Kingdom: Security Features

Software security is not security software. Here we are concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

Spring Boot Misconfiguration: Shutdown Actuator Endpoint Enabled

Abstract
The Spring Boot Shutdown Actuator is enabled, which may allow users to shut down the application.
Explanation
The Shutdown Actuator allows authenticated users to shut down the application with a single request (a POST to /shutdown in Spring Boot 1.x, /actuator/shutdown in 2.x). Although the endpoint is configured as sensitive by default and therefore requires authentication, enabling it without a good operational reason is never good practice: the credentials protecting it may be weak, or the application configuration may later be changed to mark the actuator as non-sensitive, at which point any client that can reach the management port can stop the service. Note that the "sensitive" flag exists only in Spring Boot 1.x; in Spring Boot 2.x the endpoint is controlled by management.endpoint.shutdown.enabled and is reachable over HTTP only when it is listed in management.endpoints.web.exposure.include.

Example 1: Configuring a Spring Boot application to deploy the Shutdown Actuator:

endpoints.shutdown.enabled=true
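As an added check that is not part of the Fortify description or of Spring's own tooling, the Python script below audits an application.properties file for this misconfiguration. The property names are the real Spring Boot keys: the 1.x keys discussed on this page (endpoints.shutdown.enabled, endpoints.shutdown.sensitive, endpoints.sensitive, management.security.enabled) and their 2.x equivalents (management.endpoint.shutdown.enabled, management.endpoints.web.exposure.include). The three sample configurations, the severity labels and the finding text are constructed for the example.

```python
"""Audit a Spring Boot application.properties for an enabled shutdown actuator.

Added example for this page, not Fortify's checker. It recognises the Spring
Boot 1.x keys (endpoints.shutdown.*) and the 2.x equivalents. Property names
are real; the sample configurations below are constructed for the example.
"""
import re

# Constructed sample: Spring Boot 1.x, the page's Example 1 plus the two
# weakenings the explanation warns about (non-sensitive, security disabled).
WEAK_BOOT1 = """
# application.properties (constructed sample)
endpoints.shutdown.enabled=true
endpoints.shutdown.sensitive=false
management.security.enabled=false
"""

# Constructed sample: Spring Boot 2.x style, endpoint enabled and exposed over HTTP.
WEAK_BOOT2 = """
management.endpoint.shutdown.enabled=true
management.endpoints.web.exposure.include=health,info,shutdown
"""

# Constructed sample: hardened configuration, shutdown kept disabled.
SAFE = """
management.endpoint.shutdown.enabled=false
management.endpoints.web.exposure.include=health,info
"""


def parse_properties(text):
    """Minimal java.util.Properties parser: key=value or key: value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def as_bool(props, key, default):
    """Spring accepts 'true'/'false' (case-insensitive); anything else is false."""
    value = props.get(key)
    return default if value is None else value.lower() == "true"


def audit_shutdown_actuator(props):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []

    # Spring Boot 1.x: 'sensitive' endpoints require authentication; either the
    # per-endpoint/global sensitive flag or management.security.enabled removes that.
    if as_bool(props, "endpoints.shutdown.enabled", False):
        sensitive = as_bool(props, "endpoints.shutdown.sensitive",
                            as_bool(props, "endpoints.sensitive", True))
        security = as_bool(props, "management.security.enabled", True)
        if not sensitive or not security:
            findings.append(("CRITICAL",
                             "endpoints.shutdown.enabled=true and POST /shutdown is reachable "
                             "without authentication (non-sensitive or management security off)"))
        else:
            findings.append(("HIGH",
                             "endpoints.shutdown.enabled=true; only authentication protects "
                             "POST /shutdown, so weak credentials can stop the application"))

    # Spring Boot 2.x: enabled is not enough, the endpoint must also be exposed over the web.
    if as_bool(props, "management.endpoint.shutdown.enabled", False):
        include = props.get("management.endpoints.web.exposure.include", "health,info")
        exposed = {e.strip() for e in include.split(",")}
        if "shutdown" in exposed or "*" in exposed:
            findings.append(("HIGH",
                             "management.endpoint.shutdown.enabled=true and /actuator/shutdown "
                             "is exposed via management.endpoints.web.exposure.include"))
        else:
            findings.append(("MEDIUM",
                             "management.endpoint.shutdown.enabled=true but not exposed over "
                             "HTTP; disable it unless there is an operational reason"))
    return findings


def audit_text(text):
    """Convenience wrapper: parse a properties file's text and audit it."""
    return audit_shutdown_actuator(parse_properties(text))


if __name__ == "__main__":
    for name, cfg in (("boot1-weak", WEAK_BOOT1), ("boot2-weak", WEAK_BOOT2), ("hardened", SAFE)):
        findings = audit_text(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Run it against a real application.properties by passing the file contents to audit_text(). The 1.x branch distinguishes the authenticated case (still a finding, per the explanation above) from the unauthenticated one, because an enabled-but-sensitive endpoint can be silently downgraded by a later change to endpoints.shutdown.sensitive or management.security.enabled.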
References
[1] Spring Boot Reference Guide, Spring
[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[3] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[4] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[5] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[6] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[7] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[8] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[9] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.java.spring_boot_misconfiguration_shutdown_actuator_endpoint_enabled