Spring Boot Penetration Testing: Spring4Shell, Log4Shell, Actuator & Java Enterprise Security

Spring Boot is the dominant Java enterprise framework, but its recent history is marked by the decade's most publicized vulnerabilities: Log4Shell (CVE-2021-44228) and Spring4Shell (CVE-2022-22965). Beyond these major incidents, Spring Boot applications regularly expose unsecured Actuator endpoints that leak secrets or enable direct RCE. Matproof Sentinel runs targeted Spring Boot pentests with proof-of-exploit and audit-ready DORA / NIS2 / ISO 27001 reports.

Start free scan

Written by Malte Wagenbach

Founder of Matproof Security. Specialized in AI-driven penetration testing and EU compliance (DORA, NIS2, ISO 27001, SOC 2).

Last reviewed: May 17, 2026

Why Spring Boot requires exceptional pentest attention

Spring Boot has dominated Java enterprise backend development since 2015. This massive popularity made every Spring vulnerability a global security event. Log4Shell (CVE-2021-44228, December 2021, CVSS 10.0) affected literally hundreds of millions of exposed Java servers; three years after its discovery, Cisco Talos reports that 31% of Java servers scanned in 2024 remain vulnerable. Spring4Shell (CVE-2022-22965, March 2022, CVSS 9.8) exploits a flaw in Spring Framework enabling remote RCE via class attribute manipulation. Beyond major CVEs, Spring Boot deployments frequently expose Actuator endpoints in production without authentication — /actuator/heapdump enables dumping the entire JVM memory (including secrets), /actuator/env reveals environment variables, /actuator/jolokia enables execution of arbitrary JMX methods.

CVE-2021-44228 (Log4Shell, CVSS 10.0): RCE via JNDI injection in Log4j 2.x — virtually all unpatched Spring Boot applications; 31% of Java servers scanned in 2024 remain vulnerable (Cisco Talos).
CVE-2022-22965 (Spring4Shell, CVSS 9.8): RCE via class attribute manipulation in Spring Framework < 5.3.18 / < 5.2.20 — discovered March 2022, public exploit available.
CVE-2023-20861 (SpEL DoS, CVSS 5.3): denial of service via malformed SpEL expressions in Spring Expression — affects Spring 5.2.x to 5.3.25 / 6.0.x to 6.0.6.
CVE-2024-22243 (UriComponentsBuilder, CVSS 8.1): SSRF via incorrect URI handling in Spring Framework's UriComponentsBuilder — used in most Spring HTTP clients.
Exposed Actuator endpoints: /actuator/heapdump (JVM memory dump including secrets), /actuator/env (environment variables), /actuator/jolokia (arbitrary JMX execution) — Veracode reports 18% of Spring Boot applications scanned in 2024 expose Actuator without authentication.
Native Java deserialization: ObjectInputStream, XStream, Jackson polymorphic typing — classic exploitation chain to RCE via ysoserial gadgets (CommonsCollections, Spring1, etc.).
Spring Security misconfigurations: bypassable authorization rules, CSRF disabled in production (common anti-pattern for REST APIs), session fixation, JWT signed with « none » algorithm.

What we specifically test in a Spring Boot application

Active Log4Shell detection: JNDI injection tests on all user fields (HTTP headers, URL parameters, JSON request bodies); detection of vulnerable Log4j versions (1.x EOL and 2.x < 2.17.1) via JAR fingerprinting.
Spring4Shell exploitability: POST with class.module.classLoader.* payload to trigger RCE; detection of Spring Framework versions < 5.3.18 / < 5.2.20.
Actuator endpoints: enumeration of exposed endpoints (/actuator/*), authentication verification, /heapdump exploitation for secret extraction, /env for configuration disclosure, /jolokia for arbitrary JMX method execution.
Spring Expression Language (SpEL) injection: tests in all fields where SpEL could be evaluated (Spring Boot Actuator, @Value expressions exposed to user, Spring Data Repository @Query with SpEL).
Java deserialization: identification of endpoints accepting serialized objects (native Java, XStream, Jackson @JsonTypeInfo); tests with ysoserial gadgets for exploitation demonstration.
Spring Security configuration: SecurityFilterChain audit for rules allowing authentication bypass, CSRF status, JWT configuration (algorithm, validation, expiration), CORS misconfigurations.
Mass assignment via Spring MVC binding: exposure of internal fields via @ModelAttribute, manipulation of DTO objects to escalate privileges (role/isAdmin/userId change via non-restrictive binding).
Spring Data SQL injection: @Query usage with parameter concatenation, NativeQuery without parameterization, JPQL injection via dynamic Specification.
Exposure of sensitive files: application.properties / application.yml exposed via /actuator/configprops or /actuator/env, plaintext secrets in configurations.
JVM-level vulnerabilities: tests of EOL Java versions (Java 8 < 8u391, Java 11 < 11.0.21, Java 17 < 17.0.9) with exploitable JDK CVEs; JVM configuration exposing risks (RMI enabled, JMX without authentication).

