BootUI

Pentesting checks

The Pentesting panel runs a fixed, local-only set of OWASP Top 10 2025-aligned hygiene checks against the host application. This page lists every check that ships with BootUI today, what it inspects, when it fires, and what to do about it.

Each check is a small class registered in PentestCheckRegistry and implemented in PentestChecks.java. The list intentionally stays compact and reviewable; adding a new check means adding one focused class plus a registry entry, never adding ad-hoc HTTP traffic.

What BootUI does

The scanner combines two bounded evidence sources:

  • Spring metadata — Environment properties, classpath presence, Spring Security beans, the Spring MVC mapping inventory, and (for one check) reflection over registered SecurityFilterChain beans. No application property that BootUI itself injects (e.g. its actuator defaults) is ever read by a check.
  • Synthetic HTTP requests — exactly two localhost requests per scan against /<context-path>/__bootui_pentest__/missing-resource in the host application (never /bootui): one GET with Accept: text/html, and one OPTIONS preflight with Origin: https://evil.example and Access-Control-Request-Method: GET. The application's own response headers reveal CORS, security-header, and cookie posture. Bodies are inspected only for verbose-error markers and never persisted.

Findings are heuristic review prompts, not proof of exploitability. The panel is a developer hygiene tool, not a replacement for a real penetration test or DAST suite.

Check IDs are stable API-facing identifiers and keep their original PT-* prefixes for compatibility. A check ID's number therefore might not match the OWASP Top 10 2025 category displayed in the panel.

What BootUI does not do

  • It does not crawl or sweep application endpoints, fuzz inputs, or send SQL/XSS/command-injection payloads.
  • It does not run against /bootui itself — BootUI's own controllers are always excluded.
  • It does not perform dependency vulnerability scanning; that lives in the Vulnerabilities panel (OSV.dev, user-initiated).
  • It does not store raw response bodies, cookie values, or property values — only the metadata needed to render a finding.

Coverage by OWASP Top 10 (2025)

OWASP category | Checks | Notes
--- | --- | ---
A01 Broken Access Control | 1 | One CSRF posture review prompt; route authorization is left to manual review.
A02 Security Misconfiguration | 47 | Missing or unsafe security headers, cookies, CORS, actuator exposure, dev-only switches, HttpFirewall, public management binding, exposed dev consoles, request-detail logging, SQL logging, and verbose framework log levels.
A03 Software Supply Chain Failures | 0 | Handed off to the Vulnerabilities panel for explicit OSV dependency scanning; broader provenance and CI/CD controls need manual review.
A04 Cryptographic Failures | 4 | HSTS, disabled-HSTS, and Secure-cookie reminders; deep cryptographic code review is not performed.
A05 Injection | 0 | Skipped by design — use a dedicated DAST and manual review.
A06 Insecure Design | 0 | Skipped by design — threat modeling and business-logic abuse cases require manual review.
A07 Authentication Failures | 5 | Spring Security wiring, in-config credentials, auto-generated default user, servlet session tracking.
A08 Software or Data Integrity Failures | 0 | Skipped by design until BootUI has safe static checks for deserialization, update integrity, or trusted artifact boundaries.
A09 Security Logging and Alerting Failures | 0 | Skipped by design — audit coverage, alerting, and log integrity require operational review.
A10 Mishandling of Exceptional Conditions | 5 | Verbose error responses and Spring Boot server.error.include-* disclosure settings.
Total | 62 |

The zero-check categories are scoped intentionally: BootUI flags bounded local signals that are commonly forgotten or risky, but it never produces a value judgement on application code, architecture, operations, or payload behavior that requires a manual review.

Severity scale

Severity reflects the worst plausible impact if the finding is real, not the likelihood:

  • HIGH — credible exploit path with clear impact (e.g. credentialed CORS to a permissive origin, H2 SQL console, no Spring Security on application mappings).
  • MEDIUM — leaks internals or weakens defenses but typically needs chaining (e.g. actuator value exposure, verbose errors, missing session cookie hardening).
  • LOW — defense-in-depth gap (e.g. missing security headers, broad CORS without credentials).
  • INFO — informational hygiene prompt (e.g. missing optional headers, dev-only switches that are expected locally).

Severity is shown in the panel alongside a confidence rating (Low / Medium / High) that reflects how reliably the underlying signal indicates the finding.


A01:2025 — Broken Access Control

PT-A01-001 — All Spring Security filter chains have CSRF disabled

  • Severity / confidence: INFO / Low
  • Source: Spring metadata (reflection over SecurityFilterChain beans)
  • Inspects: every registered SecurityFilterChain for the presence of CsrfFilter.
  • Fires when: at least one filter chain is registered, and none of them include CsrfFilter. The check fails safe (stays silent) if Spring Security is absent or reflection raises any error.
  • Why it matters: CSRF protection is opt-out in Spring Security; disabling it in every chain is only safe for fully stateless, token-authenticated APIs. For browser-rendered routes it removes a primary defense.
  • Recommendation: leave CSRF enabled for any chain that serves a browser; only disable on chains that exclusively serve stateless APIs authenticated with bearer tokens.

A02/A04:2025 — Cookie and transport hygiene

These stable PT-A02-* checks now display either A02 Security Misconfiguration or A04 Cryptographic Failures, depending on whether the signal is cookie hardening or transport encryption.

PT-A02-001 — Cookie is missing HttpOnly

  • Severity / confidence: MEDIUM / Medium
  • Source: synthetic HTTP (Set-Cookie on the GET response)
  • Fires when: any Set-Cookie header on the synthetic response lacks HttpOnly.
  • Recommendation: mark session and sensitive cookies HttpOnly so browser scripts cannot read them.

PT-A02-002 — Cookie is missing Secure

  • Severity / confidence: INFO / Low
  • Source: synthetic HTTP (Set-Cookie on the GET response)
  • Fires when: a Set-Cookie header lacks Secure.
  • Why INFO: the probe is local HTTP, so Secure is often genuinely absent in development. Use this as a reminder to confirm the HTTPS deployment sets Secure.

PT-A02-003 — Cookie uses SameSite=None without Secure

  • Severity / confidence: MEDIUM / Medium
  • Source: synthetic HTTP (Set-Cookie on the GET response)
  • Fires when: a cookie is set with SameSite=None but no Secure attribute. Browsers reject such cookies and they can leak over plaintext.

PT-A02-004 — Session cookie Secure flag is explicitly disabled

  • Severity / confidence: LOW / Medium
  • Source: Spring metadata (server.servlet.session.cookie.secure)
  • Fires when: the property is explicitly set to false. A missing value does not fire.
  • Recommendation: remove the override or set it to true for HTTPS deployments.

PT-A02-005 — Session cookie HttpOnly flag is explicitly disabled

  • Severity / confidence: MEDIUM / High
  • Source: Spring metadata (server.servlet.session.cookie.http-only)
  • Fires when: the property is explicitly set to false. A missing value does not fire.
  • Recommendation: remove the override so the session identifier is not readable from JavaScript.

PT-A02-006 — Session cookie SameSite=None is paired with Secure=false

  • Severity / confidence: MEDIUM / High
  • Source: Spring metadata (server.servlet.session.cookie.same-site, server.servlet.session.cookie.secure)
  • Fires when: same-site=none is explicitly configured together with secure=false. A missing secure value does not fire because HTTPS deployments and reverse proxies may still set the Secure attribute correctly.
  • Recommendation: remove secure=false or set it to true whenever the session cookie is allowed cross-site.
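The three session-cookie property checks above share one rule that is easy to get wrong in a reimplementation: only an explicit `false` fires, an absent property never does. The following is an added example (not BootUI's own code, and it uses none of its classes) that applies PT-A02-004, PT-A02-005 and PT-A02-006 to a flat property map standing in for Spring's Environment. The property maps are constructed; the check IDs are reused only as labels.

```python
from typing import Dict, List

COOKIE = "server.servlet.session.cookie."  # Spring Boot's session-cookie property prefix


def explicit_false(props: Dict[str, str], key: str) -> bool:
    """Only an explicit 'false' counts; a missing key stays silent by design."""
    return props.get(key, "").strip().lower() == "false"


def evaluate_session_cookie_properties(props: Dict[str, str]) -> List[str]:
    """Return the IDs of the session-cookie prompts that would fire for these properties."""
    fired: List[str] = []
    secure_false = explicit_false(props, COOKIE + "secure")
    if secure_false:
        fired.append("PT-A02-004")
    if explicit_false(props, COOKIE + "http-only"):
        fired.append("PT-A02-005")
    same_site_none = props.get(COOKIE + "same-site", "").strip().lower() == "none"
    # same-site=none alone is not enough: the Secure attribute may still be added by
    # the HTTPS edge, so the prompt needs the explicit secure=false as well
    if same_site_none and secure_false:
        fired.append("PT-A02-006")
    return fired


# Constructed property sets: one weak, one with only the override removed
WEAK_SESSION_PROPS = {
    "server.servlet.session.cookie.secure": "false",
    "server.servlet.session.cookie.http-only": "FALSE",
    "server.servlet.session.cookie.same-site": "none",
}
CORRECTED_SESSION_PROPS = {
    "server.servlet.session.cookie.same-site": "none",  # secure left unset
}

if __name__ == "__main__":
    print("weak:", evaluate_session_cookie_properties(WEAK_SESSION_PROPS))
    print("corrected:", evaluate_session_cookie_properties(CORRECTED_SESSION_PROPS))
```

Values are compared case-insensitively because relaxed binding in Spring Boot accepts `FALSE` as readily as `false`; the silent-on-absence rule is what keeps default deployments from producing noise.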

A02/A04/A10:2025 — Misconfiguration, transport, and error-handling checks

These stable PT-A05-* checks now display A02 Security Misconfiguration for most configuration hygiene prompts, A04 Cryptographic Failures for HSTS/Secure-cookie reminders, and A10 Mishandling of Exceptional Conditions for verbose error disclosure.

PT-A05-001 — Synthetic security-header check failed

  • Severity / confidence: INFO / Low
  • Source: synthetic HTTP (GET)
  • Fires when: the synthetic GET request itself failed (connection refused, timeout, etc.). It exists so you can tell whether the rest of the HTTP-based checks are reliable: when it fires, they had no response to inspect.

PT-A05-002 — Missing X-Content-Type-Options nosniff header

  • Severity / confidence: LOW / Medium
  • Source: synthetic HTTP (GET)
  • Fires when: the GET response did not include X-Content-Type-Options: nosniff.

PT-A05-003 — Missing clickjacking protection header

  • Severity / confidence: LOW / Medium
  • Source: synthetic HTTP (GET)
  • Fires when: the GET response is missing both X-Frame-Options and a CSP frame-ancestors directive.

PT-A05-046 — X-Frame-Options uses an unsupported value

  • Severity / confidence: LOW / Medium
  • Source: synthetic HTTP (GET)
  • Fires when: X-Frame-Options is present, no CSP frame-ancestors directive is present, and none of the comma-separated header values is DENY or SAMEORIGIN. This catches obsolete values such as ALLOW-FROM.
  • Recommendation: use DENY, SAMEORIGIN, or a CSP frame-ancestors directive.

PT-A05-004 — Missing Referrer-Policy header

  • Severity / confidence: INFO / Medium
  • Source: synthetic HTTP (GET)
  • Fires when: the GET response did not include Referrer-Policy.

PT-A05-047 — Referrer-Policy leaks full URLs cross-origin

  • Severity / confidence: LOW / High
  • Source: synthetic HTTP (GET)
  • Fires when: the effective (last comma-separated) Referrer-Policy value is unsafe-url, which sends full URLs to same-origin and cross-origin destinations.
  • Recommendation: prefer no-referrer, strict-origin, or strict-origin-when-cross-origin.

PT-A05-005 — Cookie is missing SameSite

  • Severity / confidence: LOW / Medium
  • Source: synthetic HTTP (Set-Cookie)
  • Fires when: a Set-Cookie lacks any SameSite attribute.
  • Recommendation: set SameSite=Lax or SameSite=Strict unless the cookie must be sent cross-site.
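The four cookie prompts (PT-A02-001, PT-A02-002, PT-A02-003 above and PT-A05-005 here) all derive from the attribute list of each Set-Cookie header. The following is an added example, not BootUI's own code and using none of its classes: a small Set-Cookie parser that keeps only the cookie name and attributes (never the value, matching the page's no-persistence rule) and applies the four rules. The sample headers are constructed; the check IDs are reused only as labels.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class CookieFinding:
    check_id: str  # ID reused from this page as a label
    cookie: str    # cookie name only; the value is deliberately not stored
    detail: str


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split one Set-Cookie header into (name, {attribute-lowercase: value or None})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()  # discard the cookie value
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() or None  # flags such as HttpOnly have no value
    return name, attrs


def evaluate_cookie(header: str) -> List[CookieFinding]:
    """Apply the four cookie rules to a single Set-Cookie header."""
    name, attrs = parse_set_cookie(header)
    same_site = (attrs.get("samesite") or "").lower()
    secure = "secure" in attrs
    findings: List[CookieFinding] = []
    if "httponly" not in attrs:
        findings.append(CookieFinding("PT-A02-001", name, "missing HttpOnly"))
    if not secure:
        findings.append(CookieFinding("PT-A02-002", name, "missing Secure"))
    if same_site == "none" and not secure:
        findings.append(CookieFinding("PT-A02-003", name, "SameSite=None without Secure"))
    if "samesite" not in attrs:
        findings.append(CookieFinding("PT-A05-005", name, "missing SameSite"))
    return findings


def evaluate_response_cookies(set_cookie_headers: List[str]) -> List[CookieFinding]:
    """Evaluate every Set-Cookie header of one response."""
    findings: List[CookieFinding] = []
    for header in set_cookie_headers:
        findings.extend(evaluate_cookie(header))
    return findings


# Constructed sample response: a hardened cookie, a bare cookie, and a broken SameSite=None cookie
SAMPLE_SET_COOKIE = [
    "JSESSIONID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "theme=dark; Path=/",
    "sso=tok; Path=/; HttpOnly; SameSite=None",
]

if __name__ == "__main__":
    for finding in evaluate_response_cookies(SAMPLE_SET_COOKIE):
        print(f"{finding.check_id}: cookie '{finding.cookie}' {finding.detail}")
```

Attribute names are lower-cased before comparison because Set-Cookie attributes are case-insensitive, and a cookie with `SameSite=None` but no `Secure` raises both PT-A02-002 and PT-A02-003, which is what the page's two separate prompts imply.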

PT-A05-006 — Error response appears to expose implementation details

  • Severity / confidence: MEDIUM / Low
  • Source: synthetic HTTP (response body of the GET)
  • Fires when: the response body matches a verbose-error heuristic (stack-trace fragments, exception class names, framework error markers). Body content is matched against fixed markers and never persisted.

PT-A05-007 — CORS allows credentialed cross-origin requests

  • Severity / confidence: HIGH / Medium
  • Source: synthetic HTTP (OPTIONS)
  • Fires when: the preflight response sets Access-Control-Allow-Origin: * or echoes the attacker origin https://evil.example AND Access-Control-Allow-Credentials: true. That combination defeats the same-origin policy for authenticated requests.

PT-A05-008 — CORS allows a broad cross-origin request

  • Severity / confidence: LOW / Low
  • Source: synthetic HTTP (OPTIONS)
  • Fires when: the preflight allows * or the attacker origin without credentials. This is defense-in-depth rather than an immediate exploit, but signals an overly permissive CORS policy.

PT-A05-010 — Missing Content-Security-Policy header

  • Severity / confidence: LOW / Medium
  • Source: synthetic HTTP (GET)
  • Fires when: the GET response did not include a Content-Security-Policy header (distinct from a CSP that only contributes frame-ancestors).

PT-A05-011 — Response discloses server technology

  • Severity / confidence: LOW / Low
  • Source: synthetic HTTP (GET)
  • Fires when: the response includes Server or X-Powered-By headers. The evidence string notes whether the value appears to include a version.

PT-A05-012 — Strict-Transport-Security not observed

  • Severity / confidence: INFO / Low
  • Source: synthetic HTTP (GET)
  • Fires when: the response did not include Strict-Transport-Security. The probe uses local HTTP, so this is a reminder to confirm HSTS is set on the HTTPS edge or proxy.

PT-A05-048 — Strict-Transport-Security disables HSTS

  • Severity / confidence: LOW / High
  • Source: synthetic HTTP (GET)
  • Fires when: a Strict-Transport-Security header is observed with max-age=0, which clears browser HSTS state.
  • Recommendation: only send max-age=0 during a deliberate HSTS removal window; otherwise configure a positive max-age on HTTPS responses.
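The header prompts above (PT-A05-002, PT-A05-003, PT-A05-046, PT-A05-004, PT-A05-047, PT-A05-012 and PT-A05-048) each hinge on a small parsing detail: a comma-separated X-Frame-Options list, the last Referrer-Policy token being the effective one, and `max-age=0` in HSTS. The following is an added example, not BootUI's own code and using none of its classes, that applies those rules to a response header map. The sample responses are constructed; the check IDs are reused only as labels.

```python
import re
from typing import Dict, List, Optional


def header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def csp_has_frame_ancestors(headers: Dict[str, str]) -> bool:
    """True when Content-Security-Policy carries a frame-ancestors directive."""
    csp = header(headers, "Content-Security-Policy") or ""
    return any(d.strip().lower().startswith("frame-ancestors") for d in csp.split(";"))


def evaluate_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return the IDs of the header prompts that would fire for one GET response."""
    fired: List[str] = []

    xcto = header(headers, "X-Content-Type-Options")
    if xcto is None or xcto.strip().lower() != "nosniff":
        fired.append("PT-A05-002")

    xfo = header(headers, "X-Frame-Options")
    frame_ancestors = csp_has_frame_ancestors(headers)
    if xfo is None and not frame_ancestors:
        fired.append("PT-A05-003")
    elif xfo is not None and not frame_ancestors:
        # comma-separated list: one supported value is enough to stay silent
        values = {v.strip().upper() for v in xfo.split(",")}
        if not values & {"DENY", "SAMEORIGIN"}:
            fired.append("PT-A05-046")

    referrer = header(headers, "Referrer-Policy")
    if referrer is None:
        fired.append("PT-A05-004")
    elif referrer.split(",")[-1].strip().lower() == "unsafe-url":
        # browsers use the last recognised token as the effective policy
        fired.append("PT-A05-047")

    hsts = header(headers, "Strict-Transport-Security")
    if hsts is None:
        fired.append("PT-A05-012")
    else:
        match = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        if match and int(match.group(1)) == 0:
            fired.append("PT-A05-048")
    return fired


# Constructed sample responses
HARDENED_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
WEAK_HEADERS = {
    "x-frame-options": "ALLOW-FROM https://partner.example",
    "Referrer-Policy": "no-referrer, unsafe-url",
    "strict-transport-security": "max-age=0",
}

if __name__ == "__main__":
    print("hardened:", evaluate_security_headers(HARDENED_HEADERS))
    print("weak:", evaluate_security_headers(WEAK_HEADERS))
```

Note that a CSP with `frame-ancestors` silences both PT-A05-003 and PT-A05-046, mirroring the page: an obsolete X-Frame-Options value is only a problem when CSP does not already decide framing.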

PT-A05-013 — Missing Permissions-Policy header

  • Severity / confidence: INFO / Low
  • Source: synthetic HTTP (GET)
  • Fires when: the response did not include Permissions-Policy.

PT-A05-014 — Error responses are configured to expose details

  • Severity / confidence: MEDIUM / Medium
  • Source: Spring metadata (server.error.include-stacktrace, server.error.include-message)
  • Fires when: either property is set to always or on-param.

PT-A05-015 — Actuator shutdown endpoint is enabled

  • Severity / confidence: MEDIUM / Medium
  • Source: Spring metadata (management.endpoint.shutdown.enabled)
  • Fires when: explicitly set to true. Combined with web exposure this is a denial-of-service trigger.

PT-A05-016 — Actuator mappings are present without Spring Security

  • Severity / confidence: MEDIUM / Medium
  • Source: Spring metadata (Spring MVC mappings + Spring Security beans)
  • Fires when: at least one /actuator/* mapping exists, and no FilterChainProxy or SecurityFilterChain bean is registered. The evidence string highlights high-risk endpoints (/heapdump, /env, /httpexchanges or /httptrace, /sessions, /threaddump, /loggers, /jolokia, /shutdown, /gateway/routes) before the generic mapping list so the worst exposures jump out.

PT-A05-032 — Actuator /heapdump endpoint is exposed

  • Severity / confidence: HIGH / High
  • Source: Spring metadata (Spring MVC mappings)
  • Fires when: a mapping for /{management-base-path}/heapdump is registered. A heap dump can contain credentials, session tokens, and PII pulled straight out of process memory.
  • Recommendation: do not expose heapdump over HTTP. Remove it from management.endpoints.web.exposure.include or set management.endpoint.heapdump.access=none.

PT-A05-033 — Actuator /httpexchanges (or /httptrace) endpoint is exposed

  • Severity / confidence: HIGH / High
  • Source: Spring metadata (Spring MVC mappings)
  • Fires when: a mapping for /httpexchanges (Spring Boot 3.x+) or the legacy /httptrace (Spring Boot ≤ 2.x) is registered. Both replay recent HTTP requests/responses, including Authorization, Cookie, and other sensitive headers.
  • Recommendation: keep it disabled in production. Where it is needed locally, require authentication and access controls.

PT-A05-034 — Actuator /sessions endpoint is exposed

  • Severity / confidence: HIGH / High
  • Source: Spring metadata (Spring MVC mappings)
  • Fires when: a mapping for /sessions is registered. The endpoint lists session IDs and supports deletion by ID.
  • Recommendation: do not expose sessions. If required, restrict to authenticated administrators only.

PT-A05-035 — Actuator /loggers endpoint is exposed

  • Severity / confidence: MEDIUM / Medium
  • Source: Spring metadata (Spring MVC mappings)
  • Fires when: a mapping for /loggers is registered. The endpoint supports POST writes that change log levels at runtime; flipping a noisy package to DEBUG can leak request payloads and credentials into logs.
  • Recommendation: keep loggers behind authentication or disable web exposure.

PT-A05-036 — Actuator /threaddump endpoint is exposed

  • Severity / confidence: MEDIUM / Medium
  • Source: Spring metadata (Spring MVC mappings)
  • Fires when: a mapping for /threaddump is registered. The dump reveals internal stack frames, library versions, and sometimes parameter values that aid reconnaissance.
  • Recommendation: do not expose threaddump unauthenticated.

PT-A05-037 — Actuator /gateway/routes endpoint is exposed

  • Severity / confidence: MEDIUM / Medium
  • Source: Spring metadata (Spring MVC mappings)
  • Fires when: a mapping for /gateway/routes is registered (Spring Cloud Gateway). The endpoint lists internal route definitions and supports route mutation when actuator writes are enabled.
  • Recommendation: keep gateway actuator endpoints behind authentication and only expose what operators need.

PT-A05-038 — Actuator /logfile endpoint is exposed

  • Severity / confidence: MEDIUM / Medium
  • Source: Spring metadata (Spring MVC mappings)
  • Fires when: a mapping for /logfile is registered. Streams the contents of the configured log file, which routinely captures stack traces, request data, and occasional secrets.
  • Recommendation: do not expose logfile over HTTP outside of trusted networks.

PT-A05-039 — Actuator /caches endpoint is exposed

  • Severity / confidence: LOW / Low
  • Source: Spring metadata (Spring MVC mappings)
  • Fires when: a mapping for /caches is registered. Supports DELETE requests that evict cache entries and can be abused as a denial-of-service primitive.
  • Recommendation: leave the endpoint disabled unless administrators need it; require authentication when enabled.

PT-A05-040 — Actuator /prometheus endpoint is exposed

  • Severity / confidence: INFO / Low
  • Source: Spring metadata (Spring MVC mappings)
  • Fires when: a mapping for /prometheus is registered. Metrics scraping is normally fine, but unauthenticated metrics still leak business-volume data (e.g. request counts, queue depths).
  • Recommendation: scrape the endpoint over a private network or behind authentication.

PT-A05-017 — H2 database console is enabled

  • Severity / confidence: HIGH / High
  • Source: Spring metadata (spring.h2.console.enabled, spring.h2.console.settings.web-allow-others)
  • Fires when: spring.h2.console.enabled=true. The evidence escalates when web-allow-others=true is also set, which exposes the unauthenticated SQL console to remote callers.

PT-A05-018 — Actuator endpoints are configured to reveal values

  • Severity / confidence: MEDIUM / Medium
  • Source: Spring metadata (management.endpoint.env.show-values, management.endpoint.configprops.show-values)
  • Fires when: either is set to always. That reveals raw property values (potentially secrets) through /env or /configprops.

PT-A05-049 — Actuator web exposure includes every endpoint

  • Severity / confidence: MEDIUM / High
  • Source: Spring metadata (management.endpoints.web.exposure.include)
  • Fires when: the host application explicitly includes *, including indexed YAML/list forms. BootUI's own actuator defaults do not include *.
  • Recommendation: expose only the actuator endpoints operators need and keep sensitive endpoints disabled or authenticated.
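The phrase "including indexed YAML/list forms" in PT-A05-049 is the part a naive property check misses: a YAML list binds to `management.endpoints.web.exposure.include[0]`, `[1]`, and so on rather than to one comma-separated value. The following is an added example, not BootUI's own code and using none of its classes, that handles both forms and also applies the always/on-param rule of PT-A05-014 and PT-A05-018's `always` rule. The property maps are constructed; the check IDs are reused only as labels.

```python
import re
from typing import Dict, List

EXPOSURE_INCLUDE = "management.endpoints.web.exposure.include"
# indexed form Spring Boot produces for a YAML list: ...include[0], ...include[1], ...
INDEXED_INCLUDE = re.compile(re.escape(EXPOSURE_INCLUDE) + r"\[\d+\]$")


def exposure_includes_wildcard(props: Dict[str, str]) -> bool:
    """Detect '*' in the comma-separated form and in the indexed YAML/list form."""
    for key, value in props.items():
        if key == EXPOSURE_INCLUDE:
            tokens = [t.strip() for t in value.split(",")]
        elif INDEXED_INCLUDE.match(key):
            tokens = [value.strip()]
        else:
            continue
        if "*" in tokens:
            return True
    return False


def value_in(props: Dict[str, str], key: str, accepted) -> bool:
    """Case-insensitive membership test on a trimmed property value."""
    return props.get(key, "").strip().lower() in accepted


def evaluate_actuator_properties(props: Dict[str, str]) -> List[str]:
    """Return the IDs of the actuator/error-disclosure prompts that would fire."""
    fired: List[str] = []
    if any(value_in(props, k, {"always", "on-param"})
           for k in ("server.error.include-stacktrace", "server.error.include-message")):
        fired.append("PT-A05-014")
    if any(value_in(props, k, {"always"})
           for k in ("management.endpoint.env.show-values", "management.endpoint.configprops.show-values")):
        fired.append("PT-A05-018")
    if exposure_includes_wildcard(props):
        fired.append("PT-A05-049")
    return fired


# Constructed property sets: a weak one (YAML list containing '*') and a corrected one
WEAK_ACTUATOR_PROPS = {
    "server.error.include-stacktrace": "on-param",
    "management.endpoint.env.show-values": "ALWAYS",
    "management.endpoints.web.exposure.include[0]": "health",
    "management.endpoints.web.exposure.include[1]": "*",
}
CORRECTED_ACTUATOR_PROPS = {
    "server.error.include-stacktrace": "never",
    "management.endpoint.env.show-values": "when-authorized",
    "management.endpoints.web.exposure.include": "health,info",
}

if __name__ == "__main__":
    print("weak:", evaluate_actuator_properties(WEAK_ACTUATOR_PROPS))
    print("corrected:", evaluate_actuator_properties(CORRECTED_ACTUATOR_PROPS))
```

The regex is anchored on both ends so that an unrelated key sharing the prefix (for example an `exclude` list, or a hypothetical `include-something`) is never mistaken for the indexed form.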

PT-A05-050 — Actuator health details are always exposed

  • Severity / confidence: LOW / Medium
  • Source: Spring metadata (management.endpoint.health.show-details, management.endpoint.health.show-components)
  • Fires when: the host application configures health details or components as always. BootUI's local default show-details=always is ignored so the check only reports host configuration.
  • Recommendation: use when-authorized or never outside local development unless the health endpoint is strongly authenticated.

PT-A05-019 — Actuator CORS allows any origin

  • Severity / confidence: MEDIUM / Medium
  • Source: Spring metadata (management.endpoints.web.cors.allowed-origins)
  • Fires when: the comma-separated list contains *.

PT-A05-020 — Spring Boot DevTools is on the classpath

  • Severity / confidence: INFO / Low
  • Source: Spring metadata (classpath presence of org.springframework.boot.devtools.RemoteSpringApplication)
  • Fires when: DevTools is on the classpath. Expected locally; the prompt exists to confirm the dependency is development-scoped and never ships to production.

PT-A05-021 — Missing Cross-Origin-Opener-Policy header

  • Severity / confidence: INFO / Low
  • Source: synthetic HTTP (GET)
  • Fires when: the response did not include Cross-Origin-Opener-Policy. Consider same-origin for sensitive UIs.

PT-A05-022 — Missing Cross-Origin-Resource-Policy header

  • Severity / confidence: INFO / Low
  • Source: synthetic HTTP (GET)
  • Fires when: the response did not include Cross-Origin-Resource-Policy. Consider same-origin or same-site.

PT-A05-023 — CORS preflight allows any method or header for a permissive origin

  • Severity / confidence: LOW / Medium
  • Source: synthetic HTTP (OPTIONS)
  • Fires when: the preflight echoes * or https://evil.example as the allowed origin and advertises Access-Control-Allow-Methods: * or Access-Control-Allow-Headers: *. Trusted origins do not trigger this check.

PT-A05-024 — TRACE method advertised in Allow header

  • Severity / confidence: LOW / Medium
  • Source: synthetic HTTP (OPTIONS)
  • Fires when: the Allow header lists TRACE. TRACE has no legitimate web-application use and can aid cross-site tracing attacks.
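The OPTIONS probe feeds four prompts (PT-A05-007, PT-A05-008, PT-A05-023 and PT-A05-024), and the distinction between them is the combination of the echoed origin, the credentials flag and the wildcard method/header lists. The following is an added example, not BootUI's own code and using none of its classes, that evaluates a preflight response header map against the probe origin the page names. The sample responses are constructed; the check IDs are reused only as labels.

```python
from typing import Dict, List, Optional, Set

PROBE_ORIGIN = "https://evil.example"  # the Origin the page says the OPTIONS probe sends


def header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def tokens(value: Optional[str]) -> Set[str]:
    """Upper-cased, trimmed tokens of a comma-separated header value."""
    return {t.strip().upper() for t in (value or "").split(",") if t.strip()}


def evaluate_preflight(headers: Dict[str, str], probe_origin: str = PROBE_ORIGIN) -> List[str]:
    """Return the IDs of the CORS/TRACE prompts that would fire for one preflight response."""
    fired: List[str] = []
    allow_origin = (header(headers, "Access-Control-Allow-Origin") or "").strip()
    # permissive = wildcard, or the untrusted probe origin reflected back
    permissive = allow_origin == "*" or allow_origin.lower() == probe_origin.lower()
    credentials = (header(headers, "Access-Control-Allow-Credentials") or "").strip().lower() == "true"

    if permissive and credentials:
        fired.append("PT-A05-007")  # credentialed access for an untrusted origin
    elif permissive:
        fired.append("PT-A05-008")  # broad but uncredentialed: defense-in-depth gap

    if permissive:
        methods = (header(headers, "Access-Control-Allow-Methods") or "").strip()
        allowed_headers = (header(headers, "Access-Control-Allow-Headers") or "").strip()
        if methods == "*" or allowed_headers == "*":
            fired.append("PT-A05-023")  # only for a permissive origin; trusted origins stay silent

    if "TRACE" in tokens(header(headers, "Allow")):
        fired.append("PT-A05-024")
    return fired


# Constructed preflight responses
CREDENTIALED_PREFLIGHT = {
    "Access-Control-Allow-Origin": "https://evil.example",
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Headers": "*",
}
BROAD_PREFLIGHT = {
    "access-control-allow-origin": "*",
    "Allow": "GET, OPTIONS, TRACE",
}
TRUSTED_PREFLIGHT = {
    "Access-Control-Allow-Origin": "https://app.example",
    "Access-Control-Allow-Headers": "*",
}

if __name__ == "__main__":
    for name, resp in (("credentialed", CREDENTIALED_PREFLIGHT), ("broad", BROAD_PREFLIGHT), ("trusted", TRUSTED_PREFLIGHT)):
        print(f"{name}: {evaluate_preflight(resp)}")
```

The `elif` makes PT-A05-007 and PT-A05-008 mutually exclusive for one response, which matches the severity scale: the credentialed case is reported as the HIGH finding rather than as both.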

PT-A05-025 — server.error.include-exception is enabled

  • Severity / confidence: MEDIUM / High
  • Source: Spring metadata (server.error.include-exception)
  • Fires when: explicitly true. Exposes the underlying exception class in error responses.

PT-A05-026 — server.error.include-binding-errors reveals validation details

  • Severity / confidence: MEDIUM / Medium
  • Source: Spring metadata (server.error.include-binding-errors)
  • Fires when: set to always or on-param. Surfaces field-level validation errors to API callers.

PT-A05-027 — Jolokia JMX-over-HTTP bridge is configured or present

  • Severity / confidence: MEDIUM / Low
  • Source: Spring metadata (management.endpoint.jolokia.enabled and/or org.jolokia.http.AgentServlet on the classpath)
  • Fires when: either condition holds. Jolokia exposes JMX over HTTP and has a long history of remote-code-execution exploits when reachable.

PT-A05-028 — Actuator env endpoint accepts POST writes

  • Severity / confidence: MEDIUM / High
  • Source: Spring metadata (management.endpoint.env.post.enabled)
  • Fires when: explicitly true. Allows POST /actuator/env to mutate Spring properties at runtime.

PT-A05-029 — Actuator CORS allowed-origin-patterns is a wildcard

  • Severity / confidence: MEDIUM / Medium
  • Source: Spring metadata (management.endpoints.web.cors.allowed-origin-patterns)
  • Fires when: any token in the comma-separated list equals *. Combined with credentials this can expose actuator endpoints to any origin.

PT-A05-030 — spring.jpa.show-sql is enabled

  • Severity / confidence: INFO / Low
  • Source: Spring metadata (spring.jpa.show-sql)
  • Fires when: explicitly true. Logs full SQL statements; can leak schema and parameter values to log sinks.

PT-A05-031 — Verbose logging level configured for framework packages

  • Severity / confidence: INFO / Low
  • Source: Spring metadata (logging.level.root, logging.level.org.springframework, logging.level.org.springframework.web, logging.level.org.springframework.security)
  • Fires when: any of those four logger levels is set to DEBUG or TRACE. Verbose framework logging can leak request bodies, headers, and authentication detail.

PT-A05-051 — Request detail logging is enabled

  • Severity / confidence: INFO / High
  • Source: Spring metadata (spring.mvc.log-request-details, spring.codec.log-request-details)
  • Fires when: either property is explicitly true. These switches can expose request parameters, headers, and payload metadata when matching debug logging is enabled.
  • Recommendation: keep request detail logging disabled outside short local debugging sessions.

PT-A05-041 — API documentation or developer console is exposed

  • Severity / confidence: INFO / Medium
  • Source: Spring metadata (Spring MVC mappings)
  • Fires when: a mapping prefix matches a well-known developer surface: /v3/api-docs, /v2/api-docs, /swagger-ui, /graphiql, /graphql, or /h2-console. These are typically helpful locally but should not ship to production unauthenticated.
  • Recommendation: gate them behind a Spring profile (dev, local) or Spring Security rules; H2 console in particular should never be reachable from outside the JVM.

PT-A05-042 — Spring Security HttpFirewall is the permissive DefaultHttpFirewall

  • Severity / confidence: MEDIUM / High
  • Source: Spring metadata (reflection over the registered HttpFirewall bean)
  • Fires when: the resolved bean type is DefaultHttpFirewall. The Spring Security default is StrictHttpFirewall, which rejects URL-encoded path traversal, semicolons, and other request-smuggling vectors. Switching to DefaultHttpFirewall opens those classes back up.
  • Recommendation: remove the DefaultHttpFirewall override and rely on StrictHttpFirewall. If a specific request shape must be allowed, customise StrictHttpFirewall instead of replacing it.

PT-A05-043 — Management server bound to 0.0.0.0

  • Severity / confidence: MEDIUM / Medium
  • Source: Spring metadata (management.server.port, management.server.address)
  • Fires when: a dedicated management port is configured and management.server.address is explicitly set to 0.0.0.0, ::, or [::]. By design we only flag the explicit wildcard — when the address property is unset we stay silent, so default Spring Boot deployments do not fire.
  • Recommendation: bind the management port to 127.0.0.1/::1, a private interface, or a dedicated network segment. Combine with authentication on every sensitive actuator.

PT-A05-044 — server.forward-headers-strategy trusts X-Forwarded-* from any client

  • Severity / confidence: LOW / Low
  • Source: Spring metadata (server.forward-headers-strategy)
  • Fires when: set to framework or native. Forwarded headers (X-Forwarded-For, X-Forwarded-Host, X-Forwarded-Proto) are trusted from any source, which can be spoofed when the application is reachable directly rather than through a trusted reverse proxy.
  • Recommendation: only enable forwarded-headers handling when traffic actually flows through a trusted proxy that strips client-supplied headers, and confirm the proxy is the only ingress.

PT-A05-045 — server.error.include-path exposes request paths in error responses

  • Severity / confidence: INFO / Low
  • Source: Spring metadata (server.error.include-path)
  • Fires when: explicitly set to always or on-param. The default Spring Boot setting is never; switching it on echoes the request URI back in the error JSON, which can aid attacker reconnaissance when probing routes.
  • Recommendation: leave server.error.include-path at its default (never) outside of local debugging.

A07:2025 — Authentication Failures

PT-A07-001 — Spring Security is not on the classpath

  • Severity / confidence: HIGH / High
  • Source: Spring metadata (classpath + Spring MVC mappings)
  • Fires when: at least one application mapping exists and spring-security-web is absent. Application routes are served with no authentication or authorization layer.

PT-A07-002 — No Spring Security filter chain is configured

  • Severity / confidence: MEDIUM / Medium
  • Source: Spring metadata (Spring Security beans + Spring MVC mappings)
  • Fires when: Spring Security is on the classpath, application mappings exist, but no FilterChainProxy or SecurityFilterChain bean is registered.

PT-A07-003 — Spring Security user password is set in configuration

  • Severity / confidence: MEDIUM / Medium
  • Source: Spring metadata (spring.security.user.password defined)
  • Fires when: the property is defined. The value itself is never read — the check only inspects whether the property is configured. This signals an in-config credential that should be replaced with a real user store.

PT-A07-004 — Servlet session tracking modes include URL

  • Severity / confidence: MEDIUM / High
  • Source: Spring metadata (server.servlet.session.tracking-modes)
  • Fires when: the comma-separated list includes URL. URL session tracking leaks session identifiers in links, logs, and Referer headers.

PT-A07-005 — Spring Boot auto-generated security password is in use

  • Severity / confidence: MEDIUM / Medium
  • Source: Spring metadata (Spring Security bean inventory + spring.security.user.password presence)
  • Fires when: Spring Security is on the classpath, spring.security.user.password is not configured, and the context contains a bean named inMemoryUserDetailsManager — the canonical artefact of Spring Boot's UserDetailsServiceAutoConfiguration. That combination means the application is still running with the auto-generated user account and a random password printed once at startup.
  • Why it matters: anyone who tails the startup log captures the password forever, and the credential rotates only on restart. It also commonly survives into staging or demo deployments by accident.
  • Recommendation: configure a real UserDetailsService (or another authentication source) before exposing the application off the developer's machine. If you must keep a static account, set it explicitly via configuration so the auto-configured fallback is replaced.

Adding a new check

  1. Add a final class to PentestChecks.java extending AbstractPentestCheck. Pass a PentestDefinition with a unique stable ID (PT-<category>-NNN), title, OWASP 2025 category, severity, confidence, source (SPRING_METADATA or HTTP_SYNTHETIC), target, and recommendation.
  2. Implement evaluate(PentestContext) so it returns List.of() when the check is silent and one or more PentestFindingDtos otherwise. Reuse existing PentestContext accessors — do not introduce new HTTP traffic.
  3. Register the class in PentestCheckRegistry.ACTIVE_CHECKS. If the new check changes what an OWASP category covers, update the matching CoverageDefinition.scannedDescription.
  4. Add a focused test in PentestScannerTests: extend the uniqueness assertion to include the new ID, and verify the check stays silent on safe defaults and fires on a minimal failing fixture.
  5. Append the new check to this page in the matching OWASP section so the published catalogue stays in sync.
Last Updated: 6/6/26, 2:06 PM