Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Hard coding sensitive information exposes that information to attackers. The severity of this rule can vary depending on the kind of information that is disclosed. Frequently, the information disclosed is password or key information, which can lead to remote exploitation. Consequently, a high severity rating is given but may be adjusted downwards according to the nature of the sensitive data

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

MSC03-J

High

Probable

Medium

P12

L1

Automated Detection

ToolVersionCheckerDescription
CodeSonar
4.2

FB.SECURITY.DMI_CONSTANT_DB_PASSWORD

FB.SECURITY.DMI_EMPTY_DB_PASSWORD

Hardcoded constant database password

Empty database

Include Page
CodeSonar_V
CodeSonar_V

JAVA.HARDCODED.PASSWD
JAVA.MISC.SD.EXT

Hardcoded Password (Java)
Sensitive Data Written to External Storage (Java)

password

Coverity7.5

HARDCODED_CREDENTIALS
CONFIG
FB.DMI_CONSTANT_DB_ PASSWORD
FB.DMI_EMPTY_DB_PASSWORD

Implemented
Fortify1.0

Password_Management
Password_Management__Hardcoded_Password

Partially implemented
Parasoft Jtest
9.5SECURITY.WSC.HCCS, SECURITY.WSC.HCCK, SECURITY.WSC.AHCA
Include Page
Parasoft_V
Parasoft_V
CERT.MSC03.HCCS
CERT.MSC03.HCCK
CERT.MSC03.AHCA
Avoid passing hardcoded usernames/passwords/URLs to database connection methods
Avoid using hard-coded cryptographic keys
Avoid hard-coding the arguments to certain methods
Implemented
PMD1.0AvoidUsingHardCodedIPPartially implemented
SonarQube
Java Plugin
Include Page
SonarQube
Java Plugin
_V
SonarQube
Java Plugin
_V
S1313
S2068
Partially implemented

Related Vulnerabilities

GERONIMO-2925 describes a vulnerability in the WAS CE tool, which is based on Apache Geronimo. It uses the Advanced Encryption Standard (AES) to encrypt passwords but uses a hard-coded key that is identical for all the WAS CE server instances. Consequently, anyone who can download the software is provided with the key to every instance of the tool. This vulnerability was resolved by having each new installation of the tool generate its own unique key and use it from that time on.

Related Guidelines

Android Implementation Details

Hard-coded information can be easily obtained on Android by using the apktool to decompile an application or by using dex2jar to convert a dex file to a jar file.

Bibliography

[Chess 2007]

Section 11.2, "Outbound Passwords: Keep Passwords out of Source Code"

[Fortify 2008]

"Unsafe Mobile Code: Database Access"

[Gong 2003]

Section 9.4, "Private Object State and Object Immutability"

...


...