Page History

Hard coding sensitive information, such as passwords, server IP addresses, and encryption keys can expose the information to attackers. Anyone who has access to the class files can decompile them and discover the sensitive information. ConsequentlyLeaking data protected by International Traffic in Arms Regulations (ITAR) or the Health Insurance Portability and Accountability Act (HIPAA) can also have legal consequences. Consequently, programs must not hard code sensitive information.unmigrated-wiki-markup

Hard coding sensitive information also increases the need to manage and accommodate changes to the code. For example, changing a hard-coded password in a deployed program may require distribution of a patch \ [[Chess 2007|AA. References#Chess 07]\].

Noncompliant Code Example

This noncompliant code example includes a hard-coded server IP address in a constant String. :

class IPaddress {
  String ipAddress = new String("172.16.254.1");
  public static void main(String[] args) {
    //...
  }
}

A malicious user can use the javap -c IPaddress command to disassemble the class and discover the hard-coded server IP address. The output of the disassembler reveals the server IP address 172.16.254.1 in clear text:

Compiled from "IPaddress.java"
class IPaddress extends java.lang.Object{
java.lang.String ipAddress;

IPaddress();
  Code:
   0:     aload_0
   1:     invokespecial     #1; //Method java/lang/Object."<init>":()V
   4:     aload_0
   5:     new   #2; //class java/lang/String
   8:     dup
   9:     ldc   #3; //String 172.16.254.1
   11:    invokespecial     #4; //Method java/lang/String."<init>":(Ljava/lang/String;)V
   14:    putfield    #5; //Field ipAddress:Ljava/lang/String;
   17:    return

public static void main(java.lang.String[]);
  Code:
   0:     return

}

...

This compliant solution retrieves the server IP address from an external file located in a secure directory. Exposure , as recommended by FIO00-J. Do not operate on files in shared directories. It reads the file in compliance with FIO10-J. Ensure the array is filled when using read() to fill an array. Exposure of the IP address is further limited by clearing storing it in a char array rather than a java.lang.String, and by clearing the server IP address from memory immediately after use.

class IPaddress {
  public static void main(String[] args) throws IOException {
    char[] ipAddress = new char[100];
    int offset = 0;
    int charsRead = 0;
    BufferedReader br = null;
    try {
      br = new BufferedReader(new InputStreamReader(
             new FileInputStream("serveripaddress.txt")));

    // Reads thewhile server((charsRead IP address into the char array,= br.read(ipAddress, offset, ipAddress.length - offset))
    //  returns the number of bytes read != -1) {
    int    noffset += br.read(ipAddress);  
 charsRead;
        if (offset >= ipAddress.length) {
      // Validate server IP addressbreak;
    //  Manually clear out}
 the server IP address
  }
  // immediately after use 
    for (int i = n - 1; i >= 0; i--) {  // ... Work with IP address

    } finally {
      ipAddress[i] =Arrays.fill(ipAddress,  (byte) 0);
    }
    br.close();
    }
  }
}

To further limit the exposure time of the sensitive server IP address, replace BufferedReader with a direct native input/output (NIO) buffer, which can be cleared immediately after use.

...

The user name and password fields in the SQL connection request are hard coded in this noncompliant code example.:

public final Connection getConnection() throws SQLException {
  return DriverManager.getConnection(
      "jdbc:mysql://localhost/dbName", 
      "username", "password");
}

Note that the one- and two-two argument java.sql.DriverManager.getConnection() methods can also be used incorrectly.

...

This compliant solution reads the user name and password from a configuration file located in a secure directory. :

public final Connection getConnection() throws SQLException {
  char[]String username = new char[16];
  char[]String password = new char[16];
  // Username and password are read at runtime from a secure config file
  Connection connection =return DriverManager.getConnection(
      "jdbc:mysql://localhost/dbName",
      username.toString(), password.toString());
  for (int i = username.length - 1; i >= 0; i--) {  
    username[i] = 0;
  }
  for (int i = password.length - 1; i >= 0; i--) {  
    password[i] = 0;
  }
  return connection;
}

It is also permissible to prompt the user for the user name and password at runtime.

When possible, sensitive information such as passwords should be stored in character arrays rather than strings because the Java Virtual Machine may retain strings long after they are no longer needed. However, this example uses strings because DriverManager.getConnection() requires them.

Risk Assessment

Hard coding sensitive information exposes that information to attackers. The severity of this rule can vary depending on the kind of information that is disclosed. Frequently, the information disclosed is password or key information, which can lead to remote exploitation. Consequently, a high severity rating is given but may be adjusted downwards according to the nature of the sensitive data. 

Automated Detection

Related Vulnerabilities

GERONIMO-2925, GERONIMO-1135 describes  describes a vulnerability in the WAS CE tool, which is based on Apache Geronimo. It uses the Advanced Encryption Standard (AES) to encrypt passwords but uses a hard-coded key that is identical for all the WAS CE server instances. Consequently, anyone who can download the software is provided with the key to every instance of the tool. This vulnerability was resolved by having each new installation of the tool generate its own unique key and use it from that time on.

Related Guidelines

Bibliography

Android Implementation Details

Hard-coded information can be easily obtained on Android by using the apktool to decompile an application or by using dex2jar to convert a dex file to a jar file.

Bibliography

...

Image Added Image Added Image Removed      49. Miscellaneous (MSC)