Hardcoded Credentials
ID |
csharp.hardcoded_credentials |
Severity |
high |
Resource |
Information Leak |
Language |
CSharp |
Tags |
CWE:798, NIST.SP.800-53, OWASP:2021:A7, PCI-DSS:6.5.3 |
Description
Hardcoded credentials refer to embedding usernames, passwords, or other forms of authentication data directly within the source code. This practice poses significant security risks, as it may enable unauthorized access if the code is exposed.
Rationale
When credentials such as usernames, passwords, API tokens, or cryptographic keys are statically coded into an application, they become susceptible to being exposed through source code leaks or reverse engineering. This issue is particularly concerning in Java applications, where decompilation attacks can easily reveal sensitive information embedded within the code.
Here is an example of vulnerable code with hardcoded credentials:
using System;
using System.Configuration;
using System.Web.Configuration;
class Program
{
static void OpenWebConfigurationWithHardcodedCredentials()
{
// Hardcoded user and password.
string user = "domain\\username"; // Replace with the actual domain and username
string password = "userPassword"; // Replace with the actual password
try
{
// Get the configuration object for a Web application
// running on a remote server.
Configuration config = WebConfigurationManager.OpenWebConfiguration( // FLAW x2
"/configTest", // Virtual path of the application
"Default Web Site", // Site name
null, // Physical path, null since it's a remote server
"myServer", // Server name
user, // User name
password) as Configuration; // Password
if (config != null)
{
// Get the appSettings section.
KeyValueConfigurationCollection appSettings = config.AppSettings.Settings;
// Loop through the collection and display the appSettings key, value pairs.
Console.WriteLine(
"[appSettings for Web app on server: myServer user: {0}]", user);
foreach (string key in appSettings.AllKeys)
{
Console.WriteLine("Name: {0} Value: {1}",
key, appSettings[key].Value);
}
}
else
{
Console.WriteLine("Configuration could not be loaded.");
}
}
catch (Exception ex)
{
Console.WriteLine("An error occurred: " + ex.Message);
}
}
static void Main(string[] args)
{
OpenWebConfigurationWithHardcodedCredentials();
}
}Remediation
To remediate the issue of hardcoded credentials in your applications, follow these best practices:
Externalize Credentials: Store sensitive information such as usernames and passwords in external configuration files, environment variables, or secure vaults. This method ensures that the actual codebase does not contain sensitive data, reducing the risk of exposure.
Environment Variables: Use environment variables to manage credentials. They can be set on the server or container running the application and accessed by the application at runtime.
Secure Configuration Management: Use a secure configuration management tool like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault to store and access sensitive credentials securely. These tools provide mechanisms to manage, rotate, and control access to credentials.
Logical Separation: Implement logical separation of sensitive code and use principles like the 12-factor app to effectively manage configuration outside the source code.
Rotate and Audit: Regularly rotate credentials and perform audits to ensure that no hardcoded sensitive information exists within the codebase.
By adopting these remediation strategies, you can significantly reduce the risk associated with hardcoded credentials and ensure that your applications maintain a strong security posture.
References
-
CWE-798 : Use of Hard-coded Credentials.
-
OWASP - Top 10 2021 Category A07 : Identification and Authentication Failures.