Spring Boot Vulnerability Checklist: Exploits, Detection Routes, and Mitigation Tips

This article presents a comprehensive GitHub collection of Spring Boot vulnerabilities, explains how to identify information‑leakage and remote‑code‑execution flaws via exposed Swagger and Actuator endpoints, and provides step‑by‑step verification commands for security testing.

Programmer DD

Spring Boot is one of the most popular Java application frameworks, but many hidden vulnerabilities can expose applications to serious security risks.

The article introduces a GitHub project that aggregates a large set of Spring Boot vulnerabilities for research and testing purposes, emphasizing that the material should be used responsibly and not for malicious attacks.

- Spring Boot Vulnerability Exploit Check List
  - Zero: Routing and Version
    - 0x01: Routing Knowledge
    - 0x02: Version Knowledge
      - Component version dependency relationships:
      - Spring Cloud and Spring Boot version dependencies:
      - Meaning of Spring Cloud minor version suffixes:
  - One: Information Leakage
    - 0x01: Route address and interface call detail leakage
    - 0x02: Misconfigured routes exposure
    - 0x03: Obtain plaintext password masked with asterisks (Method 1)
      - Preconditions:
      - Exploitation steps:
        - Step 1: Identify the target property name
        - Step 2: Use Jolokia to call the relevant MBean and retrieve plaintext
    - 0x04: Obtain plaintext password masked with asterisks (Method 2)
      - Preconditions:
      - Exploitation steps:
        - Step 1: Identify the target property name
        - Step 2: Use nc to listen for HTTP requests
        - Step 3: Set eureka.client.serviceUrl.defaultZone property
        - Step 4: Refresh configuration
        - Step 5: Decode the property value
    - 0x05: Obtain plaintext password masked with asterisks (Method 3)
      - Preconditions:
      - Exploitation steps:
        - Step 1: Identify the target property name
        - Step 2: Use nc to listen for HTTP requests
        - Step 3: Trigger an outbound HTTP request
        - Step 4: Refresh configuration
    - 0x06: Obtain plaintext password masked with asterisks (Method 4)
      - Preconditions:
      - Exploitation steps:
        - Step 1: Identify the target property name
        - Step 2: Download JVM heap information
        - Step 3: Use MAT to extract the plaintext password from the heap
  - Two: Remote Code Execution
    - 0x01: Whitelabel error page SpEL RCE
      - Preconditions:
      - Exploitation steps:
        - Step 1: Find a normal parameter location
        - Step 2: Execute a SpEL expression
      - Vulnerability principle, analysis, and environment details
    - 0x02: Spring Cloud SnakeYAML RCE
      - Preconditions:
      - Exploitation steps:
        - Step 1: Host yml and jar files
        - Step 2: Set spring.cloud.bootstrap.location property
        - Step 3: Refresh configuration
      - Vulnerability principle, analysis, and environment details
    - 0x03: Eureka XStream deserialization RCE
      - Preconditions:
      - Exploitation steps:
        - Step 1: Host a malicious XStream payload website
        - Step 2: Listen for reverse shell connections
        - Step 3: Set eureka.client.serviceUrl.defaultZone property
        - Step 4: Refresh configuration
      - Vulnerability principle, analysis, and environment details
    - 0x04: Jolokia Logback JNDI RCE
      - Preconditions:
      - Exploitation steps:
        - Step 1: Inspect existing MBeans
        - Step 2: Host an XML file
        - Step 3: Prepare Java code to execute
        - Step 4: Set up a malicious LDAP service
        - Step 5: Listen for reverse shell connections
        - Step 6: Load the malicious logging configuration from an external URL
      - Vulnerability principle, analysis, and environment details
    - 0x05: Jolokia Realm JNDI RCE
      - Preconditions:
      - Exploitation steps:
        - Step 1: Inspect existing MBeans
        - Step 2: Prepare Java code to execute
        - Step 3: Host a class file
        - Step 4: Set up a malicious RMI service
        - Step 5: Listen for reverse shell connections
        - Step 6: Send the malicious payload
      - Vulnerability principle, analysis, and environment details
    - 0x06: Restart H2 database query RCE
      - Preconditions:
      - Exploitation steps:
        - Step 1: Set spring.datasource.hikari.connection-test-query property
        - Step 2: Restart the application
      - Vulnerability principle, analysis, and environment details
    - 0x07: H2 database console JNDI RCE
      - Preconditions:
      - Exploitation steps:
        - Step 1: Access a route to obtain JSESSIONID
        - Step 2: Prepare Java code to execute
        - Step 3: Host a class file
        - Step 4: Set up a malicious LDAP service
        - Step 5: Listen for reverse shell connections
        - Step 6: Send a request to trigger JNDI injection
      - Vulnerability analysis and environment details
    - 0x08: MySQL JDBC deserialization RCE
      - Preconditions:
      - Exploitation steps:
        - Step 1: Review environment dependencies
        - Step 2: Deploy a malicious rogue MySQL server
        - Step 3: Set spring.datasource.url property
        - Step 4: Refresh configuration
        - Step 5: Trigger a database query
        - Step 6: Restore the normal JDBC URL
      - Vulnerability principle, analysis, and environment details
    - 0x09: Restart logging.config Logback JNDI RCE
      - Preconditions:
      - Exploitation steps:
        - Step 1: Host an XML file
        - Step 2: Host a malicious LDAP service and code
        - Step 3: Set logging.config property
        - Step 4: Restart the application
      - Vulnerability principle, analysis, and environment details
    - 0x0A: Restart logging.config Groovy RCE
      - Preconditions:
      - Exploitation steps:
        - Step 1: Host a Groovy file
        - Step 2: Set logging.config property
        - Step 3: Restart the application
      - Vulnerability principle and environment details
    - 0x0B: Restart spring.main.sources Groovy RCE
      - Preconditions:
      - Exploitation steps:
        - Step 1: Host a Groovy file
        - Step 2: Set spring.main.sources property
        - Step 3: Restart the application
      - Vulnerability principle and environment details
    - 0x0C: Restart spring.datasource.data H2 database RCE
      - Preconditions:
      - Exploitation steps:
        - Step 1: Host an SQL file
        - Step 2: Set spring.datasource.data property
        - Step 3: Restart the application
      - Vulnerability principle and environment details

Developers often overlook that leaking route addresses can create security risks, especially when configuration files are not updated after switching from development to production environments.

To verify the information‑leakage issue, you can directly request the following Swagger endpoints:

/v2/api-docs
/swagger-ui.html

Other Swagger‑related routes that might be exposed include:

/swagger
/api-docs
/api.html
/swagger-ui
/swagger/codes
/api/index.html
/api/v2/api-docs
/v2/swagger.json
/swagger-ui/html
/distv2/index.html
/swagger/index.html
/sw/swagger-ui.html
/api/swagger-ui.html
/static/swagger.json
/user/swagger-ui.html
/swagger-ui/index.html
/swagger-dubbo/api-docs
/template/swagger-ui.html
/swagger/static/index.html
/dubbo-provider/distv2/index.html
/spring-security-rest/api/swagger-ui.html
/spring-security-oauth-resource/swagger-ui.html

Additionally, some Spring Boot Actuator endpoints may reveal interface addresses, though they typically do not expose parameter details:

/mappings
/metrics
/beans
/configprops
/actuator/metrics
/actuator/mappings
/actuator/beans
/actuator/configprops
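
As an added defensive example (not code from the original article or from the GitHub project it summarizes), the script below probes the Swagger and Actuator paths listed above against a deployment you operate and reports which ones answer with HTTP 200, tagging JSON responses so a real api-docs or Actuator document can be told apart from a catch-all HTML page. The function names (`audit`, `http_fetch`, `fake_fetch_factory`) and the offline sample responses are constructed for this example; the paths themselves are the ones the article lists.

```python
"""Audit a Spring Boot deployment you operate for exposed Swagger and Actuator routes.

Added example, not from the original article or the referenced project.  Run with a
base URL as the only argument; without one it runs against constructed sample data.
"""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Paths taken from the article; legacy (Spring Boot 1.x) and /actuator-prefixed forms.
SWAGGER_PATHS = [
    "/v2/api-docs", "/swagger-ui.html", "/swagger", "/api-docs", "/api.html",
    "/swagger-ui", "/swagger/codes", "/api/index.html", "/api/v2/api-docs",
    "/v2/swagger.json", "/swagger-ui/html", "/distv2/index.html",
    "/swagger/index.html", "/sw/swagger-ui.html", "/api/swagger-ui.html",
    "/static/swagger.json", "/user/swagger-ui.html", "/swagger-ui/index.html",
    "/swagger-dubbo/api-docs", "/template/swagger-ui.html",
    "/swagger/static/index.html", "/dubbo-provider/distv2/index.html",
    "/spring-security-rest/api/swagger-ui.html",
    "/spring-security-oauth-resource/swagger-ui.html",
]
ACTUATOR_PATHS = [
    "/mappings", "/metrics", "/beans", "/configprops",
    "/actuator/metrics", "/actuator/mappings", "/actuator/beans", "/actuator/configprops",
]

# A fetcher returns (status_code, body) for a URL, or None when the host is unreachable.
Fetcher = Callable[[str], Optional[Tuple[int, str]]]


def http_fetch(url: str, timeout: float = 5.0) -> Optional[Tuple[int, str]]:
    """Standard-library fetcher: (status, first 4 KiB of body), or None if unreachable."""
    req = urllib.request.Request(url, headers={"User-Agent": "actuator-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:      # 401/403/404 etc. still carry a status
        return err.code, ""
    except (urllib.error.URLError, OSError):   # DNS failure, refused connection, timeout
        return None


def looks_like_json(body: str) -> bool:
    """Actuator and api-docs answers are JSON; a 200 with HTML is often a login/SPA page."""
    try:
        json.loads(body)
    except ValueError:
        return False
    return True


def audit(base_url: str, fetch: Fetcher = http_fetch) -> Dict[str, List[str]]:
    """Probe every listed path; a path counts as exposed when it returns 200."""
    base = base_url.rstrip("/")
    report: Dict[str, List[str]] = {"swagger": [], "actuator": [], "unreachable": []}
    for category, paths in (("swagger", SWAGGER_PATHS), ("actuator", ACTUATOR_PATHS)):
        for path in paths:
            result = fetch(base + path)
            if result is None:
                report["unreachable"].append(path)
                continue
            status, body = result
            if status == 200:
                report[category].append(path + (" (json)" if looks_like_json(body) else ""))
    return report


def fake_fetch_factory(responses: Dict[str, Tuple[int, str]]) -> Fetcher:
    """Offline fetcher built from a constructed table of path -> (status, body)."""
    def fetch(url: str) -> Optional[Tuple[int, str]]:
        return responses.get(urllib.parse.urlparse(url).path, (404, ""))
    return fetch


# Constructed sample: a misconfigured app exposing api-docs, Swagger UI and two Actuator routes.
SAMPLE_RESPONSES: Dict[str, Tuple[int, str]] = {
    "/v2/api-docs": (200, '{"swagger":"2.0","paths":{"/users":{}}}'),
    "/swagger-ui.html": (200, "<html>Swagger UI</html>"),
    "/actuator/beans": (200, '{"contexts":{}}'),
    "/actuator/mappings": (200, '{"contexts":{}}'),
    "/actuator/configprops": (401, ""),
}

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    fetcher = http_fetch if target else fake_fetch_factory(SAMPLE_RESPONSES)
    print(json.dumps(audit(target or "http://sample.invalid", fetcher), indent=2))
```

Run it against a staging or production host after deployment: an empty `swagger` and `actuator` list is the expected result for a hardened build, and any `(json)` entry is a concrete route or bean listing that reached the network edge.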

Exposing these endpoints is not a vulnerability in itself, but a secure-by-default configuration keeps such information hidden.
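The following script is an added example (not from the article or the project it summarizes) of what that secure-by-default check looks like on the configuration side: it reads a Spring Boot `application.properties` and flags the settings that keep the Swagger and Actuator routes above reachable. The property keys (`management.endpoints.web.exposure.include`, `management.endpoint.env.show-values`, `management.security.enabled`, `springdoc.api-docs.enabled`, `springdoc.swagger-ui.enabled`) are real Spring Boot and springdoc keys; the function names and the two sample files are constructed for this example.

```python
"""Flag application.properties settings that leave Swagger and Actuator routes reachable.

Added example, not from the original article or the referenced project.  Pass a
properties file path as the only argument; without one it audits a constructed sample.
"""
import sys
from typing import Dict, List, Set

# Actuator endpoints that leak routes/beans (per the article) or that its RCE
# chains depend on (env, refresh, restart, jolokia, heapdump).
SENSITIVE_ENDPOINTS: Set[str] = {
    "mappings", "beans", "configprops", "metrics",
    "env", "refresh", "restart", "jolokia", "heapdump",
}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties reader: 'key=value' or 'key: value', '#'/'!' comment lines.

    Backslash continuations and escapes are not handled (simplification for this example).
    """
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            continue
        sep = min(seps)  # the first separator ends the key; values may contain ':' or '='
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def _csv(value: str) -> Set[str]:
    return {item.strip() for item in value.split(",") if item.strip()}


def audit_properties(text: str) -> List[str]:
    """Return one finding per risky setting; an empty list means nothing was flagged."""
    props = parse_properties(text)
    findings: List[str] = []

    include = _csv(props.get("management.endpoints.web.exposure.include", ""))
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    if "*" in include:
        findings.append("management.endpoints.web.exposure.include=* exposes every Actuator endpoint over HTTP")
        exposed = SENSITIVE_ENDPOINTS - exclude
    else:
        exposed = (include & SENSITIVE_ENDPOINTS) - exclude
    if exposed:
        findings.append("sensitive Actuator endpoints reachable over HTTP: " + ", ".join(sorted(exposed)))

    if props.get("management.endpoint.env.show-values", "").lower() == "always":
        findings.append("management.endpoint.env.show-values=always unmasks values that Spring Boot 3 hides by default")

    if props.get("management.security.enabled", "").lower() == "false":
        findings.append("management.security.enabled=false removes authentication from Actuator (Spring Boot 1.x)")

    for key in ("springdoc.api-docs.enabled", "springdoc.swagger-ui.enabled"):
        if props.get(key, "").lower() != "false":
            findings.append(f"{key} is not set to false; Swagger routes stay reachable if springdoc is on the classpath")
    return findings


# Constructed sample: a development profile that was shipped to production unchanged.
WEAK_PROPERTIES = """\
# dev settings (constructed sample)
management.endpoints.web.exposure.include=*
management.endpoint.env.show-values=always
springdoc.api-docs.enabled=true
"""

# Constructed sample: the hardened counterpart.
HARDENED_PROPERTIES = """\
management.endpoints.web.exposure.include=health,info
management.endpoint.env.show-values=never
springdoc.api-docs.enabled=false
springdoc.swagger-ui.enabled=false
"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else WEAK_PROPERTIES
    for finding in audit_properties(text) or ["no risky settings found"]:
        print("-", finding)
```

The weak sample produces five findings and the hardened one produces none; wiring the check into CI catches the "development profile promoted to production" mistake the paragraph above describes before the routes are ever reachable.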

Attackers often scrutinize exposed interfaces to gain deeper insight into the target system and to check for unauthorized access, privilege escalation, and other business‑logic flaws.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by Programmer DD, a tinkering programmer and author of "Spring Cloud Microservices in Action".
