Spring

Information

Technology	Description
Spring	A framework for building Java applications.
Spring Boot	A Spring extension that simplifies the configuration of Spring apps by providing defaults and conventions to minimize the boilerplate code required.

Recon

The default error page (/error) for Spring applications are titled with the Whitelabel Error Page message (Figure 1).

Figure 1: The default error page of a Spring-based application.

Attacks

Fuzzing

We can use seclists's Spring boot-specific wordlist.

ffuf -u http://cozyhosting.htb/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/spring-boot.txt -c -ac -ic

Actuators

Spring Boot's actuators is a set of built-in monitoring and debugging features and its endpoints should not be public facing. For instance, /actuator/sessions lists active HTTP Spring sessions. For an example of leveraging an actuator for session hijacking see Cozyhosting.

Config Files

Spring applications will load properties from the application.propertie file which is typically under the webroot (/) or the config subdirectory. This file can contain sensitive information, such as credentials and database information.

The example below is based on OffSec's WEB-200 course (Asio lab).

Spring applications will load properties fromapplication.properties files which are typically located under the webroot (/) or the config subdirectory. We can use Burp Intruder along with the default wordlist called Fuzzing - path traversal (single file) (Figure 2.2) and a Match/replace rule (Figure 2.3) to search for the application.properties file.

Figure 2: Fuzzing for the target file.

We successfully managed to read the application.properties file which contains plaintext credentials as well as an admin portal key (Figure 3).

Figure 3: Reading the applications.properties configuration file.