Sample finding

Critical

Actuator /heapdump endpoint exposed without authentication — JVM secrets extraction

The Spring Boot application exposes /actuator/heapdump without authentication or IP restriction. An attacker can download a full JVM heap dump (typically 500 MB to 4 GB) containing the entire application memory state. Our test enabled extraction of: (1) plaintext passwords present in memory after user authentication; (2) Stripe and AWS API keys stored in Spring Environment variables; (3) active JWT tokens of ongoing sessions; (4) DB pool connections with credentials. Exploitation is trivial: curl -O https://target.example.com/actuator/heapdump then analysis with Eclipse MAT or jhat. Exposure window was 8 months (per archived nginx logs).

Fix: Immediate action (priority 1): disable /actuator/heapdump in production via management.endpoint.heapdump.enabled=false. Complete action: restrict all Actuator endpoints via Spring Security with Basic or OAuth2 authentication; limit exposure to a separate management port (management.server.port=8081) accessible only from the internal network; expose only strictly necessary endpoints (typically /health with management.endpoints.web.exposure.include=health); audit all other endpoints (/env, /configprops, /beans, /mappings, /metrics) that may leak sensitive information. Immediate rotation of all secrets / tokens that could have been compromised during the exposure period.

Reference: CVE-2023-20873 (Spring Boot Actuator) · CWE-200 (Exposure of Sensitive Information) · OWASP A05:2021 (Security Misconfiguration) · Spring Boot Security Guide 3.x · Veracode State of Software Security 2024

Spring Boot pentest options compared

—	Free scan	Matproof Sentinel	Traditional consultancy
Automated scan engine	✓ (3-min preview)	✓ Full scan	✗ Manual only
OWASP Top 10 coverage	Partial	✓ Complete	✓ Complete
Proof-of-exploit evidence	✗	✓ Per finding	✓ Per finding
Regulatory mapping (DORA/NIS2/ISO 27001)	✗	✓ Automated	✓ Manual
Audit-ready PDF report	✗	✓ Instant	✓ 2–4 weeks delivery
Continuous / recurring scans	✗	✓ Per deploy	✗ Annual engagement
Time to first result	~3 min	~30 min full scan	2–4 weeks
Price	€0	From €149	€8,000–€25,000
Source code review (SAST)	✗	✓ On Growth plan	✓ Scoped engagement
API testing (REST/GraphQL)	✗	✓ Automated	✓ Manual

Spring Boot pentest packages

Single Run

€149 one-time

1 full pentest scan
AI-prioritized findings with CVSS 3.1
Proof-of-exploit per finding
Audit-ready PDF report
Regulatory mapping (DORA, NIS2, ISO 27001)

Unlimited scans (up to 3 domains)
Continuous monitoring
CI/CD integration (GitHub, GitLab)
All regulatory mappings
Priority support

Start Starter →

Growth

€799 / month

Unlimited scans + domains
Authenticated / White-Box testing
API & cloud infrastructure tests
Dedicated security account manager
24h SLA response time

Contact for Growth →

Frequently asked questions about Spring Boot pentest

How do you know if we're still vulnerable to Log4Shell three years after disclosure?

