Exposed Spring Boot Actuator endpoints

Spring Boot Actuator provides built-in endpoints to monitor your application state. If these endpoints are left publicly accessible without authentication, they leak sensitive infrastructure details. The most critical actuator endpoints we target during audits include:

The Fix: Restrict actuator access to internal networks or require authentication in your Spring Security configuration:

// SECURE Spring Security configuration
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests(auth -> auth
        .requestMatchers("/actuator/**").hasRole("ADMIN") // Require admin role
        .anyRequest().authenticated()
    );
    return http.build();
}

Auditing Spring Security antMatchers and requestMatchers

Spring Security filters incoming requests using a chain of matchers. A common configuration flaw is using overly permissive wildcard matching or mapping paths incorrectly, allowing attackers to bypass authentication filters:

// VULNERABLE configuration matching
http.authorizeHttpRequests(auth -> auth
    .requestMatchers("/api/public/**").permitAll()
    // Bypass: /api/private/../public/data may resolve past filter checks
    .anyRequest().authenticated()
);

The Fix: Always use explicit paths and avoid path traversal bypasses by enforcing strict routing rules and normalizing request paths before security filters are evaluated.

Spring Expression Language (SpEL) Injection

SpEL is used to evaluate expressions dynamically. If your application evaluates user-supplied input inside a SpEL parser (such as in custom validation annotations or template resolvers), attackers can inject malicious payloads to execute arbitrary system code:

// VULNERABLE SpEL evaluation
ExpressionParser parser = new SpelExpressionParser();
// Attacker sends system execution command inside parameter
Expression exp = parser.parseExpression(userInput);
String value = exp.getValue(context, String.class);

The Fix: Avoid parsing dynamic SpEL expressions from user-controlled parameters. If evaluation is necessary, use a `SimpleEvaluationContext` to restrict expression features and block access to system classes.

Database access validation (JPA & Hibernate)

We audit JPA repositories and custom Hibernate queries for SQL injection. Using JPQL/HQL concatenations is just as dangerous as raw SQL string formatting. We verify that all custom queries utilize positional or named parameters (e.g., :username) to bind inputs securely.

Example finding

Actuator env leak leading to database access

During an audit of a microfinance bank app, we accessed the unauthenticated endpoint /actuator/env. The environment output contained the plain text password for the production PostgreSQL database. We accessed the database via an adjacent port exposure and dumped the customer accounts table. Fix priority: critical. Remediated by requiring authenticated roles for all Actuator routes.

Running enterprise Java backends on Spring Boot? Secure your architecture.

Book a Spring Boot Pentest

Frequently asked questions

Why is Spring Boot Actuator a critical security risk?

Spring Boot Actuator exposes monitoring endpoints like `/actuator/env` and `/actuator/heapdump`. If left public, attackers can extract database credentials, API keys, and memory dumps containing active sessions.

How do you bypass Spring Security configurations during an audit?

We audit Spring Security configuration classes to identify bypasses, such as incorrect wildcard mapping (e.g., `antMatchers('/api/**').permitAll()`) or misconfigured request matchers.

What is SpEL injection in Spring Boot?

Spring Expression Language (SpEL) injection occurs when untrusted user input is evaluated dynamically inside a SpEL expression. This allows attackers to run arbitrary system commands (RCE).

Related reading

Blog: Flask API security · Django API security · API data leaks

Services: Penetration testing · Secure architecture review