stanislav-web / OpenDoor

OWASP WEB Directory Scanner
http://opendoor.readthedocs.io
GNU General Public License v3.0

Add checks for Spring Boot Actuator endpoints #41

Closed gingeleski closed 3 years ago

gingeleski commented 4 years ago

Consider adding checks for Spring Boot Actuator, which if openly accessible in production can be leveraged to run trace, dump memory, manipulate environment variables, etc. [1][2][3]

Looks like patterns might be added here to directories.dat.

/actuator
/actuator/auditevents
/actuator/autoconfig
/actuator/beans
/actuator/caches
/actuator/conditions
/actuator/configprops
/actuator/env
/actuator/flyway
/actuator/health
/actuator/httptrace
/actuator/info
/actuator/integrationgraph
/actuator/loggers
/actuator/liquibase
/actuator/metrics
/actuator/mappings
/actuator/scheduledtasks
/actuator/sessions
/actuator/shutdown
/actuator/threaddump
/actuator/heapdump
/actuator/jolokia
/actuator/logfile
/actuator/prometheus
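
To keep the new patterns from flagging hosts that answer 200 to every path, here is an added example (not OpenDoor's own code) that classifies responses for the paths above when auditing a deployment you operate; the expected content types and the high-risk grouping are this example's assumptions.

```python
import json

# Endpoints that leak secrets or change state (this example's own grouping).
HIGH_RISK = {"/actuator/heapdump", "/actuator/threaddump", "/actuator/env",
             "/actuator/shutdown", "/actuator/jolokia", "/actuator/logfile",
             "/actuator/httptrace", "/actuator/sessions"}

# Endpoints that do not answer with JSON (assumed from Spring Boot's documented
# behaviour); all other actuator endpoints are expected to return JSON.
NON_JSON = {"/actuator/heapdump": "application/octet-stream",
            "/actuator/logfile": "text/plain",
            "/actuator/prometheus": "text/plain"}


def looks_like_actuator(path, status, content_type, body):
    """True only for a 200 whose body matches what that endpoint returns."""
    if status != 200:
        return False
    ct = content_type.lower()
    if path in NON_JSON:
        return NON_JSON[path] in ct
    if "json" not in ct:  # an HTML 200 is a catch-all page, not actuator
        return False
    try:
        return isinstance(json.loads(body), dict)
    except ValueError:
        return False


def audit(responses):
    """responses: {path: (status, content_type, body)} -> exposed, riskiest first."""
    exposed = [p for p, (s, ct, b) in responses.items()
               if looks_like_actuator(p, s, ct, b)]
    return sorted(exposed, key=lambda p: (p not in HIGH_RISK, p))


# Constructed sample responses, as a deployment you operate might return them.
SAMPLE_RESPONSES = {
    "/actuator/health": (200, "application/vnd.spring-boot.actuator.v3+json",
                         '{"status":"UP"}'),
    "/actuator/env": (401, "application/json", '{"error":"Unauthorized"}'),
    "/actuator/heapdump": (200, "application/octet-stream", "JAVA PROFILE 1.0.2"),
    "/actuator/shutdown": (404, "application/json", '{"status":404}'),
    "/actuator/beans": (200, "text/html", "<html>catch-all page</html>"),
}

if __name__ == "__main__":
    print(audit(SAMPLE_RESPONSES))  # ['/actuator/heapdump', '/actuator/health']
```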

stanislav-dev commented 4 years ago

Please create a pull request

gingeleski commented 4 years ago

Done, thank you.