Kingdom: Security Features

Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

Spring Boot Misconfiguration: Actuator Endpoint Security Disabled

Java/JSP

Abstract

The Spring Boot application uses Actuator endpoints requiring no authentication.

Explanation

Spring Boot applications can be configured to deploy Actuators, which are REST endpoints that allow users to monitor different aspects of the application. There are different built-in Actuators which may expose sensitive data and are labeled as "sensitive". By default all sensitive HTTP endpoints are secured such that only users that have an ACTUATOR role may access them.

This application is either disabling the authentication requirement for sensitive endpoints:

Example 1:


management.security.enabled=false

Or marking sensitive endpoints as non-sensitive:

Example 2:


endpoints.health.sensitive=false

Or a custom Actuator is set as non-sensitive:


@Component
public class CustomEndpoint implements Endpoint<List<String>> {

    public String getId() {
        return "customEndpoint";
    }

    public boolean isEnabled() {
        return true;
    }

    public boolean isSensitive() {
        return false;
    }

    public List<String> invoke() {
        // Custom logic to build the output
        ...
    }
}

References

[1] Spring Boot Reference Guide Spring

[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[3] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[4] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[5] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[6] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[7] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[8] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[9] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.config.java.spring_boot_misconfiguration_actuator_endpoint_security_disabled