DerScanner
Home / Vulnerability Database / Ruby : Hardcoded sensitive data
Ruby

Ruby : Hardcoded sensitive data

Classification

OWASP Mobile Top 10 2014
M2-Insecure Data StorageM5-Poor Authorization and Authentication
OWASP Mobile Top 10 2016
M4-Insecure Authentication
OWASP MASVS
V2: 2.2.(L1/L2/L1+R/L2+R)V2: 2.14.(L2/L2+R)V8: 8.11.(L1+R/L2+R)
OWASP ASVS
Stored Cryptography
PCI DSS 4.0
6.2.48.3.2
HIPAA
§164.312 (a)(1)
CWE
CWE-798
CWE/SANS Top 25 2011
CWE-798
CWE/SANS Top 25 2021
CWE-798

Overview

Sensitive data is hardcoded. This may lead to an application data compromise.

Eliminating security risks related to hardcoded sensitive data (e.g. PIN codes, CVV numbers, etc.) is extremely difficult. This data is at least accessible to every developer of the application. Moreover, after the application is installed, removing sensitive data from its code is possible only via an update. Constant strings are easily extracted from the compiled application by decompilers. Therefore, an attacker does not necessarily need to have an access to the source code to get access to the data. If it becomes known to an attacker, system administrators will be forced either to neglect the safety, or to restrict the access to the application.

In case of a mobile application, security threat is even higher, considering the risk of the device loss.

References

  1. Use of hard-coded password
  2. CWE-259: Use of Hard-coded Password
  3. OWASP Top 10 2013-A5-Security Misconfiguration
  4. OWASP Top 10 2013-A6-Sensitive Data Exposure
  5. How to securely hash passwords? - security.stackexchange.com
  6. OWASP Mobile Top 10 2016-M4-Insecure Authentication
  7. CWE-798: Use of Hard-coded Credentials
MEDIUM

DerScanner Severity Score

Do you want to fix Ruby : Hardcoded sensitive data in your application?

See also

Ruby

Ruby : Weak hashing algorithm

Ruby

Ruby : Empty encryption key

Ruby

Ruby : Undocumented feature: special account