[web security] Spring boot heapdump obtains sensitive information

1. Overview

Microservices are currently a popular technology. Spring Boot is a rapid-configuration scaffolding for Spring that lets a single microservice be developed quickly. Because microservices are deployed in a distributed way, functional modules on different machines call each other, and a business flow is processed and delivered by several microservices in turn.

With many microservices, monitoring them becomes especially important. The Actuator component gives Spring Boot built-in functions for monitoring and managing the application: you can view detailed application configuration such as the auto-configuration report, the Spring beans that were created, the configuration of system environment variables, and details of web requests.

If Actuator is used improperly or carelessly, it can cause serious security risks such as information leakage. /heapdump is the most dangerous web interface of the Actuator component: if Actuator is misconfigured, an attacker can download the heapdump file without authentication and analyze it to obtain further sensitive information.

Actuator provides two kinds of functional modules:

1. Native endpoints

2. User-defined extension endpoints

The main native endpoints are:

HTTP method   Path               Description
GET           /dump              Returns all thread dumps of the current application. When memory usage is too high, it helps analyze thread usage and locate the problem.
GET           /heapdump          Returns a heap dump file.
GET           /env               Returns all environment properties.
GET           /env/{name}        Returns a specific environment property value by name.
GET           /autoconfig        Provides an auto-configuration report recording which auto-configuration conditions passed and which failed.
GET           /configprops       Describes how configuration properties (including default values) are injected into beans.
GET           /beans             Describes all beans in the application context and their relationships.
GET           /health            Reports the application's health indicators; the values are provided by implementations of HealthIndicator.
GET           /info              Returns custom application information, provided by properties starting with info.
GET           /mappings          Describes all URI paths and their mappings to controllers (including Actuator endpoints).
GET           /metrics           Reports various application metrics such as memory usage and HTTP request counts.
GET           /metrics/{name}    Reports the application metric with the given name.
POST          /shutdown          Shuts down the application; requires endpoints.shutdown.enabled to be set to true (default is false).
GET           /trace             Provides basic HTTP request tracing information (timestamps, HTTP headers, etc.).

Build a vulnerability reproduction environment, as shown in the following figure:

2. Improper configuration of Actuator


/heapdump is one of the most dangerous web interfaces of the Actuator component: with an improper Actuator configuration, an attacker can download the heapdump file without authentication and analyze it to obtain further sensitive information. Here /dump returns a snapshot of thread activity and /heapdump returns the heap dump file.

A heap dump file is a memory snapshot of a Java process at a certain point in time. The heap dump records the state of the JVM heap memory, including Java objects, classes, thread stacks, and local variables.

Accessing the /dump path returns a snapshot of thread activity; in the Spring Boot thread activity you can see an RMI listener.

Access the /dump path; the effect is as shown in the following figure:

Accessing the /heapdump path returns the heap dump file as a compressed archive. Opening the .hprof heap dump file in JVisualVM leaks the site's memory contents, such as the account and password of a back-end user.

Access the /heapdump path; the effect is as shown in the following figure:

3. Identify the version

The Spring Boot heapdump endpoint differs between versions:

Spring Boot 1.x: the default endpoint is /heapdump, and the downloaded heapdump file name contains a timestamp and the .hprof suffix.

Spring Boot 2.x: the default endpoint is /actuator/heapdump, and you need to add the .hprof suffix to the downloaded heapdump file yourself.

4. Tool selection

There are several tools for analyzing heap dump files:

JVisualVM: a tool bundled with the JDK for developers to monitor and troubleshoot.

Eclipse MAT: a heap dump analysis tool provided by Eclipse. If the Eclipse UI runs out of memory, the MAT script can be used to analyze very large heap dumps.

IBM Heap Analyzer: a tool from IBM for analyzing heap dump information; it lists the memory usage of the heap and helps analyze the cause of Java memory leaks.

5. OQL query language

Because the heap dump file contains a lot of information, it takes the right tools and some query skills to find exactly what we want.

OQL (Object Query Language) is a structured query language that treats classes as tables, objects as rows, and member variables as table columns. Through OQL you can quickly query the required information and speed up finding the attribute values you need.

Version difference

In a Spring Boot 1.x heapdump, the values of interest are stored as key-value pairs in java.util.Hashtable$Entry instances:

In a Spring Boot 2.x heapdump, the values of interest are stored as key-value pairs in java.util.LinkedHashMap$Entry instances:

Searching with the keyword password, the corresponding OQL query statements are:

Eclipse MAT query:

Spring Boot 1.x: select * from java.util.Hashtable$Entry s WHERE (toString(s.key).contains("password"))

Spring Boot 2.x: select * from java.util.LinkedHashMap$Entry s WHERE (toString(s.key).contains("password"))

6. Specific steps

This time the JDK's bundled tool JVisualVM is used to analyze the heap dump; it is located in the <JDK_HOME>/bin/ directory.

The JDK's bundled tools, as shown in the following figure:

Double-click to open the JVisualVM tool.

Its main interface, as shown below:

After loading the heapdump file in JVisualVM, you can see some sensitive information leaked in the System properties of the Summary tab.

Some sensitive information is leaked, as shown in the following figure:

Switch to the OQL Console tab, enter the following statement in the input box, and click Execute to run the query.

select s.value.toString() from java.util.Hashtable$Entry s where /password/.test(s.key.toString())

The query result, as shown in the following figure:

Switch to the Classes tab, enter java.util.Hashtable in the filter box below to narrow the search, and click the first result, java.util.Hashtable$Entry.

The query result, as shown in the following figure:

Switch between instances and observe; the plaintext of the back-end administrator password is found in instance 411.

The administrator password is in plain text, as shown in the following figure:

The MySQL database password is further seen in instance 409.

Check the MySQL database password; the effect is as shown in the following figure:

When searching for passwords, you can combine this with the website's /env or /actuator/env interface: attribute names whose values are masked with asterisks there can be used as OQL filter conditions.

Check the masked attribute values; the effect is as shown in the following figure:

Shiro key

If the target website uses the Shiro security framework, enter org.apache.shiro.web.mgt.CookieRememberMeManager in the filter rule and look for the decryptionCipherKey field to obtain the key, which is then used for rememberMe deserialization.

7. Prevention and control measures

During white-box code audits, Spring Boot projects should focus on detecting Actuator dependencies and reviewing the security dependencies and configuration. It is recommended to add this to code scanners as a vulnerability detection rule.

In network security risk self-checks, add sensitive paths such as /heapdump to the scanner dictionary.

When using Actuator, incorrect use or inadvertent negligence causes serious security risks such as information leakage. The safe approach is to introduce the security dependency, enable security restrictions and require authentication. At the same time, set a separate Actuator management port and configure it so that it is not open to the external network.

Introduce the security dependency, turn on security restrictions, or disable unneeded interfaces, e.g. endpoints.env.enabled=false.
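As an added example for the audit rule recommended above (this is not code from the original post or from Spring Boot), the following Python script reads a Spring Boot application.properties file and flags the Actuator settings that leave /heapdump and /env reachable without authentication or on the public application port. The property keys are the real Spring Boot 1.x and 2.x keys; the two sample configuration files are constructed for this example, one weak and one hardened.

```python
import re

# Constructed sample files: the weak 2.x configuration exposes every endpoint
# over HTTP on the application port; the hardened one exposes only health/info,
# disables heapdump/env and moves management to a loopback-only port.
WEAK_2X = """
server.port=8080
management.endpoints.web.exposure.include=*
"""

HARDENED_2X = """
server.port=8080
management.endpoints.web.exposure.include=health,info
management.endpoint.heapdump.enabled=false
management.endpoint.env.enabled=false
management.server.port=8081
management.server.address=127.0.0.1
"""

def parse_properties(text):
    """Minimal .properties parser: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit_actuator(props):
    """Return a list of findings for Actuator settings that expose heapdump/env."""
    findings = []
    # Spring Boot 2.x: endpoints are reachable over HTTP only if explicitly exposed
    exposed = {e.strip() for e in props.get("management.endpoints.web.exposure.include", "").split(",")}
    for ep in ("heapdump", "env"):
        if ("*" in exposed or ep in exposed) and props.get(f"management.endpoint.{ep}.enabled", "true") != "false":
            findings.append(f"2.x: /actuator/{ep} is exposed over HTTP")
    # Spring Boot 1.x: endpoints are exposed by default; these keys switch off their protection
    if props.get("management.security.enabled") == "false":
        findings.append("1.x: management.security.enabled=false, /heapdump and /env need no authentication")
    for ep in ("heapdump", "env"):
        if props.get(f"endpoints.{ep}.sensitive") == "false":
            findings.append(f"1.x: endpoints.{ep}.sensitive=false removes authentication from /{ep}")
    # Either version: management endpoints should sit on a separate, internal-only port
    if not (props.get("management.server.port") or props.get("management.port")):
        findings.append("management endpoints share the application port")
    if not (props.get("management.server.address") or props.get("management.address")):
        findings.append("management endpoints are not bound to a loopback/internal address")
    return findings

def audit_text(text):
    """Convenience wrapper: audit a .properties file given as a string."""
    return audit_actuator(parse_properties(text))
```

Running audit_text on the weak sample reports the exposed heapdump and env endpoints plus the shared port and interface; the hardened sample produces no findings.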


Origin blog.csdn.net/HBohan/article/details/123479976