Every day, Inspectiv uncovers brand-new vulnerabilities across diverse environments. These findings aren’t theoretical—they’re active weaknesses that attackers would happily exploit today. By learning from fresh discoveries as they emerge, you can harden your systems before adversaries notice.
Below are three high-impact issues recently identified across customer environments, along with the practical defenses your teams can apply immediately. Note that some details have been changed for educational purposes.
Attackers love predictability. When object identifiers are short, sequential, or guessable, even limited authentication can accidentally grant access to data that should be off-limits. Enumeration becomes trivial—and once attackers find one valid object ID, they can often harvest many more.
IDOR attacks continue to be one of the most common (and devastating) real-world application flaws. These patterns were observed just this week, demonstrating how often predictable IDs slip into production systems unnoticed.
Finally, here's a sample HTTP request that illustrates the pattern to watch for.

```http
POST /directory1/directory2/action/{numerical-ID-1}/sample HTTP/2
Host: sample-app.com

{"id":{numerical-ID-2}}
```

Note that each object referenced (numerical-ID-1 in the path and numerical-ID-2 in the body) should be checked against the caller's ACLs. And of course incrementing either numeric ID should not produce a successful result.
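As an added example (not code from the Inspectiv post), here is a Go handler for the request shape above that enforces object-level authorization on both numerical-ID-1 and numerical-ID-2. The X-User header as the authenticated identity, the owners table and the call helper are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// Constructed sample data (an assumption, not from the post): object ID -> owning user.
var owners = map[int]string{1001: "alice", 1002: "bob"}
// authorize is true only when the caller owns every referenced object; unknown and foreign IDs fail identically.
func authorize(user string, ids ...int) bool {
	for _, id := range ids {
		if user == "" || owners[id] != user { // empty user must never match a missing key
			return false
		}
	}
	return true
}
// handleAction serves POST /directory1/directory2/action/{numerical-ID-1}/sample with body {"id": numerical-ID-2}.
func handleAction(w http.ResponseWriter, r *http.Request) {
	user := r.Header.Get("X-User") // assumption: identity set by an upstream auth layer
	idStr := strings.TrimSuffix(strings.TrimPrefix(r.URL.Path, "/directory1/directory2/action/"), "/sample")
	pathID, err := strconv.Atoi(idStr)
	var body struct{ ID int `json:"id"` }
	if err != nil || json.NewDecoder(r.Body).Decode(&body) != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	if !authorize(user, pathID, body.ID) { // both IDs are checked against the caller
		http.NotFound(w, r) // 404 rather than 403: never confirm that the object exists
		return
	}
	w.WriteHeader(http.StatusOK)
}
// call issues one request to handleAction and returns the HTTP status code.
func call(user, path, body string) int {
	req := httptest.NewRequest(http.MethodPost, path, strings.NewReader(body))
	req.Header.Set("X-User", user)
	rec := httptest.NewRecorder()
	handleAction(rec, req)
	return rec.Code
}
func main() { // alice owns 1001 and bob owns 1002, so this prints: 200 404 404
	p := "/directory1/directory2/action/1001/sample"
	fmt.Println(call("alice", p, `{"id":1001}`), call("alice", p, `{"id":1002}`), call("bob", p, `{"id":1002}`))
}
```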
Attackers always look for shortcuts—and default framework features often hand them over on a silver platter. One recent finding involved an exposed heapdump endpoint, providing deep insight into the application’s internal state.
Heapdumps can contain secrets, credentials, tokens, or sensitive user data. If an attacker can download one without authentication, they gain a treasure map of your application’s internals. This comes up for Go, Java JMX, and Spring Boot Actuator, all of which ship with some level of default heapdumps in current or near-current versions.
https://sampleapp.com/hidden-endpoint/actuator/heapdump
https://sampleapp.com/hidden-endpoint/actuator/configprops
https://sampleapp.com/hidden-endpoint/actuator/loggers

Spring Boot Actuator

In your application.properties (or the YAML equivalent), make sure you set the following:

```properties
management.endpoint.heapdump.enabled=false
management.endpoint.threaddump.enabled=false
management.endpoint.configprops.enabled=false
```

Go
Disable importing pprof in production builds:

```go
//go:build dev

package main

// Blank import registers the /debug/pprof/ handlers on http.DefaultServeMux,
// so this file must only be compiled into development builds.
import _ "net/http/pprof"
```

If you must have it, then ensure it is bound only to localhost on a unique port, so that you must have access to the host to reach it:

```go
go func() {
	// Dedicated mux: pprof handlers are not mixed into the public server's mux.
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/", pprof.Index) // if using explicit handlers (import "net/http/pprof")
	_ = http.ListenAndServe("127.0.0.1:6060", mux) // loopback only, never 0.0.0.0
}()
```
Java JMX
You should ensure you do not accidentally enable remote JMX via these system properties:

```
com.sun.management.jmxremote.port
com.sun.management.jmxremote.rmi.port
```

If you must use it, then make sure to enable authentication and SSL, and bind it to an internal address that requires you to have access to the host.
Node
Follows a similar pattern: you should never run --inspect on a public interface.

If you must allow it, then make sure to bind to localhost and require access to the host via SSH port forwarding or a private VPN, and make sure the port is not exposed to the internet.

```shell
node --inspect=127.0.0.1:9229 app.js
```
This one is as bad as it sounds—an administrative interface accessible without authentication. Even limited admin functionality in the open can lead directly to account takeover, data manipulation, or full environment compromise.
Attackers routinely scan for common admin paths. If one answers without a login challenge, compromise becomes nearly instantaneous. This is a “red flag” vulnerability we still find far too often.
Inspectiv Insights - How to Avoid Introducing Vulnerabilities that Others Missed