Find Spring Boot servers with Shodan
Search for the following favicon hash in Shodan to find Spring Boot servers deployed in the target organization:
Then check for exposed actuators. If /env is available, you can probably achieve RCE. If /heapdump is accessible, you may find private keys and tokens.
In case you are unfamiliar with Spring Boot technology, do not worry. Here’s a quick 101.
Spring Boot is an open source Java-based framework used to build stand-alone Spring applications based on the concepts of microservices.
Spring Boot Actuator is a mechanism for monitoring and interacting with a running Spring Boot application through a web interface. Its endpoints are typically mapped to URLs such as:
Here’s an example of an exposed /env actuator:
Pro tip: Check for all these default built-in actuators. Some of them may be exposed and contain interesting information.
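For the defending side, here is an added example (not from the original post) of the application.yml pattern that produces the exposure described above, followed by a hardened baseline for a Spring Boot 3.x service. The property names are real Spring Boot Actuator properties; the management port 8081 and the monitoring-only allow-list are assumptions for this example.

```yaml
# Weak configuration (assumed example): every actuator endpoint is exposed on the
# application port and /actuator/env returns property values in clear text.
management:
  endpoints:
    web:
      exposure:
        include: "*"            # env, heapdump, threaddump, loggers, ... all reachable over HTTP
  endpoint:
    env:
      show-values: always       # secrets held in properties/env vars are returned unmasked
    heapdump:
      enabled: true             # a full JVM heap (keys, tokens, sessions) can be downloaded
---
# Hardened configuration (assumed example): allow-list only what monitoring needs,
# move the actuator onto a separate port that is not reachable from the Internet,
# and keep sensitive endpoints disabled even for internal callers.
management:
  server:
    port: 8081                  # assumption: management port, firewalled to the monitoring network
  endpoints:
    web:
      exposure:
        include: health,info    # explicit allow-list instead of "*"
        exclude: env,heapdump,threaddump,loggers
  endpoint:
    env:
      show-values: never        # Spring Boot 3 default: values masked even if env is ever exposed
    heapdump:
      enabled: false            # endpoint disabled entirely, not merely unexposed
    health:
      show-details: when-authorized   # component details only for authenticated callers
```

The two YAML documents are separated by `---` so the file parses; in practice only the second document would be deployed. Verify the result from outside the trust boundary: the application port should answer 404 for /actuator/env and /actuator/heapdump, and only the management port should list endpoints under /actuator.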