DerScanner
Home / Vulnerability Database / 1C : Hardcoded password
1C

1C : Hardcoded password

Classification

OWASP Top 10 2013
A2-Broken Authentication and Session ManagementA6-Sensitive Data Exposure
OWASP Top 10 2017
A2-Broken AuthenticationA3-Sensitive Data Exposure
OWASP Top 10 2021
A2-Cryptographic FailuresA4-Insecure DesignA7-Identification and Authentication Failures
OWASP MASVS
V2: 2.2.(L1/L2/L1+R/L2+R)V2: 2.14.(L2/L2+R)V8: 8.11.(L1+R/L2+R)
OWASP ASVS
Stored CryptographyStored CryptographyAuthenticationAuthenticationAuthenticationAuthenticationAuthenticationAuthentication
PCI DSS 4.0
6.5.66.2.48.3.28.6
HIPAA
§164.312 (a)(1)
CWE
CWE-256CWE-257CWE-259CWE-522CWE-656CWE-798CWE-1028CWE-1032
CWE/SANS Top 25 2011
CWE-798
CWE/SANS Top 25 2021
CWE-522CWE-798

Overview

Password is explicitly defined in the source code. This may lead to an application data compromise.

Eliminating security risks related to hardcoded passwords is extremely difficult. These passwords are at least accessible to every developer of the application. Moreover, after the application is installed, removing password from its code is possible only via an update. Constant strings are easily extracted from the compiled application by decompilers. Therefore, an attacker does not necessarily need to have an access to the source code to know the parameters of the special account. If these parameters become known to an attacker, system administrators will be forced either to neglect the safety, or to restrict the access to the application.

References

  1. Use of hard-coded password
  2. CWE-259: Use of Hard-coded Password
  3. OWASP Top 10 2013-A5-Security Misconfiguration
  4. OWASP Top 10 2013-A6-Sensitive Data Exposure
  5. Handling passwords used for auth in source code - stackoverflow.com
  6. How to securely hash passwords? - security.stackexchange.com
  7. OWASP Top 10 2017 A2-Broken Authentication
  8. OWASP Top 10 2017-A3-Sensitive Data Exposure
  9. CWE-798: Use of Hard-coded Credentials
  10. CWE CATEGORY: OWASP Top Ten 2017 Category A2 - Broken Authentication
  11. CWE CATEGORY: OWASP Top Ten 2017 Category A6 - Security Misconfiguration
CRITICAL

DerScanner Severity Score

Do you want to fix 1C : Hardcoded password in your application?

See also

1C

1C : Null encryption key

1C

1C : Memory leak

1C

1C : Empty encryption key