FixVibe

// 探索 / 聚焦

Debug & Admin Endpoints

/debug, /admin, /server-status — paths that should never be reachable from the internet.

概要

Security through obscurity is the most expensive kind. Every debug endpoint that ships to production behind nothing but 'no one will guess the URL' is a future post-mortem. The bug shape is consistent across stacks: framework provides a powerful dev tool (Spring Boot Actuator's `/env`, Django Debug Toolbar, ASP.NET trace.axd, Express's morgan logger, Apache's mod_status), developer enables it for local debugging, deploy pipeline ships the same config to production, attacker scans well-known paths and walks in. Spring4Shell, dozens of CVE-class disclosures, and entire breach categories trace back to this pattern.

運作方式

We probe ~31 well-known paths covering the major framework defaults: Spring Actuator (`/actuator`, `/actuator/env`, `/actuator/heapdump`, `/actuator/loggers`, `/actuator/trace`), Apache mod_status (`/server-status`, `/server-info`), nginx stub_status (`/nginx_status`), Django (`/admin/`, `/__debug__/`), Express dev tools (`/_debug`, `/debug`), .NET (`/trace.axd`, `/elmah.axd`), generic admin paths (`/admin`, `/dashboard`, `/console`), Kubernetes-adjacent paths (`/metrics`, `/healthz/?verbose=true`), database admin tools (`/phpmyadmin`, `/adminer.php`). Each probe checks for content matching the expected debug payload — a Spring Actuator response has distinctive JSON shape, Django admin has distinctive HTML, etc.

變種

Spring Boot Actuator

`/actuator/env` leaks every config var. `/actuator/heapdump` lets the attacker pull a memory snapshot containing secrets. Spring4Shell-class CVEs lurk here.

Apache mod_status

Shows current request URLs in real time, including sensitive paths and parameters. Visiting `/server-status?refresh=1` is a live wiretap.

Database admin tools

phpMyAdmin, Adminer, Robo 3T web — installed by 'just for a moment' decisions and never removed. Direct database access if not auth-gated.

Cloud / K8s metrics endpoints

`/metrics` exposed without auth leaks request rates, error counts, and (with verbose configs) request paths. Used for recon in target prioritization.

影響范圍

Tracks the endpoint. Spring `/actuator/env` is every config var, including secrets. `/actuator/heapdump` is a memory snapshot from which the attacker recovers session tokens, encryption keys, and credentials. Apache `/server-status` is a live wiretap. Django `/admin/` without authentication is database access. Even read-only metrics endpoints leak operational signal that helps attackers time exploits during peak load when defender attention is divided.

// fixvibe 檢查的內容

FixVibe 檢查的內容

FixVibe maps externally visible application surfaces with passive signals and safe metadata checks. Reports summarize the exposed surface and remediation priorities. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

铁壁防御

Block these paths at the edge — your CDN or WAF should refuse `/actuator/*`, `/server-status`, `/admin/`, `/__debug__`, etc., before they reach origin. Bind admin interfaces to internal network only (VPC private subnet, VPN-required IP allowlist). Require authentication on any management endpoint, even ones you think are 'just for monitoring.' For Spring Boot, set `management.server.port` to a separate port not exposed to the internet, plus `management.endpoints.web.exposure.include=health,info` to limit what's published. For Django, ensure `DEBUG=False` in production and remove `django-debug-toolbar` from `INSTALLED_APPS`. For Apache/nginx, comment out the status modules entirely if you don't actively use them. Audit your route table for any path containing 'debug', 'admin', 'console', '.well-known/server-info', and gate or remove each.

// 在你自己的應用上跑一遍

放心继續發布,FixVibe 持續幫你看守風险。

FixVibe 像攻击者一樣對你的應用公開面进行压力测試 —— 无代理、无安裝、无信用卡。我們持續研究新的漏洞模式,并把它們转化成实用检查和可直接用于 Cursor、Claude、Copilot 的修複方案。

探索
142
本類别中触發的测試
模塊
23
專属 探索 检查
每次扫描
487+
跨所有類别的测試
  • 免费 —— 无需信用卡,无需安裝,无需 Slack 通知
  • 只需粘贴 URL —— 我們爬取、探测、生成報告
  • 按严重程度分级,去重至只剩信號
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
運行免费扫描

// 最新检查 · 实用修複 · 安心發布

Debug & Admin Endpoints — 漏洞聚焦 | FixVibe · FixVibe