Kingdom: Security Features
Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
Spring Boot Misconfiguration: Shutdown Actuator Endpoint Enabled
Abstract
Spring Boot Shutdown Actuator is enabled and may allow users to shut down the application.
Explanation
The Shutdown Actuator allows authenticated users to shut down the application. Although it is classified as a sensitive endpoint by default, so that authentication is required to invoke it, enabling it without a strong reason is not good practice: the credentials protecting it may be weak, and the application configuration can later be changed to mark the actuator as non-sensitive, leaving a denial-of-service vector for anyone who can reach the endpoint.
Example 1: A Spring Boot application is configured to deploy the shutdown Actuator:
endpoints.shutdown.enabled=true
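The following is an added example, not Fortify's or Spring's own code: a small audit script that parses a Java .properties file and reports the misconfiguration shown above, with a constructed vulnerable configuration beside its hardened counterpart. It checks the key quoted in this finding (Spring Boot 1.x) and, as an assumption beyond the page, the Spring Boot 2.x equivalent management.endpoint.shutdown.enabled; absence of either key is treated as the Spring Boot default, which is disabled.

```python
"""Detect the Spring Boot shutdown-actuator misconfiguration in a properties file.

Added example (not Fortify's or Spring's code). It parses the Java .properties
format and flags endpoints.shutdown.enabled=true (the key in the finding, Spring
Boot 1.x) and its Spring Boot 2.x equivalent management.endpoint.shutdown.enabled.
All sample inputs below are constructed.
"""
import re

# Property keys that enable the shutdown endpoint. The first is the one quoted
# in the finding (Spring Boot 1.x); the second is the Spring Boot 2.x key
# (assumed equivalent, not taken from the finding text).
SHUTDOWN_KEYS = (
    "endpoints.shutdown.enabled",
    "management.endpoint.shutdown.enabled",
)


def parse_properties(text: str) -> dict:
    """Minimal .properties parser.

    Supports '#' and '!' comment lines, the 'key=value', 'key:value' and
    'key value' separators, and backslash line continuation. Surrounding
    whitespace on keys and values is trimmed.
    """
    props = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        # Join continuation lines: a trailing backslash glues the next line on.
        while line.endswith("\\") and i + 1 < len(lines):
            line = line[:-1] + lines[i + 1].strip()
            i += 1
        i += 1
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:\s]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
        else:
            # A bare key with no separator maps to the empty string.
            props[line] = ""
    return props


def shutdown_endpoint_enabled(props: dict) -> bool:
    """True when any known shutdown-actuator key is set to true (case-insensitive).

    A missing key means the Spring Boot default, which is disabled.
    """
    return any(props.get(k, "false").strip().lower() == "true" for k in SHUTDOWN_KEYS)


def audit_properties(text: str) -> list:
    """Return one finding string per shutdown key that is enabled in the text."""
    props = parse_properties(text)
    findings = []
    for key in SHUTDOWN_KEYS:
        if props.get(key, "").strip().lower() == "true":
            findings.append(
                f"{key}=true: shutdown actuator enabled; remove the key or set it to false"
            )
    return findings


# Constructed sample: the misconfiguration from the finding.
VULNERABLE = """\
# application.properties (constructed sample)
server.port=8080
endpoints.shutdown.enabled=true
"""

# Constructed sample: the hardened configuration. The shutdown endpoint is off
# (set explicitly here, although false is also the Spring Boot default).
HARDENED = """\
# application.properties (constructed sample)
server.port=8080
endpoints.shutdown.enabled=false
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, audit_properties(text) or ["no shutdown actuator finding"])
```

Run it against a real application.properties by reading the file into `audit_properties`; an empty result means neither shutdown key is enabled. The parser deliberately treats a missing key as disabled so that the check does not raise noise on applications that never mention the endpoint.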
References
[1] Spring Boot Reference Guide Spring
[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[3] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[4] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[5] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[6] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[7] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[8] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[9] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)