Published in


Understanding Spring4Shell

What is Spring?

Spring is known to be an open source framework mainly used for the creation of Java applications. It’s actually much more than that, since its architecture and design are focused on efficiency and simplicity, but explaining more about this particular framework is not the purpose of this article. More information can be found here or here and its code is listed here.

How used is it?

It’s possible to determine approximately how many internet-exposed servers have some version of Spring installed. For this, one of the options is shodan.

The technique utilized is basically a favicon hashing. The particular query in Shodan is “http.favicon.hash:116323821”.

In the following image we can see there are more than 180.000 active applications running some version of Spring:

Knowing a product’s hash’s favicon is fundamental. A code like the following one is used:

import mmh3

import requests

import codecs

headers = {

‘User-Agent’: ‘Mozilla’,


dir=input(‘link to favicon’)

response = requests.get(dir,headers=headers,verify=False)

favicon =codecs.encode(response.content,’base64')

hash = mmh3.hash(favicon)

print (hash)

Spring4shell vulnerability

What is Spring4shell?

Spring4shell is a critical vulnerability (9.8/100) in Spring Core. It allows an attacker with no authentication privileges to execute a remote code. Particularly, this vulnerability affects Spring MVC and Spring WebFlux.

There are some requirements in order for an application to be vulnerable:

  • JDK version >= 9.
  • Spring should be installed in versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19 or previous ones.
  • The application should be configured with Apache Tomcat as Servlets container.
  • Spring-webmvc or spring-webflux dependencies.
  • A WAR file format instead of a traditional JAR one.

Apart from being a critical vulnerability that affects many servers and applications, it was published before the security patch was released and a CVE had been assigned.

Nowadays, there are many Github repositories and pages with functional POCs:





On the other hand, an “early announcement” was published at the Spring website a few days ago, mentioning the problem and informing about some patch releases and ways of fixing this vulnerability without having to change the version.

How to detect it? Am I vulnerable?

If the requirements for this application to be vulnerable are met, then it’s very likely that the vulnerability exists. However, hours after the first POC was published, there already were ways to make sure if the vulnerability existed:

  • The ProjectDiscovery team launched a template for Nuclei (here).
  • There are some repositories not officially linked to the Nmap project that contain scripts to detect it using the tool (here).

Are you interested in our products? Learn more🌟




Faraday Platform helps you perform security engineering by maximizing your team’s resources, increasing risk visibility by converting all your data into valuable information https://www.faradaysec.com/

Recommended from Medium

{UPDATE} Farming Tractor Simulator 2018 Hack Free Resources Generator

{UPDATE} Dice With Buddies: Social Game Hack Free Resources Generator

Thieves Target Audis In Denver

eLearnSecurity Penetration Testing eXtreme Review

How to root Elephone P9 water

Root LG Phone

New Security Threats in our Work-From-Home Era

Ransomware & You

How to root Bluboo X3

Root LG Phone

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Faraday Team

Faraday Team

More from Medium

Using SANS SIFT Workstation or REMnux with SSL Decrypting Proxies

Who’s in charge of security in your company?

A strategy to optimize monitoring user authentication events

Security Blue Team’s BTL1 Certification