Kingdom: Security Features

Software security is not security software. Here we are concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

Spring Boot Misconfiguration: Shutdown Actuator Endpoint Enabled

Abstract
The Spring Boot Shutdown Actuator is enabled, which allows users to shut down the application.
Explanation
The Shutdown Actuator allows authenticated users to shut down the application. Even though it is configured as a sensitive endpoint by default, and therefore requires authentication before it can be used, it is best not to enable it without a good reason: credentials may be weak, or the application configuration may later be changed to mark the actuator as non-sensitive.

Example 1: The Spring Boot application is configured to deploy the shutdown actuator:

endpoints.shutdown.enabled=true
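As an added example (not code from the Fortify page or from Spring), the following audit script parses a properties file and flags the weak setting above next to a hardened configuration; it also goes beyond the page's Spring Boot 1.x key by checking the Spring Boot 2.x+ keys management.endpoint.shutdown.enabled and management.endpoints.web.exposure.include. The sample property contents are constructed for this example.

```python
"""Audit Spring Boot property files for an enabled shutdown actuator (added example)."""
import re

# Constructed sample application.properties contents (not from a real project).
WEAK_PROPERTIES = """
server.port=8080
# Spring Boot 1.x keys: endpoint enabled and marked non-sensitive (no authentication)
endpoints.shutdown.enabled=true
endpoints.shutdown.sensitive=false
"""
WEAK_PROPERTIES_2X = """
management.endpoint.shutdown.enabled=true
management.endpoints.web.exposure.include=*
"""
HARDENED_PROPERTIES = """
server.port=8080
endpoints.shutdown.enabled=false
management.endpoint.shutdown.enabled=false
management.endpoints.web.exposure.include=health,info
"""

def parse_properties(text):
    """Parse 'key=value' / 'key: value' lines into a dict; comments and blank lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props

def audit_shutdown_actuator(text):
    """Return findings describing how the shutdown endpoint is reachable; empty list if it is not."""
    props = parse_properties(text)
    def flag(key, default):
        return props.get(key, default).lower() == "true"
    findings = []
    # Spring Boot 1.x: the page's key; sensitive=false removes the authentication requirement
    if flag("endpoints.shutdown.enabled", "false"):
        findings.append("endpoints.shutdown.enabled=true: shutdown actuator enabled")
        if not flag("endpoints.shutdown.sensitive", "true"):
            findings.append("endpoints.shutdown.sensitive=false: no authentication required")
    # Spring Boot 2.x+: the endpoint is reachable over HTTP only when enabled and web-exposed
    if flag("management.endpoint.shutdown.enabled", "false"):
        exposed = {e.strip() for e in props.get("management.endpoints.web.exposure.include", "").split(",")}
        reach = "exposed over HTTP" if exposed & {"*", "shutdown"} else "enabled but not web-exposed"
        findings.append(f"management.endpoint.shutdown.enabled=true: {reach}")
    return findings

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_PROPERTIES), ("weak-2x", WEAK_PROPERTIES_2X), ("hardened", HARDENED_PROPERTIES)]:
        print(name, audit_shutdown_actuator(cfg) or ["OK: shutdown actuator not enabled"])
```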
References
[1] Spring Boot Reference Guide, Spring
[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[3] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[4] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[5] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[6] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[7] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[8] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[9] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)