." | ||
| end if | ||
| end if | ||
| end if |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| metadata: | ||
| language: v1-beta | ||
| name: "Springboot logfile actuator" | ||
| description: "Springboot logfile actuator exposed and may expose sensitive information" | ||
| author: "Mateusz Dabrowski (dbrwsky)" | ||
| tags: "actuator", "springboot", "exposure", "informative" | ||
|
|
||
| run for each: | ||
| potential_path = | ||
| "/logfile", | ||
| "/actuator/logfile" | ||
|
|
||
| given host then | ||
| send request called check: | ||
| method: "GET" | ||
| path: {potential_path} | ||
|
|
||
| if {check.response.status_code} is "200" then | ||
| if "[main]" in {check.response.body} and "INFO" in {check.response.body} then | ||
| if "text/plain" in {check.response.headers} then | ||
| report issue: | ||
| severity: low | ||
| confidence: certain | ||
| detail: `Springboot logfile actuator found at {potential_path}.` | ||
| remediation: "Ensure logfile actuator is not exposed and doesn't contain sensitive information." | ||
| end if | ||
| end if | ||
| end if |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| metadata: | ||
| language: v1-beta | ||
| name: "Springboot loggers actuator" | ||
| description: "Springboot loggers actuator exposed" | ||
| author: "Mateusz Dabrowski (dbrwsky)" | ||
| tags: "actuator", "springboot", "exposure", "informative" | ||
|
|
||
| run for each: | ||
| potential_path = | ||
| "/loggers", | ||
| "/actuator/loggers" | ||
|
|
||
| given host then | ||
| send request called check: | ||
| method: "GET" | ||
| path: {potential_path} | ||
|
|
||
| if {check.response.status_code} is "200" then | ||
| if "\"loggers\"" in {check.response.body} and "\"levels\"" in {check.response.body} then | ||
| if "application/json" in {check.response.headers} or "application/vnd.spring-boot.actuator" in {check.response.headers} | ||
| or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers} | ||
| or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers} then | ||
| report issue: | ||
| severity: low | ||
| confidence: certain | ||
| detail: `Springboot loggers actuator found at {potential_path}.` | ||
| remediation: "Ensure loggers actuator is not exposed." | ||
| end if | ||
| end if | ||
| end if |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| metadata: | ||
| language: v1-beta | ||
| name: "Springboot metrics actuator" | ||
| description: "Springboot metrics actuator may expose sensitive information" | ||
| author: "Mateusz Dabrowski (dbrwsky)" | ||
| tags: "actuator", "springboot", "exposure", "informative" | ||
|
|
||
| run for each: | ||
| potential_path = | ||
| "/actuator/metrics", | ||
| "/actuator/prometheus" | ||
|
|
||
| given host then | ||
| send request called check: | ||
| method: "GET" | ||
| path: {potential_path} | ||
|
|
||
| if {check.response.status_code} is "200" then | ||
| if "mem" in {check.response.body} and "mem.free" in {check.response.body} | ||
| and "processors" in {check.response.body} and "instance.uptime" in {check.response.body} then | ||
| if "text/plain" in {check.response.headers} then | ||
| report issue: | ||
| severity: low | ||
| confidence: certain | ||
| detail: `Springboot metrics actuator found at {potential_path}.` | ||
| remediation: "Ensure metrics is not exposed or doesn't contain sensitive information." | ||
| end if | ||
| end if | ||
| end if |
30 changes: 30 additions & 0 deletions
30
other/springboot/Springboot scheduledtasks actuator.bcheck
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| metadata: | ||
| language: v1-beta | ||
| name: "Springboot scheduledtasks actuator" | ||
| description: "Springboot scheduledtasks actuator may expose sensitive information" | ||
| author: "Mateusz Dabrowski (dbrwsky)" | ||
| tags: "actuator", "springboot", "exposure", "informative" | ||
|
|
||
| run for each: | ||
| potential_path = | ||
| "/scheduledtasks", | ||
| "/actuator/scheduledtasks" | ||
|
|
||
| given host then | ||
| send request called check: | ||
| method: "GET" | ||
| path: {potential_path} | ||
|
|
||
| if {check.response.status_code} is "200" then | ||
| if "\"cron\"" in {check.response.body} and "\"fixedDelay\"" in {check.response.body} then | ||
| if "application/json" in {check.response.headers} or "application/vnd.spring-boot.actuator" in {check.response.headers} | ||
| or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers} | ||
| or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers} then | ||
| report issue: | ||
| severity: low | ||
| confidence: certain | ||
| detail: `Springboot scheduledtasks actuator found at {potential_path}.` | ||
| remediation: "Ensure scheduledtasks actuator is not exposed" | ||
| end if | ||
| end if | ||
| end if |
Oops, something went wrong.