Endpoint Exposure Analyzer
Configuration Name: EndpointExposure
The Endpoint Exposure Analyzer detects unintended management, diagnostic, and debug endpoints in popular application frameworks, helping teams secure sensitive paths before deployment.
Framework Coverage
- Spring Boot
- Jakarta EE
- Quarkus
- Micronaut
- Flask
- Werkzeug
- Django
- Express
- ASP.NET Core
- Ruby on Rails
- Laravel
- Symfony
How It Works
- URL Construction: Builds target URLs by combining the application's base address with each framework's common endpoint paths.
- Request Strategy: Executes GET requests both with and without available authorization credentials.
- Detection & Reporting: Flags any endpoint where the request returns a successful response, indicating potential exposure.
By automating these checks, the analyzer empowers developers to lock down or remove vulnerable endpoints well before they reach production.
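The three steps above, written out as a small pre-deployment self-check you can point at your own staging instance. This is an added example, not the analyzer's own implementation: the path list is a constructed subset of the default checks below, `_StubApp` is a constructed stand-in for an application that leaks `/actuator/env` anonymously and gates `/metrics` behind a bearer token, and the `fetch` parameter exists only so the probe logic can be exercised without a network.

```python
"""Endpoint-exposure probe: build URLs, GET with and without credentials,
flag successful responses. Added example; not the analyzer's own code."""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.parse import urljoin
from urllib.request import Request, urlopen

# Constructed subset of the default endpoint checks listed on this page.
COMMON_PATHS = ["/actuator/env", "/actuator/health", "/__debug__/", "/metrics"]


def build_targets(base_url, paths=COMMON_PATHS):
    """Combine the base address with each framework path; a context path is kept."""
    base = base_url if base_url.endswith("/") else base_url + "/"
    return [urljoin(base, p.lstrip("/")) for p in paths]


def http_status(url, auth_header=None):
    """Return the HTTP status of a GET, or None if the host is unreachable."""
    req = Request(url, method="GET")
    if auth_header:
        req.add_header("Authorization", auth_header)
    try:
        with urlopen(req, timeout=3) as resp:
            return resp.status
    except HTTPError as e:
        return e.code          # 4xx/5xx are still a status, not an error here
    except URLError:
        return None


def probe(base_url, auth_header=None, paths=COMMON_PATHS, fetch=http_status):
    """Request every target anonymously first, then with credentials if given.
    Returns {url: "exposed" | "authenticated-only" | "not-found"}."""
    findings = {}
    for url in build_targets(base_url, paths):
        anon = fetch(url)
        if anon is not None and 200 <= anon < 300:
            findings[url] = "exposed"             # reachable with no credentials at all
            continue
        if auth_header:
            authed = fetch(url, auth_header)
            if authed is not None and 200 <= authed < 300:
                findings[url] = "authenticated-only"   # present; confirm it is needed in prod
                continue
        findings[url] = "not-found"
    return findings


class _StubApp(BaseHTTPRequestHandler):
    """Constructed stand-in: leaks /actuator/env, gates /metrics behind auth."""

    def do_GET(self):
        if self.path == "/actuator/env":
            body, code = b'{"propertySources": []}', 200
        elif self.path == "/metrics":
            code = 200 if self.headers.get("Authorization") else 401
            body = b"up 1\n"
        else:
            body, code = b"not found", 404
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def run_demo():
    """Serve the stub on a free localhost port, probe it, and return the findings."""
    server = HTTPServer(("127.0.0.1", 0), _StubApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = f"http://127.0.0.1:{server.server_port}"
        return probe(base, auth_header="Bearer demo-token")
    finally:
        server.shutdown()


if __name__ == "__main__":
    for url, verdict in run_demo().items():
        print(f"{verdict:20} {url}")
```

The anonymous request runs first so that an endpoint reachable without any credentials is reported as `exposed` even when credentials are available; an endpoint that only answers with the token is reported separately, since it still deserves a review of whether it belongs in production at all.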
Default Endpoint Exposure Checks
| Category / Framework | Example Paths | Security Risk / Reason | Recommended Remediation |
|---|---|---|---|
| Debug Console | /console, /jmx-console, /admin-console | Exposes debug or admin consoles for frameworks like Jakarta EE (WildFly, Payara, TomEE) or Werkzeug, potentially allowing full control over deployments, datasources, security realms, or remote JMX invocation. | Bind management interfaces to localhost or a secured network. Enforce strong authentication and authorization. Disable unused admin endpoints. |
| Spring Boot Actuator | /actuator/beans, /actuator/env, /actuator/heapdump, /actuator/loggers, /actuator/metrics, /actuator/prometheus, /actuator/shutdown, /actuator/threaddump, /actuator/info | Leaks configuration, environment details, bean definitions, metrics, thread and heap dumps. Some endpoints can be abused for shutdown or reconnaissance. | Expose only required endpoints via management.endpoints.web.exposure.include. Secure with Spring Security and role-based access. Bind to localhost or internal networks. Disable sensitive endpoints in production. |
| Admin (Generic) | /admin | Exposes administrative interfaces common in Express, Flask, and Django applications. | Restrict access to known IP ranges or protect behind strong authentication. |
| Metrics | /metrics | Leaks internal health state or application load in frameworks such as Micronaut, Dropwizard, ASP.NET Core, and Express. | Restrict access to internal networks or require authentication. |
| Health | /health | Reveals internal service health and availability details in Micronaut, ASP.NET Core, NestJS, and similar frameworks. | Limit exposure to internal systems only. |
| API Documentation | /swagger, /swagger-ui, /openapi.json, /api-docs, /docs, /redoc | Publicly exposes the entire API surface, schemas, and security schemes, enabling attackers to map all operations and payloads. | Disable documentation endpoints in production. If required, protect them with strong authentication and authorization. |
| Micronaut | /info, /loggers, /beans, /routes, /env | Leaks configuration, environment variables, application version, bean names, logger settings, and routing information. | Expose only necessary endpoints. Require authentication and restrict network access. |
| Quarkus | /q/health, /q/metrics, /q/logging, /q/openapi, /q/jfr | Exposes runtime and JVM profiling data. Allows dynamic log-level changes and full API schema disclosure. | Disable OpenAPI UI in production. Protect logging endpoints and restrict health and metrics to internal networks. |
| Dropwizard | /healthcheck, /threads, /ping, /tasks, /jmx | JVM metrics and thread dumps reveal resource usage. Tasks and JMX can expose unintended execution paths or MBean operations. | Bind admin ports to localhost or VPN. Disable unnecessary servlets such as JMX and tasks. |
| Jakarta EE (WildFly, Payara, TomEE) | /management | Provides full administrative control over deployments, datasources, and security realms. | Bind management interfaces to secure networks. Enforce strong authentication and disable unused endpoints. |
| ASP.NET Core | /error | Can expose environment details or developer exception pages with stack traces. | Enable developer exception pages only in development. Restrict health and metrics endpoints. |
| Express (Node.js) | /status, /debug | Custom debug or status routes may leak metrics, heap snapshots, or allow unintended access. | Remove development routes in production. Secure endpoints with authentication and use security headers such as Helmet. |
| NestJS | /live, /ready | Health endpoints may leak service readiness and operational details. | Restrict to internal use only. |
| Django | /__debug__/ | Debug toolbar reveals SQL queries, settings, and environment variables. Admin interfaces may be brute-forced. | Set DEBUG=False in production. Restrict admin access and remove debug tooling. |
| Ruby on Rails | /rails/info/routes, /rails/info/properties, /rails/consoles, /sidekiq | Development routes expose routes and configuration. Web console can allow code execution. Sidekiq UI allows job manipulation. | Disable local request debugging. Restrict or remove Web Console. Protect Sidekiq with authentication. |
| Laravel | /telescope, /horizon, /nova | Exposes database queries, logs, environment variables, queue controls, and full CRUD access. | Set APP_DEBUG=false. Restrict access to internal networks and protect admin tools with role-based authentication. |
| Symfony | /_profiler, /_wdt, /app_dev.php/_profiler, /app_dev.php/_wdt | Profiler and debug toolbar leak SQL queries, routes, and environment configuration. | Deploy with APP_ENV=prod. Disable profiler and debug routes or block via firewall rules. |
| Gin pprof (Go) | /debug/pprof/, /debug/pprof/heap, /debug/pprof/goroutine | Heap and goroutine dumps expose runtime internals and can be abused for performance degradation. | Only enable pprof in non-production. Bind to localhost on a separate port if required. |
| Revel (Go) | /@tests | Allows runtime control such as restart or reload of the application. | Always run Revel in production mode, which removes developer control endpoints. |
Faults Reported
| Fault Identifier | Title | Summary | Solution | Severity |
|---|---|---|---|---|
| CWE-497 | Endpoint exposes application details | An endpoint exposes sensitive application details or control of the application. | Disable debug modes and administration consoles. If such functionality is required, then bind the endpoints to localhost or a protected network, and restrict access to only administrative users. | medium |