SPRING BOOT PENTESTING PART 2- ACTUATORS
Actuators: why all the fuss about them? Here is the Spring Boot Actuators guide from the best in the business!
A Guide to Actuators from Start to Finish
Actuators are a powerful tool for monitoring and managing Spring Boot applications. They provide real-time data about the health and performance of your application, making it easy to identify and troubleshoot issues. In this guide, we will cover everything you need to know about Actuators, from what they are and how they work to how to configure and use them in your Spring Boot application.
What Are Actuators?
Actuators are a set of endpoints provided by Spring Boot that can be used to monitor and manage your application. They provide real-time data about the health and performance of your application, including metrics such as request processing time and memory usage. Actuators can be accessed through a web browser or command-line tools, making it easy to monitor and manage your application from anywhere.
How Do Actuators Work?
Actuators work by exposing endpoints that provide information about your application. These endpoints can be used to monitor the health and performance of your application, as well as to manage your application. For example, you can use Actuators to shut down your application gracefully or to view the current configuration of your application.
Configuring Actuators is straightforward. You can enable or disable endpoints as needed, and you can also create custom endpoints to provide additional information about your application. You can also integrate Actuators with other tools, such as monitoring and logging tools, to provide a more comprehensive view of your application’s performance.
Using Actuators in Your Application
To use Actuators in your Spring Boot application, you simply need to add the Actuator dependency to your project. Once you have done this, you can access the Actuator endpoints through a web browser or command-line tools. You can also customize the behavior of Actuators by configuring properties in your application.properties file.
Benefits of Using Actuators
Actuators provide a wide range of benefits to developers and organizations. They make it easy to monitor and manage your application, and they provide real-time data about the health and performance of your application. Actuators are also easy to configure and use, and they can be integrated with other tools to provide a more comprehensive view of your application’s performance.
Here are some of the key benefits of using Actuators in your Spring Boot application:
- Easily monitor application health: Actuators can provide information about the health of your application, including the status of the application and its dependencies.
- Efficient troubleshooting: With information from Actuators, developers can quickly identify and troubleshoot issues in their application.
- Performance monitoring: Actuators can provide information about the performance of your application, including metrics such as request processing time and memory usage.
- Efficient application management: Actuators can be used to manage your application efficiently, including shutting down the application gracefully.
- Easy to configure: Configuring Actuators is straightforward, and developers can easily enable or disable endpoints as needed.
- Flexible endpoints: Actuators come with a variety of endpoints that can be used to monitor and manage your application, including /health, /info, /metrics, and /beans.
- Custom endpoints: Developers can create custom endpoints to provide additional information about their application.
- Command-line access: Developers can access Actuators through command-line tools, making it easy to monitor and manage applications from the terminal.
- Web-based access: Actuators can be accessed through a web browser, providing an easy-to-use interface for monitoring and managing applications.
- Integration with other tools: Actuators can be integrated with other tools, such as monitoring and logging tools, to provide a more comprehensive view of application performance.
- Real-time data: Actuators provide real-time data about the health and performance of your application, allowing developers to quickly identify and respond to issues.
- Easy to deploy: Actuators can be deployed alongside your application with minimal configuration.
- Open source: Actuators are open source and part of the Spring Boot framework, making them accessible to developers and organizations of all sizes.
- Active community: The Spring Boot community is active and provides support for Actuators, ensuring that developers can easily find solutions to any issues they encounter.
- Cost-effective: Actuators are a cost-effective way to monitor and manage your Spring Boot application, reducing the need for expensive monitoring and management tools.
Let's get deep into Actuators, as these are the root cause of all the problems.
Spring Boot includes a number of additional features that help us monitor and manage an application. The Actuator is pulled in with this Maven dependency:
```xml
<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-actuator</artifactId>
    </dependency>
</dependencies>
```
Actuator features are exposed as so-called endpoints. A set of endpoints is built in, and we can also add our own.
Each individual endpoint can be enabled or disabled, and endpoints can be exposed over HTTP or JMX.
To make an endpoint available, we have to both enable it and expose it.
The following technology-agnostic Spring Boot Actuator endpoints are available:
| Endpoint | Description |
|---|---|
| /actuator | Lists all available endpoints and their status. |
| /health | Shows the health of the application, including its status and details of any health checks that have been performed. |
| /info | Shows general information about the application, such as its name, version, and description. |
| /metrics | Shows detailed metrics related to the application's performance, such as the number of requests processed, the amount of memory used, and the response time. |
| /sessions | Shows active user sessions in the application. |
| /mappings | Lists all the endpoints and their request mappings for the application. |
| /auditevents | Lists all the audit events that have been generated by the application. |
| /threaddump | Returns a thread dump of the application, including details about all running threads. |
| /httptrace | Shows detailed information about HTTP requests and responses processed by the application. |
| /scheduledtasks | Lists all scheduled tasks currently running in the application. |
| /env | Shows the application's environment, including environment variables and property values. |
| /beans | Lists all the beans currently in the application context. |
| /conditions | Shows the conditions that determine whether certain beans are created or not. |
| /configprops | Lists all the configuration properties currently configured in the application. |
These endpoints can be customized and configured according to the specific needs of the application.
If your application is a web application (Spring MVC, Spring Web Flux, or Jersey), you can use the following additional endpoints:
| Endpoint | Description |
|---|---|
| heapdump | Returns a heap dump file. On a HotSpot JVM, an HPROF-format file is returned. On an OpenJ9 JVM, a PHD-format file is returned. |
| logfile | Returns the contents of the logfile (if the logging.file.name or the logging.file.path property has been set). Supports the HTTP Range header to retrieve part of the log file's content. |
| prometheus | Exposes metrics in a format that can be scraped by a Prometheus server. Requires a dependency on micrometer-registry-prometheus. |
When we include spring-boot-starter-actuator, all endpoints except /shutdown are enabled by default.
Additionally, starting with Spring Boot 2.0, we need to include the web starter if we want our endpoints exposed via HTTP:
```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
    <version>2.5.1</version>
</dependency>
```
We have to understand that /health and /info are both enabled and exposed, while all other endpoints are enabled but not exposed.
Because it is sensitive, /shutdown is disabled by default, but it can be enabled in application.properties:
```properties
management.endpoint.shutdown.enabled=true
```
Once it is enabled and exposed, a request like the following shuts the application down:
```shell
curl -X POST http://<host-or-ip>:8080/actuator/shutdown
```
The application then shuts down.
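The enable/expose rules and the shutdown setting above are easy to get wrong in a properties file, so a reviewer wants a quick way to check them. The script below is an added example, not code from the original post or from the Spring Boot project: it parses an application.properties file and flags a wildcard exposure, exposure of the sensitive endpoints listed in the table above, an enabled shutdown endpoint, always-on health details, and an actuator that shares the application port. It assumes the .properties format (not YAML), takes the default HTTP exposure to be health and info as stated above, approximates Spring's relaxed binding by normalising keys, and uses constructed sample configurations and illustrative severity labels.

```python
"""Added example: audit actuator settings in a Spring Boot application.properties file.
Assumes the .properties format, the default exposure stated in the post (health, info),
and illustrative severities; the sample configurations below are constructed."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low" (constructed labels)
    key: str       # the property the finding is about
    message: str


def normalize_key(key: str) -> str:
    """Approximate relaxed binding: case-insensitive, dashes and underscores ignored."""
    return re.sub(r"[-_]", "", key).lower()


def parse_properties(text: str) -> dict:
    """Parse a Java-style .properties file into {normalized_key: value}."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank lines and comments
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[normalize_key(m.group(1))] = m.group(2).strip()
    return props


# Endpoints whose output or effect is sensitive (taken from the table above).
SENSITIVE = {
    "env": "environment and property values, which often include secrets",
    "heapdump": "a full JVM heap, which often contains credentials and session data",
    "configprops": "resolved configuration properties",
    "beans": "application context internals",
    "mappings": "every request mapping of the application",
    "threaddump": "a dump of all running threads",
    "httptrace": "recent requests and responses, headers included",
    "logfile": "the application log",
    "sessions": "active user sessions",
    "shutdown": "remote shutdown of the application",
}
DEFAULT_EXPOSED = {"health", "info"}  # exposed over HTTP when nothing is configured


def exposed_endpoints(props: dict) -> set:
    """Endpoint ids exposed over HTTP after applying include/exclude."""
    include = props.get("management.endpoints.web.exposure.include")
    exclude = props.get("management.endpoints.web.exposure.exclude", "")
    exposed = (set(DEFAULT_EXPOSED) if include is None
               else {e.strip() for e in include.split(",") if e.strip()})
    excluded = {e.strip() for e in exclude.split(",") if e.strip()}
    return set() if "*" in excluded else exposed - excluded


def audit(text: str) -> list:
    """Return the findings for one properties file, most severe first."""
    props = parse_properties(text)
    findings = []
    exposed = exposed_endpoints(props)
    if "*" in exposed:
        findings.append(Finding("high", "management.endpoints.web.exposure.include",
                                "every enabled endpoint is exposed over HTTP; list only the ones you need"))
    else:
        for ep in sorted(exposed & set(SENSITIVE)):
            findings.append(Finding("high", "management.endpoints.web.exposure.include",
                                    f"/{ep} is exposed over HTTP ({SENSITIVE[ep]})"))
    if props.get("management.endpoint.shutdown.enabled", "false").lower() == "true":
        findings.append(Finding("high", "management.endpoint.shutdown.enabled",
                                "POST /actuator/shutdown stops the application; leave it disabled"))
    if props.get("management.endpoint.health.showdetails", "never").lower() == "always":
        findings.append(Finding("medium", "management.endpoint.health.show-details",
                                "health details are shown to everyone; use when-authorized"))
    if props.get("management.server.port") in (None, props.get("server.port", "8080")):
        findings.append(Finding("low", "management.server.port",
                                "actuator shares the application port; a separate port keeps it off the public listener"))
    return findings


# Constructed sample configurations: the weak one beside its hardened counterpart.
WEAK_CONFIG = """
server.port=8080
management.endpoints.web.exposure.include=*
management.endpoint.shutdown.enabled=true
management.endpoint.health.show-details=always
"""
HARDENED_CONFIG = """
server.port=8080
management.server.port=8081
management.endpoints.web.exposure.include=health,prometheus
management.endpoint.shutdown.enabled=false
management.endpoint.health.show-details=when-authorized
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print(f"  [{f.severity}] {f.key}: {f.message}")
```

Run against the two constructed files, the weak configuration yields four findings and the hardened one none. The same audit can be dropped into a CI job so that a wildcard exposure or an enabled shutdown endpoint fails the build before it reaches a listener; YAML configuration would need a separate loader, which this example does not include.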
Note: the next blog relies heavily on Burp Suite, so if you are not familiar with it, there is a Burp Suite pentesting series.
Further reading: the detailed reference is linked here.
If you enjoyed this blog post, share it with your friends and colleagues! In the next blog we will discuss pentesting and vulnerable lab setup!