16 lines
914 B
Plaintext
16 lines
914 B
Plaintext
Because it is easy to extract strings from an application source code or binary, credentials should not be hard-coded. This is particularly true for applications that are distributed or that are open-source.
|
|
|
|
|
|
In the past, it has led to the following vulnerabilities:
|
|
|
|
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13466[CVE-2019-13466]
|
|
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15389[CVE-2018-15389]
|
|
|
|
Credentials should be stored outside of the code in a configuration file, a database, or a management service for secrets.
|
|
|
|
|
|
This rule flags instances of hard-coded credentials used in database and LDAP connections. It looks for hard-coded credentials in connection strings, and for variable names that match any of the patterns from the provided list.
|
|
|
|
|
|
It's recommended to customize the configuration of this rule with additional credential words such as "oauthToken", "secret", ...
|