CWE-798: Use of Hard-coded Credentials

Learn about CWE-798 (Use of Hard-coded Credentials), its security impact, exploitation methods, and prevention guidelines.

What is Use of Hard-coded Credentials?

• Overview: Use of Hard-coded Credentials occurs when a software product includes fixed credentials, such as passwords or cryptographic keys, directly in its code. This practice can lead to severe security issues because these credentials are often exposed and cannot be easily changed by users.

• Exploitation Methods:

  • Attackers can reverse engineer software or inspect the code to discover hard-coded credentials.
  • Common attack patterns include scanning code repositories, decompiling applications, or intercepting network traffic to find credential information.

• Security Impact:

  • Direct consequences include unauthorized access to the system or application using the discovered credentials.
  • Potential cascading effects involve compromised systems leading to further breaches or data exfiltration.
  • Business impact may include data breaches, loss of customer trust, legal penalties, and financial losses.

• Prevention Guidelines:

  • Specific code-level fixes include removing hard-coded credentials from the codebase and using secure credential storage solutions.
  • Security best practices involve using environment variables, configuration files, or secure vaults to manage sensitive information.
  • Recommended tools and frameworks include HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault for secure credential management.

Corgea can automatically detect and fix Use of Hard-coded Credentials in your codebase. [Try Corgea free today](https://corgea.app).
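The exploitation section above notes that attackers find hard-coded credentials by scanning code repositories; the same idea works for defenders as a pre-commit or CI check. The following added example (not Corgea's scanner and not code from the original page) flags assignments of non-empty string literals to secret-looking variable names, while ignoring reads from the environment. The sample source it scans is constructed for illustration, and the name pattern is deliberately narrow: a bare username is not flagged on its own.

```python
import re
from typing import List, Tuple

# Constructed sample source (not from any real project) used as scanner input.
SAMPLE_SOURCE = """\
import os
DATABASE_USERNAME = "admin"
DATABASE_PASSWORD = "password123"
API_KEY = 'sk_live_EXAMPLE_PLACEHOLDER'
timeout = 30
DB_PASSWORD = os.getenv("DB_PASSWORD")
token = ""
"""

# Variable names that commonly hold secrets (matched case-insensitively).
_SECRET_NAME = re.compile(
    r"(pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key)", re.IGNORECASE
)

# An assignment whose right-hand side is a single non-empty string literal,
# optionally followed by a trailing comment.
_LITERAL_ASSIGN = re.compile(
    r"""^\s*(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*"""
    r"""(?P<quote>['"])(?P<value>.+?)(?P=quote)\s*(#.*)?$"""
)


def find_hardcoded_credentials(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, variable_name) for every string literal assigned to a
    secret-looking name.

    Calls such as os.getenv(...) are not literals and never match, and empty
    strings are skipped, so the fixed pattern from this page produces no finding.
    """
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = _LITERAL_ASSIGN.match(line)
        if match and _SECRET_NAME.search(match.group("name")):
            # Report the name and line only; never echo the secret value itself
            # into CI logs, where it would be exposed a second time.
            findings.append((lineno, match.group("name")))
    return findings


def scan_file(path: str) -> List[Tuple[int, str]]:
    """Convenience wrapper for running the check over a file on disk."""
    with open(path, encoding="utf-8") as fh:
        return find_hardcoded_credentials(fh.read())


if __name__ == "__main__":
    for lineno, name in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {lineno}: literal assigned to secret-looking name {name!r}")
```

Wire `scan_file` into a pre-commit hook or CI job and fail the build on any finding; a regex check of this kind is cheap and catches the obvious cases, while dedicated secret scanners add entropy analysis and provider-specific key formats on top.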

Technical Details

Likelihood of Exploit: High

Affected Languages: Not Language-Specific

Affected Technologies: Mobile, ICS/OT

Vulnerable Code Example


```python config.py {2-3}
# Vulnerable code: Hard-coded credentials pose a security risk as they can be easily extracted from the source code
DATABASE_USERNAME = "admin"  # Hard-coded username
DATABASE_PASSWORD = "password123"  # Hard-coded password
```

In this example, sensitive information such as database credentials is hard-coded directly into the source code. This is a significant security risk: anyone who obtains the source, a build artifact, or repository history can read the credentials, and rotating them requires shipping new code to every installation.

How to fix Use of Hard-coded Credentials?

To mitigate the risk of hard-coded credentials, follow these best practices:

  1. Environment Variables: Store sensitive information in environment variables. This keeps credentials separate from your source code and allows for easy configuration changes without code modifications.

  2. Configuration Files: Use configuration files that are not included in source control (e.g., add them to .gitignore for Git projects). Ensure these files are read at runtime to set necessary credentials.

  3. Secret Management Tools: Utilize secret management tools like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault. These tools provide secure storage and access control for sensitive information.

  4. Access Control: Limit access to credentials to only those who require it, and regularly rotate credentials to minimize the risk of exposure.

Fixed Code Example

```python config.py
import os  # Access environment variables

# Fixed code: read credentials from the environment instead of the source
DATABASE_USERNAME = os.getenv("DATABASE_USERNAME")  # Retrieve username from environment variable
DATABASE_PASSWORD = os.getenv("DATABASE_PASSWORD")  # Retrieve password from environment variable

# os.getenv() returns None when a variable is unset; fail fast rather than
# connecting with None or silently falling back to a default password
if not DATABASE_USERNAME or not DATABASE_PASSWORD:
    raise RuntimeError("DATABASE_USERNAME and DATABASE_PASSWORD must be set in the environment")

# Set the variables in the deployment environment, for example:
#   export DATABASE_USERNAME='your_username'
#   export DATABASE_PASSWORD='your_password'
```

By using environment variables, we keep sensitive information out of the source code. This approach enhances security by making it harder for attackers to access the credentials directly, as they are stored outside the application's codebase.
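The fixed example reads environment variables only. The following added example (not code from the original page) generalizes the approach to the first two guidelines above, environment variables and a configuration file kept out of source control, with environment taking precedence, and it reports every missing secret at once instead of failing on the first. The function names, the JSON file format and the sample values are assumptions made for this illustration.

```python
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Mapping, Optional


class MissingSecretError(RuntimeError):
    """Raised when a required secret is configured nowhere."""


def read_config_file(path: Path) -> Dict[str, str]:
    """Read a flat JSON object of secrets from a file that is listed in .gitignore.

    Returns an empty mapping when the file does not exist, so a deployment that
    relies purely on environment variables needs no file at all.
    """
    if not path.is_file():
        return {}
    with path.open(encoding="utf-8") as fh:
        data = json.load(fh)
    return {str(k): str(v) for k, v in data.items()}


def load_secret(
    name: str,
    env: Mapping[str, str] = os.environ,
    file_config: Optional[Mapping[str, str]] = None,
) -> str:
    """Resolve one secret: environment first, then the config file mapping.

    There is deliberately no built-in default value; a default password in code
    would reintroduce CWE-798 through the back door.
    """
    value = env.get(name)
    if value:
        return value
    if file_config:
        value = file_config.get(name)
        if value:
            return value
    raise MissingSecretError(f"secret {name!r} is not set")


def load_secrets(
    names: Iterable[str],
    env: Mapping[str, str] = os.environ,
    file_config: Optional[Mapping[str, str]] = None,
) -> Dict[str, str]:
    """Resolve several secrets and report all missing names together."""
    resolved: Dict[str, str] = {}
    missing = []
    for name in names:
        try:
            resolved[name] = load_secret(name, env, file_config)
        except MissingSecretError:
            missing.append(name)
    if missing:
        raise MissingSecretError(f"missing secrets: {', '.join(sorted(missing))}")
    return resolved


def redact(value: str) -> str:
    """Log-safe representation: reveals length only, never the value."""
    return f"<redacted, {len(value)} chars>"


if __name__ == "__main__":
    # Constructed demo: a config file outside the repository plus one env override.
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "secrets.json"
        cfg.write_text(json.dumps({"DATABASE_USERNAME": "app_user",
                                   "DATABASE_PASSWORD": "file-value"}))
        demo_env = {"DATABASE_PASSWORD": "env-value"}  # constructed, not os.environ
        secrets = load_secrets(["DATABASE_USERNAME", "DATABASE_PASSWORD"],
                               env=demo_env, file_config=read_config_file(cfg))
        for key, val in secrets.items():
            print(f"{key} = {redact(val)}")
```

The precedence rule (environment over file) lets an operator override a single value in a container without editing the file, and `redact` is what the application should use wherever a secret might otherwise reach a log line or an error message.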

