Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
With its focus on developer-friendly tools and configurations, Spring Boot accelerates the development process. However, the dev tools within Spring Boot provide an interesting attack surface.
The Spring Boot Actuator has a set of built-in HTTP endpoints that allow a developer to easily monitor and manage an application. Using the /actuator/env endpoint, environment variables of the application can be set.
With the ability to set environment variables described above, you can set spring.datasource.hikari.connection-test-query to run arbitrary queries once this functionality is triggered. In the worst case, this can be used to run Java in the H2 Database Engine. In the best case, arbitrary queries can be executed.
When using Spring Boot in production, do not expose these development endpoints. Doing so can lead to major compromise.
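One way to check a deployment's configuration for the exposure described above is the following added example, which is not from the original article or from Spring. It audits an application.properties file for a web-exposed env endpoint. The sample configs and finding codes are constructed, the `management.*` keys are standard Spring Boot property names not quoted on this page, and `management.endpoint.env.post.enabled` is assumed to be the Spring Cloud switch for writes.

```python
import re

# Constructed sample configurations (not taken from any real application).
WEAK = """\
management.endpoints.web.exposure.include=*
management.endpoint.env.post.enabled=true
spring.datasource.url=jdbc:h2:mem:testdb
"""
HARDENED = """\
# Only health and info over HTTP, on a loopback-only management port.
management.endpoints.web.exposure.include=health,info
management.server.port=8081
management.server.address=127.0.0.1
"""

def parse_properties(text):
    """Parse the plain key=value / key: value subset of .properties syntax."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^=:\s#!][^=:\s]*)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit(text):
    """Return finding codes for Actuator env exposure in one properties file."""
    props = parse_properties(text)

    def ids(key):
        return {v.strip().lower() for v in props.get(key, "").split(",") if v.strip()}

    include = ids("management.endpoints.web.exposure.include")
    exclude = ids("management.endpoints.web.exposure.exclude")
    findings = []
    # exclude takes precedence over include; an absent include does not expose env.
    if include & {"*", "env"} and not exclude & {"*", "env"}:
        findings.append("env-exposed")
        # Assumption: Spring Cloud gates writes to env behind this property.
        if props.get("management.endpoint.env.post.enabled", "").lower() == "true":
            findings.append("env-writable")
        # The page names H2 as the worst case for the datasource.
        if props.get("spring.datasource.url", "").lower().startswith("jdbc:h2:"):
            findings.append("h2-datasource")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

The check covers only `.properties` files; YAML configuration, environment-variable overrides and command-line arguments can set the same keys and need their own review.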