Whitelabel Error Page / Spring Boot Actuators Hunting
Most hunters forget to test it.
In the vast landscape of web applications, Spring Boot stands out as one of the most popular frameworks for building modern, scalable services. However, with great popularity comes great exposure, and misconfigurations can sometimes leave sensitive endpoints unintentionally accessible to attackers. Among these are the infamous Whitelabel Error Page and exposed Spring Boot Actuators, which, when improperly secured, can reveal critical insights into an application’s internals.
Article Brief
This article delves into the art of hunting these potential misconfigurations. We’ll explore how to identify Spring Boot applications, uncover hidden error pages, and locate unprotected actuator endpoints, from basic reconnaissance to practical exploitation.
Whether you’re a bug bounty hunter, a security researcher, or a developer aiming to harden your applications, this is your blueprint to mastering Spring Boot vulnerability discovery. Let’s dive in!
What Are Spring Boot Actuators?
The Spring Boot Framework includes a number of features called actuators to help you monitor and manage your web application when you push it to production. Intended to be used for auditing, health, and metrics gathering, they can also open a hidden door to your server when misconfigured.
When a Spring Boot application is running, it automatically registers several endpoints (such as ‘/health’, ‘/trace’, ‘/beans’, ‘/env’, etc.) into the routing process.
Steps:
1. First, find targets. We can use Shodan. Below are useful dorks to list all the IPs that host a Spring Boot application service.
Shodan dorks for finding target assets:
ssl:target.com http.title:"Whitelabel Error Page"
ssl:target.com http.html:"Whitelabel Error Page"
org:"Company Name" html:"Whitelabel Error Page"
http.status:500 html:"Whitelabel Error Page"
2. Here is a curl command that downloads the IPs matching a query.
curl -s "https://api.shodan.io/shodan/host/search?key=APIkey&query=target.com" | jq -r '.matches[].ip_str' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}'
Another tool you can use to download the IPs is shef, by 1hehaq.
3. After collecting the IPs, we need to prefix each one with https:// and filter them. Here I use the httpx tool to do this.
cat ips | httpx | tee -a target
4. Now it is time to fuzz all the target IPs and save the results to a file. Use dirsearch to fuzz the endpoints, and use the SecLists Spring Boot wordlist to find affected endpoints.
Wordlist: SecLists/Discovery/Web-Content/spring-boot.txt (danielmiessler/SecLists on GitHub)
dirsearch -l target -w /root/wordlist/Seclist/Discovery/Web-Content/spring-boot.txt -o output
5. After the fuzzing completes, analyze the output file. Focus on juicy endpoints like: env, trace, prometheus, jolokia, threaddump, loggers, logfile, heapdump, configprops.
Report everything ethically, according to the company's assets.
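For developers hardening an application, the endpoints listed in step 5 become reachable through the actuator web-exposure properties. The Python check below is an added example, not code from the original article: it audits an application.properties file for those settings. The sample configs are constructed, and treating an unset include list as health-only is an assumption about recent Spring Boot versions.

```python
import re
# Endpoint names taken from step 5 of the article.
SENSITIVE = {"env", "trace", "prometheus", "jolokia", "threaddump",
             "loggers", "logfile", "heapdump", "configprops"}
PREFIX = "management.endpoints.web.exposure."

# Constructed sample configs (not from any real application): weak, then corrected.
WEAK = """
management.endpoints.web.exposure.include=*
management.endpoint.health.show-details=always
"""
HARDENED = """
management.endpoints.web.exposure.include=health,info
management.endpoint.health.show-details=when-authorized
management.server.port=8081
"""

def parse_properties(text):
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith(("#", "!")):  # skip blanks and comments
            parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
            if len(parts) == 2:
                props[parts[0]] = parts[1]
    return props

def names(value):
    return {v.strip().lower() for v in value.split(",") if v.strip()}

def audit(text):
    """Return a list of findings for actuator web exposure settings."""
    props = parse_properties(text)
    include = names(props.get(PREFIX + "include", "health"))  # assumption: unset means health only
    exclude = names(props.get(PREFIX + "exclude", ""))
    findings = []
    if "*" in include and "*" not in exclude:
        findings.append("exposure.include=* allows every enabled endpoint over HTTP")
    allowed = SENSITIVE if "*" in include else include & SENSITIVE
    exposed = set() if "*" in exclude else allowed - exclude
    findings += [f"web exposure allows sensitive endpoint: {n}" for n in sorted(exposed)]
    if exposed and "management.server.port" not in props:
        findings.append("management.server.port unset: actuators share the application port")
    if props.get("management.endpoint.health.show-details", "never").lower() == "always":
        findings.append("health.show-details=always returns health details to every caller")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg) or "no findings")
```

An endpoint that must stay web-exposed still needs authentication in front of it; this check only covers what the properties file allows.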
🙏 My English isn’t flawless, but neither are the systems we’re hunting. Let’s learn together.
🧑‍💻 Connect with me on LinkedIn & X
🌐 Subscribe to Youtube Channel 0xshuvo for intermediate to advanced content.