ABAP : Empty password
Classification
Overview
An empty password may lead to an application compromise.
Eliminating the security risks related to the specified in the source code empty passwords is extremely difficult. The information that a certain account accepts an empty password is accessible to at least every developer of the application. Moreover, after the application is installed, removing an empty password from its code possible only via an update. Constant strings are easily extracted from the compiled application by decompilers. Therefore, an attacker does not necessarily need to have an access to the source code to know the parameters of the special account. If these parameters become known to an attacker, system administrators will be forced either to neglect the security or to restrict the access to the application.
References
- Use of hard-coded password
- CWE-259: Use of Hard-coded Password
- OWASP Top 10 2013-A5-Security Misconfiguration
- OWASP Top 10 2013-A6-Sensitive Data Exposure
- Handling passwords used for auth in source code - stackoverflow.com
- How to securely hash passwords? - security.stackexchange.com
- OWASP Top 10 2017-A2-Broken Authentication
- CWE CATEGORY: OWASP Top Ten 2017 Category A2 - Broken Authentication
- CWE CATEGORY: OWASP Top Ten 2017 Category A6 - Security Misconfiguration