Spring Boot Environment Actuator Exposed
Spring Boot Environment Actuator Exposed Misconfiguration.
Security Misconfiguration (SM)
How this template works
The API selection filters in this template specify the criteria for selecting the API to be tested. In this case, the filters include the response code range (gte: 200, lt: 300) and the extraction of the URL from the response to be used in the subsequent request.
The execute section defines the type of request to be executed and provides the necessary details for the request. In this template, a single request is executed, and the URL is modified using the extracted URL from the API selection filters. The modified URL is used to access the Actuator endpoint.
The validation section specifies the expected response code and payload for the executed request. In this template, the expected response code is 200, and the response payload should contain either "applicationConfig" or "activeProfiles". Additionally, the response payload should also contain either "server.port" or "local.server.port". These validations ensure that the Actuator endpoint is properly configured and sensitive environment information is not exposed.
Frequently asked questions
What is the purpose of the "Spring Boot Environment Actuator Exposed" test
What is the impact of exposing the Spring Boot Environment Actuator
What category and severity level does the "Spring Boot Environment Actuator Exposed" fall under
What are the tags associated with the "Spring Boot Environment Actuator Exposed" test
What are the references for further information on the "Spring Boot Environment Actuator Exposed" test
What are the validation criteria for the "Spring Boot Environment Actuator Exposed" test