SPRING BOOT PENTESTING PART 1- FUNDAMENTALS

What Is SPRING BOOT and Why Is Everyone Talking about It !!!

Spring Boot is a popular Java-based framework used for building web applications. It is widely used because it provides a comprehensive infrastructure support to developers, allowing them to focus on writing business logic instead of configuring infrastructure. One of the main reasons why everyone is talking about Spring Boot is its simplicity. It eliminates the need for developers to write boilerplate code, as it comes with pre-configured settings and dependencies.

This makes it easy to create standalone, production-grade Spring-based applications with minimal effort. Another reason for the popularity of Spring Boot is its versatility. It supports a wide range of databases, including SQL and NoSQL, and provides a flexible configuration for various application types.

Finally, Spring Boot is open source and has a large, active community, which provides support and regular updates. This ensures that developers can easily find solutions to any problems they may encounter. In summary, Spring Boot is a powerful and versatile framework that simplifies the development of web applications. Its simplicity, versatility, and active community make it a popular choice among developers.

Java spring boot is a tool which helps in developing web applications and microservices a much lot easier with spring frame work because of it features:-

• Autoconfiguration
• It has the ability to create standalone configuration

This helps to set up a spring-based application with minimal configuration and setup. Let’s take example if we want to create a web application or rest API then we are going to need lot more dependencies and we have to also make compatible with the versions but with spring boot we can add any started project in POM.xml and it will automatically bring the dependencies and for database side it will autoconfigure it.

Also, Spring framework is so popular in itself as it offers a dependency injection feature that lets object define their own dependencies , so in short, we can add that it provides developers with all the tools and features that need to create applications. But still, it is capable but it requires some time and knowledge to configure the setup and deploy them to sort this upon spring boot helps with its feature of auto configuration. There are many benefits of using spring boot as compare to other java framework like:-

• It has a quick and safe environ meant configuration.
• It reduces the code length and simplifies the development process
• It comes with embedded HTTP servers like Tomcat and jetty to test web applications.
• Furthermore, it also allows easy connection with databases like PostgreSQL l, MySQL ,MongoDB and so on.

Spring boot some use cases:-

• With a spring-boot-starter dependency, you can use the spring-boot-starter utility to create a project, standalone project, or desktop-based project.
• With the Spring Boot Starter Web dependency, you can create Spring MVC Web applications or Spring MVC REST API applications. MVC-based applications use the Model-View-Controller design pattern, which makes them robust and easy to maintain.
• Spring Boot starter web flux, software developers can create reactive web applications. These applications are highly responsive to user actions, which results in a smooth user experience and better handling of complex scenarios

Common Terminologies to identify spring boot:-

The spring boot framework included so many features called actuators or we can call them actuators end points which will allows us to monitor spring and interact with spring application and there are many built-in endpoints and also, we can also add our own .The basic one available are:-

• /Autoconfig – Displays an auto-configuration report showing all auto-configuration candidates and the reason why they ‘were’ or ‘were not’ applied.
• /beans – Displays a complete list of all the Spring beans in your application.
• /configprops – Displays a collated list of all @ConfigurationProperties.
• /dump – Performs a thread dump.
• /env – Exposes properties from Spring’s ConfigurableEnvironment.
• /health – Shows application health information (a simple ‘status’ when accessed over an unauthenticated connection, or full message details when authenticated).
• /info – Displays arbitrary application info.
• /metrics – Shows ‘metrics’ information for the current application.
• /mappings – Displays a collated list of all @RequestMapping paths.
• /shutdown – Allows the application to be gracefully shutdown (not enabled by default).
• /trace – Displays trace information (by default the last few HTTP requests).

Further reading about Sping boot.

Difference in Spring and Spring Boot!!

• Spring is a popular Java-based framework used for building web applications. It provides a wide range of features and tools to help developers create robust and scalable applications. However, one of the drawbacks of using Spring is that it requires developers to write a lot of boilerplate code, such as configuration files and dependencies. This can be time-consuming and can make the development process more complex than necessary.
• Spring Boot, on the other hand, is a framework built on top of Spring that eliminates the need for developers to write boilerplate code. It provides pre-configured settings and dependencies, making it easy to create standalone, production-grade Spring-based applications with minimal effort. Spring Boot also supports a wide range of databases and provides a flexible configuration for various application types.
• In summary, while Spring provides a wide range of features and tools for building web applications, Spring Boot simplifies the development process by eliminating the need for developers to write boilerplate code. This makes it easier and faster for developers to create robust and scalable applications.

Spring Boot Annotations

Spring Boot provides various annotations that help developers to quickly and easily configure and use Spring-based applications. Some of the most commonly used Spring Boot annotations include:

• @SpringBootApplication: This annotation is used to indicate that a class is a Spring Boot application. It combines three other annotations: @Configuration, @EnableAutoConfiguration, and @ComponentScan.
• @RestController: This annotation is used to indicate that a class is a Spring MVC controller that handles RESTful requests.
• @RequestMapping: This annotation is used to map HTTP requests to specific methods in a controller class.
• @Autowired: This annotation is used to inject dependencies into a class.
• @Component: This annotation is used to indicate that a class is a Spring component that should be automatically detected and registered as a bean.
• @Service: This annotation is used to indicate that a class is a Spring service that should be automatically detected and registered as a bean.
• @Repository: This annotation is used to indicate that a class is a Spring repository that should be automatically detected and registered as a bean.
• @Configuration: This annotation is used to indicate that a class contains Spring configuration information.
• @EnableAutoConfiguration: This annotation is used to enable Spring Boot’s auto-configuration feature.
• @EnableWebMvc: This annotation is used to enable Spring MVC’s web features.

These annotations make it easy for developers to quickly configure and use Spring-based applications, reducing the amount of boilerplate code they need to write.

Let’s get brief into the actuators- For the spring boot version 1-1. 4 the actuators or several endpoints are accessible without any authentication, which led to many problems with security . Now starting with version 1.5 all endpoints apart from “/health’, ‘/info’ are considered sensitive but sometimes they are often enabled by application developers.

Now for all the 1x version they are registered under the root URL, but further in 2x they are moved to the “/actuator/” base path.

Some of the actuators support only GET requests and show sensitive configuration data, but a few of them might be interesting for people who are looking for shell commands. As it is a broader topic, we’re going to discuss it in the next Part.

If you enjoyed this blog post , share it with your friends and colleagues! In Next Blog we will discuss Actuators!!!!