Spring Boot unauthorized access vulnerability (reproducing Spring Boot Actuator unauthorized access and fixing it)

1. Spring Boot unauthorized access vulnerability description
Actuator is a module provided by Spring Boot for introspecting and monitoring a running application. With Actuator, developers can easily view and collect monitoring metrics of the application.

The core of Actuator is the endpoint (Endpoint), which is used to monitor and interact with the application. spring-boot-actuator ships with many built-in Endpoints (health, info, beans, metrics, httptrace, shutdown, etc.) and also lets you add your own. Each Endpoint can be enabled or disabled individually. For an Endpoint to be reachable remotely it must additionally be exposed over JMX or HTTP, and most applications choose HTTP.

While Actuator brings convenience, it leads to leakage of sensitive information if it is not managed properly; if the application is reachable from the public network, the server itself may be compromised. So let's take a look at what security issues arise.
 

2. What is the Spring Boot unauthorized access vulnerability?

An unauthorized access vulnerability means that pages or addresses which should require a security configuration or authorization check can instead be opened directly by any user, because the authorization logic is missing or defective. The result is leakage of sensitive information, such as privileged operations, database details, or website directories.

3. How to block it
Add the following configuration to llsydn-dev.properties:

management.endpoints.web.exposure.exclude=env,heapdump,threaddump,mappings
so that env (together with heapdump, threaddump and mappings) can no longer be accessed.
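The weak exposure setting placed beside a hardened one, as an added example that is not part of the original post; the property keys and endpoint names are Spring Boot's own, the file name and the management port are assumptions:

```properties
# --- Weak: every Actuator endpoint is mapped over HTTP and readable by anyone ---
# This is what turns /actuator/env, /actuator/heapdump, /actuator/mappings
# and friends into an information leak.
management.endpoints.web.exposure.include=*

# --- Hardened ---
# Allowlist instead of denylist: only the endpoints you actually need are mapped.
# An endpoint added by a future dependency upgrade is therefore not exposed by
# accident, which an exclude list such as "env,heapdump,threaddump,mappings"
# alone cannot guarantee.
management.endpoints.web.exposure.include=health,info
# Keep the most sensitive endpoints out even if "include" is widened later;
# in Spring Boot, "exclude" takes precedence over "include".
management.endpoints.web.exposure.exclude=env,heapdump,threaddump,mappings,configprops,beans
# Do not leak disk/db/component details to unauthenticated callers of /actuator/health.
management.endpoint.health.show-details=when-authorized
# Never let a remote caller stop the JVM.
management.endpoint.shutdown.enabled=false
# Serve Actuator on its own port bound to the loopback interface (assumed values),
# so it is not reachable on the same listener as the public application.
management.server.port=8081
management.server.address=127.0.0.1
```

Exposure settings only decide which endpoints are mapped; they do not authenticate callers, so whatever stays exposed should additionally sit behind Spring Security (for example a rule built from EndpointRequest.toAnyEndpoint() that requires an operator role) or behind a network restriction.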


Origin blog.csdn.net/yetaodiao/article/details/130121940