Kingdom: Security Features

Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

Spring Boot Misconfiguration: Actuator Endpoint Security Disabled

Abstract
The Spring Boot application uses Actuator endpoints that do not require authentication.
Explanation
Spring Boot applications can be configured to deploy Actuators, which are REST endpoints that let users monitor different aspects of the application. Several built-in Actuators expose sensitive data and are therefore marked as "sensitive". By default, all sensitive HTTP endpoints are secured so that only users with the ACTUATOR role can access them.

This application disables the authentication requirement for sensitive endpoints:

Example 1

management.security.enabled=false

or marks a sensitive endpoint as non-sensitive:

Example 2

endpoints.health.sensitive=false

or marks a custom Actuator as non-sensitive:

Example 3

import java.util.ArrayList;
import java.util.List;

import org.springframework.boot.actuate.endpoint.Endpoint;
import org.springframework.stereotype.Component;

@Component
public class CustomEndpoint implements Endpoint<List<String>> {

    @Override
    public String getId() {
        return "customEndpoint";
    }

    @Override
    public boolean isEnabled() {
        return true;
    }

    // Returning false exempts this endpoint from the ACTUATOR-role check
    @Override
    public boolean isSensitive() {
        return false;
    }

    @Override
    public List<String> invoke() {
        // Custom logic to build the output
        // (placeholder body: the original elides the custom logic here)
        return new ArrayList<>();
    }
}
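To make the two property-level misconfigurations above (Example 1 and Example 2) easy to catch before deployment, the following is an added example of a small configuration audit, not code from this page or from Spring Boot. It parses a Spring Boot 1.x application.properties file, flags management.security.enabled=false and any endpoints.<id>.sensitive=false (the bare endpoints.sensitive form covers every endpoint at once), and can rewrite the flagged lines back to the secure value. The sample properties text and the Finding/audit_properties/harden_properties names are constructed for this example.

```python
import re
from typing import Iterator, List, NamedTuple, Tuple

# Constructed sample application.properties used as input for the check below.
SAMPLE_PROPERTIES = """
# constructed example, not a real deployment
server.port=8080
management.security.enabled=false
endpoints.health.sensitive = false
endpoints.env.sensitive=true
# endpoints.beans.sensitive=false
spring.datasource.url=jdbc:h2:mem:test
"""


class Finding(NamedTuple):
    line_no: int
    key: str
    value: str
    reason: str


# Spring Boot 1.x property names discussed on this page. The regex matches both
# endpoints.<id>.sensitive and the global endpoints.sensitive switch (no id).
SECURITY_SWITCH = "management.security.enabled"
SENSITIVE_RE = re.compile(r"^endpoints\.(?:(?P<id>[a-z0-9-]+)\.)?sensitive$")

# key, then '=', ':' or whitespace as separator, then the value (java.util.Properties style)
_PROP_RE = re.compile(r"^([^=:\s]+)\s*[=:\s]\s*(.*)$")


def parse_properties(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (line_no, key, value) for each non-comment property line."""
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#!":  # blank or comment line
            continue
        m = _PROP_RE.match(line)
        if not m:
            continue
        yield n, m.group(1).strip(), m.group(2).strip()


def audit_properties(text: str) -> List[Finding]:
    """Return one Finding per line that weakens actuator endpoint security."""
    findings: List[Finding] = []
    for n, key, value in parse_properties(text):
        if key == SECURITY_SWITCH and value.lower() == "false":
            findings.append(Finding(
                n, key, value,
                "authentication disabled for all sensitive actuator endpoints"))
            continue
        m = SENSITIVE_RE.match(key)
        if m and value.lower() == "false":
            scope = m.group("id") or "all endpoints"
            findings.append(Finding(
                n, key, value, f"endpoint marked non-sensitive: {scope}"))
    return findings


def harden_properties(text: str) -> str:
    """Return a copy of the text with every flagged switch set back to true."""
    flagged = {f.line_no: f.key for f in audit_properties(text)}
    out = []
    for n, raw in enumerate(text.splitlines(), start=1):
        out.append(f"{flagged[n]}=true" if n in flagged else raw)
    return "\n".join(out)


if __name__ == "__main__":
    for f in audit_properties(SAMPLE_PROPERTIES):
        print(f"line {f.line_no}: {f.key}={f.value} -> {f.reason}")
    print("--- hardened ---")
    print(harden_properties(SAMPLE_PROPERTIES))
```

Running the audit as a build step (or in a pre-commit hook) flags both lines 4 and 5 of the sample; the hardened copy sets them to true, which restores the default ACTUATOR-role protection that Examples 1 and 2 remove. The check is deliberately limited to the properties named on this page, so extend SENSITIVE_RE and SECURITY_SWITCH if your configuration uses YAML or a different property layout.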
References
[1] Spring Boot Reference Guide Spring
[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[3] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[4] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[5] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[6] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[7] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[8] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[9] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)