Home / Vulnerability Database / Config files : Hardcoded encryption key in config
Config files
Config files : Hardcoded encryption key in config
Classification
OWASP Mobile Top 10 2014
OWASP Mobile Top 10 2016
OWASP Top 10 2021
OWASP MASVS
HIPAA
CWE/SANS Top 25 2011
Overview
Encryption key is hardcoded in a configuration file. This may lead to an application data compromise.
Eliminating security risks related to hardcoded passwords or keys is extremely difficult. This data is available at least to every developer of the application. Moreover, after the application is installed, removing password or key from its code is possible only via an update. Constant strings are easily extracted from the compiled application by decompilers. Therefore, an attacker does not necessarily need to have an access to the source code to find out the value of the key.
Insufficient Cryptography vulnerabilities take the fifth place in the “OWASP Top 10 2016” mobile application vulnerabilities ranking.
References
- Use of hard-coded password
- CWE-321: Use of Hard-coded Cryptographic Key
- Mobile Top 10 2014-M6-Broken Cryptography
- OWASP Top 10 2013-A5-Security Misconfiguration
- OWASP Top 10 2013-A6-Sensitive Data Exposure
- RNCryptor README - github.com
- Mobile Top 10 2016-M5-Insufficient Cryptography
- CWE-798: Use of Hard-coded Credentials
MEDIUM
DerScanner Severity Score
Do you want to fix Config files : Hardcoded encryption key in config in your application?
See also
Config files
Config files : Text4Shell Vulnerability
Config files
Config files : Incorrect directory deletion
Config files