GuardAPI

Fix Shadow API Exposure in Spring Boot

Shadow APIs represent the 'dark matter' of your attack surface. In Spring Boot environments, these typically manifest as undocumented @RestControllers, forgotten @RequestMapping paths used for debugging, or default Actuator endpoints exposed to the public internet. Attackers scan for these 'leaky' routes to bypass standard authentication flows or dump PII. To eliminate them, you must shift from an 'allow-by-default' routing model to a strict, whitelist-only security posture combined with automated API discovery.

The Vulnerable Pattern

import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class InternalToolsController {
    // SHADOW ENDPOINT: Undocumented, no auth, forgotten after dev
    @GetMapping("/debug/config-dump")
    public Map<String, Object> dumpSystemProperties() {
        // Leaks every JVM system property (file paths, -D flags, anything injected at startup)
        return System.getProperties().entrySet().stream()
            .collect(Collectors.toMap(e -> e.getKey().toString(), Map.Entry::getValue));
    }
}

# application.properties
# Wildcard exposure publishes every Actuator endpoint (env, heapdump, mappings, ...) over HTTP
management.endpoints.web.exposure.include=*

The Secure Implementation

The fix involves three critical layers:

1. Deny-by-Default: The .anyRequest().denyAll() directive in Spring Security ensures that even if a developer adds a new @RestController without notifying the security team, it remains unreachable.
2. Actuator Hardening: We move from a wildcard exposure (*) to a strict whitelist, disabling sensitive endpoints like /env, /heapdump, or /mappings in production.
3. Environment Segregation: Using Spring Profiles (application-prod.yml) to ensure that debug-level introspection tools are physically absent from the production runtime environment.

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/v1/public/**").permitAll()
                .requestMatchers("/api/v1/private/**").hasRole("USER")
                // The only Actuator endpoints left exposed in prod; without this rule
                // the denyAll below would also block the health probe
                .requestMatchers(EndpointRequest.to("health", "info")).permitAll()
                // DENY BY DEFAULT: Any route not explicitly documented is blocked
                .anyRequest().denyAll()
            )
            .build();
    }
}

# application-prod.yml
management:
  endpoints:
    enabled-by-default: false
    web:
      exposure:
        include: "health,info"
  endpoint:
    health:
      show-details: never
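The "automated API discovery" half of the fix can live in the test suite: the following JUnit 5 test, added here as an illustration and not part of the original page, enumerates every route Spring MVC actually registered under the prod profile and fails the build when one is not covered by the documented prefix allowlist. The package name and the allowlist contents are assumptions; the test sees @RestController routes only, since Actuator endpoints are served by their own handler mapping and are governed by the exposure whitelist above.

```java
// Added example (not from the original page): fail the build on undocumented routes.
package com.example.security; // assumed package

import static org.junit.jupiter.api.Assertions.assertTrue;

import java.util.ArrayList;
import java.util.List;
import java.util.Set;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.ActiveProfiles;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;

@SpringBootTest
@ActiveProfiles("prod") // run against the hardened profile, not the dev one
class ShadowRouteInventoryTest {

    // Assumed allowlist: must mirror the requestMatchers in SecurityConfig.
    private static final List<String> DOCUMENTED_PREFIXES =
            List.of("/api/v1/public/", "/api/v1/private/");

    // Qualifier avoids ambiguity with the Actuator's own controller-endpoint mapping.
    @Autowired
    @Qualifier("requestMappingHandlerMapping")
    private RequestMappingHandlerMapping handlerMapping;

    @Test
    void everyRegisteredRouteIsDocumented() {
        List<String> undocumented = new ArrayList<>();
        handlerMapping.getHandlerMethods().forEach((info, method) -> {
            for (String pattern : patternsOf(info)) {
                boolean covered = DOCUMENTED_PREFIXES.stream().anyMatch(pattern::startsWith);
                if (!covered) {
                    // e.g. "/debug/config-dump -> InternalToolsController#dumpSystemProperties()"
                    undocumented.add(pattern + " -> " + method.getShortLogMessage());
                }
            }
        });
        assertTrue(undocumented.isEmpty(), "Undocumented routes found: " + undocumented);
    }

    // Handles both PathPattern matching (Spring 6 default) and legacy AntPath matching.
    private static Set<String> patternsOf(RequestMappingInfo info) {
        if (info.getPathPatternsCondition() != null) {
            return info.getPathPatternsCondition().getPatternValues();
        }
        return info.getPatternsCondition().getPatterns();
    }
}
```

With the vulnerable controller above still on the classpath the test fails and names /debug/config-dump, so a forgotten route is caught in CI even before the denyAll rule blocks it at runtime.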


Verified by Ghost Labs Security Team
