hunt-springboot

Solid

Hunt Spring Boot specific vulnerabilities — Actuator endpoints (heapdump, env, loggers, mappings, shutdown), Spring Expression Language (SpEL) injection → RCE, H2 console RCE, Jolokia JMX exposure, Spring4Shell (CVE-2022-22965), Spring Cloud Function SpEL (CVE-2022-22963), heap dump credential extraction. Use when target runs Spring Boot — detected via X-Application-Context header, /actuator, Whitelabel Error Page, or Java stack traces.

Testing & QA 1,912 stars 279 forks Updated 3 days ago NOASSERTION


Quality Score: 86/100

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# HUNT-SPRINGBOOT — Spring Boot Specific Vulnerabilities

## Crown Jewel Targets

Spring Boot Actuator `/actuator/heapdump` exposed = heap dump with all secrets in memory.

**Highest-value findings:**

- **`/actuator/heapdump`** — full JVM heap dump contains plaintext passwords, tokens, DB credentials, private keys stored anywhere in memory
- **`/actuator/env`** — lists all environment variables and Spring properties including secrets
- **`/actuator/shutdown`** — POST → shuts down the application (Critical availability impact)
- **H2 Console (`/h2-console`)** — in-memory DB admin UI → SQL query execution → potential RCE via `CREATE ALIAS` trick
- **SpEL injection** — Spring Expression Language in template fields, `@Value` annotations, SpEL-processed request params → RCE
- **Spring4Shell CVE-2022-22965** — Spring Framework < 5.3.18 + Tomcat → RCE via data binding

---

## Phase 1 — Fingerprint Spring Boot

```bash
# Spring Boot indicators
curl -sI https://$TARGET/ | grep -i "x-application-context\|x-content-type"
curl -s "https://$TARGET/nonexistent" | grep -i "Whitelabel Error Page\|Spring Boot\|org.springframework"

# Actuator root (may list available endpoints)
curl -s "https://$TARGET/actuator" | python3 -m json.tool 2>/dev/null
curl -s "https://$TARGET/actuator/" | python3 -m json.tool 2>/dev/null

# Try common base paths
for base in "" "/manage" "/management" "/app"; do
  STATUS=$(curl -s -o /dev/null -w "%{http_code}" "https://$TARGET$base/actuator")
  [ "$STATUS" = "200...
```

Details

Author: elementalsouls
Repository: elementalsouls/Claude-BugHunter
Created: 1 month ago
Last Updated: 3 days ago
Language: Python
License: NOASSERTION
