-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathHardcodedCredentialsApiCall.qhelp
More file actions
44 lines (37 loc) · 1.37 KB
/
HardcodedCredentialsApiCall.qhelp
File metadata and controls
44 lines (37 loc) · 1.37 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Including unencrypted hard-coded authentication credentials in source code is dangerous because
the credentials may be easily discovered. For example, the code may be open source, or it may
be leaked or accidentally revealed, making the credentials visible to an attacker. This, in turn,
might enable them to gain unauthorized access, or to obtain privileged information.
</p>
</overview>
<recommendation>
<p>
Remove hard-coded credentials, such as user names, passwords and certificates, from source code.
Instead, place them in configuration files, environment variables or other data stores if necessary.
If possible, store configuration files including credential data separately from the source code,
in a secure location with restricted access.
</p>
</recommendation>
<example>
<p>
The following code example connects to a database using a hard-coded user name and password:
</p>
<sample src="HardcodedCredentialsApiCall.java"/>
<p>
Instead, the user name and password could be supplied through environment variables,
which can be set externally without hard-coding credentials in the source code.
</p>
</example>
<references>
<li>
OWASP:
<a href="https://www.owasp.org/index.php/Use_of_hard-coded_password">Use of hard-coded password</a>.
</li>
</references>
</qhelp>