Versions Compared

Hard coding sensitive information, such as passwords, server IP addresses and encryption keys, can expose the information to attackers. Anyone who has access to the class files can decompile them and consequently discover the sensitive information. Consequently, programs must not hard code sensitive information.

Hard coding sensitive information also increases the need to manage and accommodate changes to the code. For example, changing a hard coded password in a fielded program may require distribution of a patch [Chess 2007].

...

A malicious user can use the javap -c Password command to disassemble the class and discover the hard coded password. The output of the disassembler, shown below, reveals the password guest in clear text.

Code Block
Compiled from "Password.java"
class Password extends java.lang.Object{
java.lang.String password;

Password();
  Code:
   0:	aload_0
   1:	invokespecial	#1; //Method java/lang/Object."<init>":()V
   4:	aload_0
   5:	new	#2; //class java/lang/String
   8:	dup
   9:	ldc	#3; //String guest
   11:	invokespecial	#4; //Method java/lang/String."<init>":(Ljava/lang/String;)V
   14:	putfield	#5; //Field password:Ljava/lang/String;
   17:	return

public static void main(java.lang.String[]);
  Code:
   0:	return

}

...

To further limit the exposure time of the sensitive password, replace BufferedReader with a direct NIO buffer, which can be cleared immediately after use.
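As an added example (not the rule's own code), assuming the password is kept in a file named by `passwordFile` that the deployment protects with file permissions, the direct-buffer approach reads the stored password off-heap, compares it, and wipes both copies before returning:

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.channels.FileChannel;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;

final class PasswordCheck {

  // Overwrite every byte; clear() alone only resets position and limit
  // and leaves the secret sitting in memory.
  static void wipe(ByteBuffer buf) {
    buf.clear();
    while (buf.hasRemaining()) buf.put((byte) 0);
    buf.clear();
  }

  // Compare every byte so the time taken does not reveal the first mismatch.
  static boolean constantTimeEquals(ByteBuffer a, ByteBuffer b) {
    int diff = a.remaining() ^ b.remaining();
    int n = Math.min(a.remaining(), b.remaining());
    for (int i = 0; i < n; i++) {
      diff |= a.get(a.position() + i) ^ b.get(b.position() + i);
    }
    return diff == 0;
  }

  // passwordFile (assumed) is readable only by the account running the program;
  // it stands in for the string literal that javap exposed above. Passwords up
  // to 256 bytes are supported.
  static boolean isValid(Path passwordFile, char[] attempt) throws IOException {
    ByteBuffer stored = ByteBuffer.allocateDirect(256);  // off-heap, not copied by the GC
    ByteBuffer given = StandardCharsets.UTF_8.encode(CharBuffer.wrap(attempt));
    try (FileChannel ch = FileChannel.open(passwordFile, StandardOpenOption.READ)) {
      ch.read(stored);
      stored.flip();
      // Drop a trailing line terminator left by the editor that wrote the file.
      int end = stored.limit();
      while (end > 0 && (stored.get(end - 1) == '\n' || stored.get(end - 1) == '\r')) end--;
      stored.limit(end);
      return constantTimeEquals(stored, given);
    } finally {
      wipe(stored);  // both copies of the secret are gone once the check returns
      wipe(given);
    }
  }
}
```

The caller remains responsible for zeroing the `attempt` array (for example with `Arrays.fill(attempt, '\0')`) once the check completes.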

Noncompliant Code Example (Hard Coded Database Password)

This noncompliant code example hard codes the user name and password fields in the SQL connection request.

...

It is also permissible to prompt the user for the user name and password at runtime.

Risk Assessment

Hard coding sensitive information exposes that information to attackers.

...

CERT C Secure Coding Standard

MSC18-C. Be careful while handling sensitive data, such as passwords, in program code

ISO/IEC TR 24772:2010 (http://www.aitcnet.org/isai/)

"Hard-coded Password [XYP]"

MITRE CWE

CWE ID 259, "Use of Hard-coded Password"

CWE ID 798, "Use of Hard-coded Credentials"

...

[Chess 2007] 11.2 Outbound Passwords: Keep Passwords out of Source Code

[Fortify 2008] "Unsafe Mobile Code: Database Access"

[Gong 2003] 9.4 Private Object State and Object Immutability

...