We actively test with JNDI payloads in all fields likely to be logged (User-Agent, X-Forwarded-For, authentication parameters, JSON body). We also identify via JAR fingerprinting the Log4j versions present in the classpath, including in transitive dependencies. According to Cisco Talos, 31% of Java servers in 2024 remain vulnerable — the long tail is due to legacy applications with frozen Java 8 dependencies, air-gapped environments, and embedded Tomcat / WebLogic servers with Log4j 1.x EOL.

What's the difference between an automated Spring scan and a manual pentest?

The automated scan (Matproof Sentinel Single Run, €149) detects known CVEs (Log4Shell, Spring4Shell, CVE-2023-20861, etc.), exposed Actuator endpoints, obvious Spring Security misconfigurations, and standard OWASP Top 10 vulnerabilities. The manual pentest (Growth plan) adds hunting for custom deserialization gadgets, deep analysis of complex SecurityFilterChain rules, SpEL injection in non-trivial contexts, and analysis of multi-step chains specific to your business logic. For DORA Art. 24 banks or BaFin BAIT systems, manual pentest remains recommended.

Can you test our Actuator endpoints with authentication (basic auth, OAuth2)?

Yes, in Starter and Growth plans we test Actuator endpoints with provided test credentials. We verify credential rotation, the strength of secrets used, exposure of sensitive endpoints even behind authentication (an authenticated attacker could still exfiltrate a heapdump), and privilege escalations via /actuator/loggers (log level modification) or /actuator/restart.

Our application uses WebFlux (Spring reactive) instead of Spring MVC. Do tests apply?

Yes. Spring WebFlux has its own set of vulnerabilities to test: WebFilter misconfigurations (reactive equivalent of MVC Filters), backpressure exploitation for DoS, different CORS configurations between WebFlux and MVC (source of bugs), and SecurityWebFilterChain (reactive) instead of SecurityFilterChain (servlet). We adapt our tests to your reactive stack with particular attention to Reactor operators likely to block the scheduler.

What other Java frameworks do you test besides Spring Boot?

Our coverage includes all popular Java backend frameworks: Spring Boot (3.x, 2.x), Quarkus, Micronaut, Jakarta EE (formerly Java EE) on Wildfly / Payara / OpenLiberty, Helidon, Vert.x, Play Framework, Dropwizard. Vulnerability classes are largely common (deserialization, configuration management endpoints, Log4j dependencies), with framework-specific specifics addressed in our tests.

How do you integrate Matproof Sentinel into our Maven / Gradle pipeline?

Starter or Growth plan: we provide a Maven plugin (matproof-sentinel-maven-plugin) and a Gradle task (matproof-sentinel-gradle-plugin) that hook into the verify or check phases. On each build PR, a fast scan (15 min) targets the changes; a full weekly scan on the main/release branch. Critical/High findings can block the build via a configurable threshold.

Is the Matproof Sentinel pentest accepted by DORA / BaFin BAIT auditors for Spring Boot compliance?

Yes. Our report produces an explicit mapping to DORA Art. 24 (regular pentest), DORA Art. 25 (vulnerability management), and BaFin BAIT §6.3 (application tests). For BAIT banks, we include specific Spring Boot audit evidence (versions, tested CVEs, audited Actuator endpoints). For DORA Art. 26 TLPT, Matproof Sentinel doesn't replace an ECB-accredited red-team test but can complement it for continuous coverage between triennial TLPT tests.

How long does a complete Spring Boot pentest take?

The complete automated scan (covering Log4Shell, Spring4Shell, Actuator, SpEL injection, deserialization, Spring Security misconfigurations, and OWASP Top 10) takes about 90 minutes for a typical Spring Boot application with 50-100 endpoints. For microservice applications (10+ Spring services), we parallelize the scans with a total duration of 3-4 hours. The audit-ready DORA / NIS2 / ISO 27001 report is delivered within 24 hours.

Go deeper — related blog articles

Protect your Spring Boot application now

First scan in 3 minutes, complete Spring Boot pentest in 90 minutes including Log4Shell, Spring4Shell, and Actuator audit. Audit-ready DORA / NIS2 / ISO 27001 report from €149.