Find Spring Boot servers with Shodan

By @sw33tLie

Source: link

Search for the following favicon hash in Shodan to find Spring Boot servers deployed in the target organization:

org:YOUR_TARGET http.favicon.hash:116323821

Then check for exposed actuators. If /env is available, you can probably achieve RCE. If /heapdump is accessible, you may find private keys and tokens.

In case you are unfamiliar with Spring Boot technology, do not worry. Here’s a quick 101.

Spring Boot is an open source, Java-based framework used to build stand-alone Spring applications built around the microservices concept.

Spring Boot Actuator is a mechanism for interacting with these applications through a web interface. Actuator endpoints are typically mapped to URLs such as:

Here’s an example of an exposed /env actuator:

[Image: exposed /env Spring Boot actuator]

Pro tip: Check for all these default built-in actuators. Some of them may be exposed and contain interesting information.
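As an added defensive example (not part of the original tip), the following Python script reads web-server access-log lines and flags requests to the sensitive actuator paths named above (/env and /heapdump, with or without the /actuator prefix), distinguishing an exposed endpoint (HTTP 200) from a protected one (401/403) and a mere probe (404). The log lines and IP addresses are constructed samples.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format); not taken from the original post.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /favicon.ico HTTP/1.1" 200 946 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /actuator/env HTTP/1.1" 200 18342 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /actuator/heapdump HTTP/1.1" 401 0 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "GET /env HTTP/1.1" 404 0 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:14:01:03 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "kube-probe/1.27"
"""

# Endpoints whose exposure matters, as named in the tip. /health is deliberately not listed so
# routine liveness checks do not generate alerts.
SENSITIVE = {"env", "heapdump"}
# Matches "/env", "/actuator/env", "/actuator/heapdump?x=1" etc.; Spring Boot 2+ uses the /actuator prefix.
ACTUATOR_PATH = re.compile(r"^/(?:actuator/)?([a-z]+)(?:/|$|\?)")
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')


def classify(line):
    """Return (client_ip, endpoint, verdict) for a sensitive actuator hit, or None otherwise.

    verdict: 'exposed'   -> endpoint answered 200 (treat as an incident: secrets may have leaked)
             'protected' -> endpoint answered 401/403 (access control works; still worth logging)
             'probed'    -> any other status, typically 404 (endpoint absent, someone is looking)
    """
    m = LOG_LINE.match(line)
    if not m:
        return None
    ip, _method, path, status = m.groups()
    p = ACTUATOR_PATH.match(path)
    if not p or p.group(1) not in SENSITIVE:
        return None
    if status == "200":
        verdict = "exposed"
    elif status in ("401", "403"):
        verdict = "protected"
    else:
        verdict = "probed"
    return ip, p.group(1), verdict


def audit(log_text):
    """Classify every line of a log; return the findings and a per-verdict count."""
    findings = [f for f in (classify(line) for line in log_text.splitlines()) if f]
    return findings, Counter(verdict for _, _, verdict in findings)


if __name__ == "__main__":
    results, summary = audit(SAMPLE_LOG)
    for ip, endpoint, verdict in results:
        print(f"{verdict:>9}  /{endpoint:<9} from {ip}")
    print(dict(summary))
```

Any 'exposed' finding means the actuator endpoint was served without authentication and should be followed by restricting management.endpoints exposure and rotating anything the /env or /heapdump output could have revealed.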
