CWE-259: Use of Hard-coded Password

Learn about CWE-259 (Use of Hard-coded Password), its security impact, exploitation methods, and prevention guidelines.

What is Use of Hard-coded Password?

• Overview: Use of Hard-coded Password (CWE-259) occurs when a software product contains a password that is embedded directly into its source code, making it a fixed, unchangeable part of the software. The hard-coded password may serve inbound authentication (granting access to the software itself) or outbound authentication (the software connecting to other systems, such as a database).

• Exploitation Methods:

  • Attackers can gain unauthorized access by discovering and using the hard-coded password; because the same password ships in every copy of the software, a single disclosure affects every installation.
  • Common attack patterns include reverse engineering the software to extract passwords or searching the codebase for hard-coded credentials.

• Security Impact:

  • Direct consequences include unauthorized access to sensitive data or systems.
  • Potential cascading effects might involve lateral movement within a network, leading to further breaches.
  • Business impact includes reputational damage, financial loss, and potential legal issues due to data breaches.

• Prevention Guidelines:

  • Specific code-level fixes involve using configuration files or secure vaults to store passwords instead of hard-coding them.
  • Security best practices include implementing a secure password management strategy and ensuring passwords can be easily updated.
  • Recommended tools and frameworks include environment variables and secret management tools such as HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault to manage sensitive information securely.

Corgea can automatically detect and fix Use of Hard-coded Password in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: High

Affected Languages: Not Language-Specific

Affected Technologies: ICS/OT

Vulnerable Code Example

module.exports = {
  db: {
    host: 'localhost',
    user: 'admin',
    password: 'hardcoded_password' // Hard-coded password is a security risk!
  }
};

Explanation:

  • Hard-coded Password: Storing passwords directly in the source code makes them visible to anyone with access to the codebase, increasing the risk of unauthorized access if the code is leaked or shared.
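The "searching the codebase" step mentioned under Exploitation Methods is also what a defender runs first. The following detector is an added example and is not part of the Corgea page or product: it scans JavaScript/JSON-style configuration source for a credential-looking key assigned a string literal, and for the subtler `process.env.NAME || 'literal'` pattern, where a fallback default silently becomes the production secret. The key list, the regexes and the sample source are assumptions constructed for this example.

```javascript
// Added example, not part of the Corgea page: a lightweight detector for
// hard-coded credentials in JavaScript/JSON-style configuration source.
// It flags (1) a credential-looking key assigned a string literal and
// (2) a process.env lookup with a literal fallback, and it passes values
// that come purely from the environment. The key list, the regexes and the
// sample source below are assumptions constructed for this example.

// Heuristic: key names that usually hold secrets (matched case-insensitively,
// as a substring, so DB_PASSWORD and apiKey both match).
const CREDENTIAL_KEYS = /(password|passwd|pwd|secret|api[_-]?key|token)/i;

// key: 'literal'   |   key = "literal"   |   "key": "literal"
const LITERAL_ASSIGNMENT =
  /(['"]?)([A-Za-z_][A-Za-z0-9_-]*)\1\s*[:=]\s*(['"`])([^'"`]*)\3/;

// process.env.NAME || 'literal'  (a default that silently becomes the secret)
const ENV_FALLBACK = /process\.env\.(\w+)\s*\|\|\s*(['"`])([^'"`]*)\2/;

function findHardcodedCredentials(source) {
  const findings = [];
  source.split('\n').forEach((line, index) => {
    const lineNo = index + 1;

    const literal = LITERAL_ASSIGNMENT.exec(line);
    if (literal) {
      const [, , key, , value] = literal;
      // An empty literal is a placeholder, not a secret.
      if (CREDENTIAL_KEYS.test(key) && value.length > 0) {
        findings.push({ line: lineNo, key, rule: 'literal' });
        return;
      }
    }

    const fallback = ENV_FALLBACK.exec(line);
    if (fallback) {
      const [, envName, , value] = fallback;
      if (CREDENTIAL_KEYS.test(envName) && value.length > 0) {
        findings.push({ line: lineNo, key: envName, rule: 'env-fallback' });
      }
    }
  });
  // Findings deliberately omit the matched value so reports never echo the secret.
  return findings;
}

// Constructed sample resembling the vulnerable config above, plus two variants.
const SAMPLE_SOURCE = [
  "module.exports = {",
  "  db: {",
  "    host: 'localhost',",
  "    user: 'admin',",
  "    password: 'hardcoded_password', // flagged: literal secret",
  "    apiKey: process.env.API_KEY || 'sk-fallback-key', // flagged: literal fallback",
  "  },",
  "  safe: { password: process.env.DB_PASSWORD }, // passes: value comes from the environment",
  "  placeholder: { password: '' }, // passes: empty placeholder",
  "};",
].join('\n');

console.log(findHardcodedCredentials(SAMPLE_SOURCE));
```

Run it with `node` on the sample and it reports two findings (line 5, the literal; line 6, the fallback) and nothing for the environment-only and empty-placeholder lines. The report carries the line number and key name but never the matched value, so the scanner's own output does not become another place the secret leaks.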

How to fix Use of Hard-coded Password?

Best Practices:

  1. Environment Variables: Use environment variables to keep sensitive information out of the codebase.
  2. Secure Configuration Management: Utilize tools that offer secure storage for configuration data.
  3. Access Control & Monitoring: Implement strict access controls and monitoring to track access to sensitive information.

Fixed Code Example

require('dotenv').config(); // Load environment variables from a .env file

// Fail fast if the secret was not provided, rather than silently trying to
// connect with an undefined password.
if (!process.env.DB_PASSWORD) {
  throw new Error('DB_PASSWORD is not set; provide it via the environment or a .env file');
}

module.exports = {
  db: {
    host: 'localhost',
    user: 'admin',
    password: process.env.DB_PASSWORD // Retrieve the password from an environment variable
  }
};

Explanation:

  • Environment Variables: The dotenv package loads environment variables from a .env file, so the database password is read at runtime instead of being hard-coded into the application. A .env file is a convenience for local development; in production, inject DB_PASSWORD through the deployment platform or one of the secret management tools listed above rather than shipping a .env file with the application.
  • Security Controls: Add the .env file to .gitignore so it is never committed to version control, restrict read access to it to authorized personnel only, and keep the loaded value out of logs and error messages.
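Reading a secret from the environment is only part of the fix: the loader should also refuse placeholder values copied from a template and should keep the value out of logs. The config loader below is an added example, not code from the Corgea page or from dotenv. It builds the same db config from an environment object, fails fast when DB_PASSWORD is missing or still holds a placeholder, and wraps the password so that console.log, JSON.stringify and util.inspect print [REDACTED]. The names requireSecret, Secret, loadDbConfig and the placeholder list are assumptions made for this example.

```javascript
// Added example, not part of the Corgea page or of dotenv: a config loader
// that takes secrets from an environment object, fails fast when a required
// secret is missing or still holds a placeholder, and redacts the secret when
// the config is logged or serialized. The names requireSecret, Secret,
// loadDbConfig and the placeholder list are assumptions made for this example.

// Values that indicate someone copied a template without setting a real secret.
const PLACEHOLDER_VALUES = new Set(['', 'changeme', 'password', 'hardcoded_password']);

function requireSecret(env, name) {
  const value = env[name];
  if (typeof value !== 'string' || PLACEHOLDER_VALUES.has(value.trim().toLowerCase())) {
    // Name the variable in the error, never its (absent or placeholder) value.
    throw new Error(`${name} is not set or still holds a placeholder; set it in the environment`);
  }
  return value;
}

// Wraps a secret so console.log, JSON.stringify and util.inspect never print it;
// callers must ask for it explicitly with reveal().
class Secret {
  #value;
  constructor(value) { this.#value = value; }
  reveal() { return this.#value; }
  toString() { return '[REDACTED]'; }
  toJSON() { return '[REDACTED]'; }
  [Symbol.for('nodejs.util.inspect.custom')]() { return '[REDACTED]'; }
}

function loadDbConfig(env = process.env) {
  return {
    host: env.DB_HOST || 'localhost', // non-secret settings may keep a default
    user: env.DB_USER || 'admin',
    password: new Secret(requireSecret(env, 'DB_PASSWORD')), // secrets may not
  };
}

// Demo with a constructed environment object rather than the real process.env.
const demoConfig = loadDbConfig({ DB_PASSWORD: 'example-only-value' });
console.log(JSON.stringify(demoConfig)); // password serializes as "[REDACTED]"
```

In application code, pass `cfg.db.password.reveal()` to the database driver at the one place the connection is opened; everywhere else the config object can be logged or dumped without exposing the password. Passing the environment object in as a parameter (defaulting to process.env) also keeps the loader testable without touching the real environment.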

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-259: Use of Hard-coded Password and get remediation guidance

Start for free and no credit card needed.