Exposed Spring Boot Actuator endpoints
Spring Boot Actuator provides built-in endpoints to monitor your application state. If these endpoints are left publicly accessible without authentication, they leak sensitive infrastructure details. The most critical actuator endpoints we target during audits include:
- /actuator/env: Exposes system environment variables, which often contain database passwords, JWT signing keys, and third-party API credentials.
- /actuator/heapdump: Triggers a full JVM heap dump. We download this file and extract active database connections, user session objects, and plain text credentials from memory.
- /actuator/mappings: Exposes all registered route mappings, revealing the structure of your internal API.
The Fix: Restrict actuator access to internal networks or require authentication in your Spring Security configuration:
// SECURE Spring Security configuration
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.authorizeHttpRequests(auth -> auth
.requestMatchers("/actuator/**").hasRole("ADMIN") // Require admin role
.anyRequest().authenticated()
);
return http.build();
} Auditing Spring Security antMatchers and requestMatchers
Spring Security filters incoming requests using a chain of matchers. A common configuration flaw is using overly permissive wildcard matching or mapping paths incorrectly, allowing attackers to bypass authentication filters:
// VULNERABLE configuration matching
http.authorizeHttpRequests(auth -> auth
.requestMatchers("/api/public/**").permitAll()
// Bypass: /api/private/../public/data may resolve past filter checks
.anyRequest().authenticated()
); The Fix: Always use explicit paths and avoid path traversal bypasses by enforcing strict routing rules and normalizing request paths before security filters are evaluated.
Spring Expression Language (SpEL) Injection
SpEL is used to evaluate expressions dynamically. If your application evaluates user-supplied input inside a SpEL parser (such as in custom validation annotations or template resolvers), attackers can inject malicious payloads to execute arbitrary system code:
// VULNERABLE SpEL evaluation
ExpressionParser parser = new SpelExpressionParser();
// Attacker sends system execution command inside parameter
Expression exp = parser.parseExpression(userInput);
String value = exp.getValue(context, String.class); The Fix: Avoid parsing dynamic SpEL expressions from user-controlled parameters. If evaluation is necessary, use a `SimpleEvaluationContext` to restrict expression features and block access to system classes.
Database access validation (JPA & Hibernate)
We audit JPA repositories and custom Hibernate queries for SQL injection. Using JPQL/HQL concatenations is just as dangerous as raw SQL string formatting. We verify that all custom queries utilize positional or named parameters (e.g., :username) to bind inputs securely.
Actuator env leak leading to database access
During an audit of a microfinance bank app, we accessed the unauthenticated endpoint /actuator/env. The environment output contained the plain text password for the production PostgreSQL database. We accessed the database via an adjacent port exposure and dumped the customer accounts table. Fix priority: critical. Remediated by requiring authenticated roles for all Actuator routes.
Running enterprise Java backends on Spring Boot? Secure your architecture.
Book a Spring Boot PentestFrequently asked questions
Why is Spring Boot Actuator a critical security risk?
Spring Boot Actuator exposes monitoring endpoints like `/actuator/env` and `/actuator/heapdump`. If left public, attackers can extract database credentials, API keys, and memory dumps containing active sessions.
How do you bypass Spring Security configurations during an audit?
We audit Spring Security configuration classes to identify bypasses, such as incorrect wildcard mapping (e.g., `antMatchers('/api/**').permitAll()`) or misconfigured request matchers.
What is SpEL injection in Spring Boot?
Spring Expression Language (SpEL) injection occurs when untrusted user input is evaluated dynamically inside a SpEL expression. This allows attackers to run arbitrary system commands (RCE).
Related reading
Blog: Flask API security · Django API security · API data leaks
Services: Penetration testing · Secure architecture review