DEV.co
Open-Source Security · AabyssZG

SpringBoot-Scan

SpringBoot-Scan is a Python-based penetration testing framework targeting Spring Boot applications. It scans for sensitive information leakage endpoints and provides exploitation tools for known Spring Framework vulnerabilities including CVE-2022-22965, CVE-2022-22963, and others.

Source: GitHub — github.com/AabyssZG/SpringBoot-Scan
2.3k
GitHub stars
177
Forks
Python
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryAabyssZG/SpringBoot-Scan
OwnerAabyssZG
Primary languagePython
LicenseMIT — OSI-approved
Stars2.3k
Forks177
Open issues2
Latest release2.7.2 (2025-11-09)
Last updated2025-11-09
Sourcehttps://github.com/AabyssZG/SpringBoot-Scan

What SpringBoot-Scan is

Written in Python, SpringBoot-Scan performs endpoint enumeration using built-in dictionaries, supports multiple CVE exploits via pluggable modules, integrates with asset discovery APIs (ZoomEye, Fofa, Hunter), and includes features for HTTP proxy support, custom headers, and batch scanning. The tool offers both CLI and GUI interfaces and supports interactive command execution for RCE vulnerabilities.

Quickstart

Get the SpringBoot-Scan source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/AabyssZG/SpringBoot-Scan.gitcd SpringBoot-Scan# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Authorized Red Team Assessments

Identify sensitive Spring Boot endpoints (actuators, config servers, Eureka registries) and test for known CVE exploits during authorized penetration testing engagements.

Spring Framework Vulnerability Auditing

Batch scan internal or external Spring Boot instances against a curated set of published CVEs (CVE-2022-22965, CVE-2021-21234, etc.) to prioritize patching efforts.

Asset Discovery and Triage

Leverage integrated asset search APIs to discover Spring Boot instances on the internet, export targets, and systematically assess vulnerability exposure across multiple hosts.

Implementation considerations

  • Install Python dependencies (pip install -r requirements.txt) and verify Python 3.x; slow pip installs can use Tsinghua mirror.
  • Configure HTTP proxy and custom headers via text files if testing behind corporate firewalls or from restricted networks.
  • Adjust the global timeout variable (outtime = 10) in core modules (run.py, poc.py, vul.py) if scanning slow or distant targets.
  • Review and populate the Dir.txt dictionary; built-in endpoints cover common leakage vectors but may require customization for non-standard Spring Boot layouts.
  • Use delay scanning (-uf with user-specified delays) to avoid IP blocks or rate limiting when batch scanning multiple targets.

When to avoid it — and what to weigh

  • Unauthorized or Production Testing — Do not use on systems you do not own or have explicit written permission to test. The tool is designed for exploiting real vulnerabilities and could disrupt operations.
  • Expecting Passive Reconnaissance — SpringBoot-Scan actively sends HTTP requests and executes exploits; it is not suitable for stealth or evasive assessment scenarios.
  • Relying on Outdated Vulnerability Coverage — The tool covers specific published CVEs. If your target runs newer Spring versions or patches, or uses uncommon configurations, detection may fail.
  • Legal or Compliance-Sensitive Environments — Ensure your legal and compliance teams approve the tool's use before deploying in regulated industries; exploit code may trigger alerts or compliance violations.

License & commercial use

MIT License: permissive, allows commercial use, modification, and distribution with attribution and inclusion of the license. No patent protection or liability clause.

MIT permits commercial use, but the tool contains exploit code that may violate laws if used on unauthorized systems. Legal review is mandatory before commercializing or bundling this tool. Antivirus software may flag vul.py and GUI executables as malicious due to built-in exploit payloads.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

The tool is designed to *exploit* real vulnerabilities, not merely scan for them. Successful exploitation can lead to remote code execution, arbitrary file access, or data exfiltration on target systems. Use only on systems you own or have explicit legal authorization to test. Output files (error.log, dumpout.txt) may contain sensitive data or exploit artifacts; secure them accordingly. Antivirus and WAF systems may block or quarantine the tool or its outputs. No built-in logging, no egress filtering, and no sandboxing; assume full impact on a vulnerable target.

Alternatives to consider

Burp Suite (with custom extensions)

Commercial, closed-source scanner with broader coverage, professional support, and active vulnerability database updates; suitable for enterprises but lacks Spring-specific exploit automation.

OWASP ZAP

Open-source, community-driven web application scanner; less Spring-specific than SpringBoot-Scan but more general-purpose; no built-in Spring CVE exploits.

Nuclei (with templates)

Lightweight, template-based vulnerability scanner; Spring-related templates exist in the community, offering modularity and ease of contribution, but no interactive command execution for RCE.

Software development agency

Build on SpringBoot-Scan with DEV.co software developers

Devco specializes in custom penetration testing frameworks and security-hardened application development. Contact our team to assess your Spring Boot infrastructure or build a tailored scanning solution.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

SpringBoot-Scan FAQ

Is this tool legal to use?
Only on systems you own or have explicit written authorization to test. Unauthorized use violates computer fraud and abuse laws in most jurisdictions. Always obtain legal clearance before testing.
What if my Spring Boot version is patched?
The tool targets specific CVE versions. If your target is patched, exploits will likely fail. Use the scanning mode (-u) to identify which endpoints exist; exploitation is secondary.
Can I use this behind a corporate proxy?
Yes, use the -p parameter to specify proxy (IP:port) and optional authentication (user:pass@IP:port). The tool validates proxy connectivity before scanning.
Does the tool update its CVE list automatically?
No, updates are manual via GitHub releases. Check the latest release notes to verify which CVEs are supported; new vulnerabilities require code updates.

Custom software development services

DEV.co helps companies turn open-source tools like SpringBoot-Scan into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.

Need expert guidance on Spring security testing?

Devco specializes in custom penetration testing frameworks and security-hardened application development. Contact our team to assess your Spring Boot infrastructure or build a tailored scanning solution.