CWE-522: Insufficiently Protected Credentials
Learn about CWE-522 (Insufficiently Protected Credentials), its security impact, exploitation methods, and prevention guidelines.
What is Insufficiently Protected Credentials?
• Overview: Insufficiently Protected Credentials occurs when a system transmits or stores authentication credentials using insecure methods, making them susceptible to interception or unauthorized access.
• Exploitation Methods:
- Attackers can exploit this vulnerability by intercepting data during transmission (e.g., using packet sniffers).
- Common attack patterns include man-in-the-middle attacks and eavesdropping on unencrypted network traffic.
• Security Impact:
- Direct consequences include unauthorized access to user accounts and sensitive data.
- Potential cascading effects involve further data breaches and exploitation of other system vulnerabilities.
- Business impact can include financial loss, reputational damage, and legal consequences due to non-compliance with data protection regulations.
• Prevention Guidelines:
- Use strong encryption protocols (e.g., TLS/SSL) to protect credentials during transmission.
- Store passwords using secure hashing algorithms (e.g., bcrypt, Argon2) rather than plain text or reversible encryption.
- Implement security best practices such as multi-factor authentication and regular security audits.
- Recommended tools and frameworks include libraries and services that handle secure credential storage and transmission, like OpenSSL and OAuth.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not Language-Specific
Affected Technologies: ICS/OT
Vulnerable Code Example
const fs = require('fs');
function saveCredentials(username, password) {
// Vulnerability: Storing credentials in plaintext in a JSON file
// This is insecure and can lead to credential theft
const credentials = JSON.stringify({ username: username, password: password });
fs.writeFileSync('credentials.json', credentials); // Insecure storage
}
How to fix Insufficiently Protected Credentials?
To address the vulnerability:
-
Hash Passwords: Use a strong hash function such as bcrypt to hash passwords before saving. Hashing ensures that the actual password is not stored and is not easily recoverable.
-
Secure File Storage: Consider using a more secure storage solution like a database that supports encryption, rather than flat files.
-
Use Environment Variables: For sensitive information, utilize environment variables or secure vaults instead of hardcoding in the source code.
-
Access Permissions: Limit access to the storage files or databases to only those who need it.
Fixed Code Example
const fs = require('fs');
const bcrypt = require('bcrypt');
function saveCredentials(username, password) {
// Fix: Hash the password before saving using bcrypt
const saltRounds = 10;
const hashedPassword = bcrypt.hashSync(password, saltRounds); // Salts and hashes the password
const credentials = JSON.stringify({ username: username, password: hashedPassword });
// Ideally use a secure database or encrypted storage
fs.writeFileSync('credentials_secure.json', credentials); // Still not ideal, but improved
// Additional security: Set proper file permissions
fs.chmodSync('credentials_secure.json', 0o600); // Restrict file access
}
Explanation
- Hash Passwords: The password is hashed using
bcrypt.hashSyncwith a salt, making it secure against rainbow table attacks. - Secure File Storage: Although the example still uses a file, it is recommended to use a secure database with encryption for storing credentials.
- File Permissions: File permissions are set to restrict access, ensuring that only the owner can read or write the file.
- Environment Variables: While not demonstrated in the example, sensitive information such as database credentials should be stored in environment variables or secure vaults.