SEC-STRING-hard-coded-credentials
Synopsis
The application hard codes a username or password to connect to an external component.
Enabled by default
No
Severity/Certainty
Medium/Medium

Full description
The application uses a hard-coded username or password to connect to an external resource, such as a database. An attacker might extract the password from the application binary through an exploit, or, if the application is intended for client-side use, extract the credentials directly from the distributed binary. Credentials should instead be read into the application at run time from a strongly protected, encrypted configuration file or database.

This check supports the following C/C++ SQL libraries:
- MySQL C API
- MySQL Connector/C++
- libpq (PostgreSQL)
- libpq++ (PostgreSQL)
- libpqxx (PostgreSQL)
- Microsoft ODBC
- OLE DB

It also supports the Windows login functions. This check is identical to CERT-MSC41-C_a.
Coding standards
- CERT MSC41-C: Never hard code sensitive information
- CWE 798: Use of Hard-coded Credentials
Code examples
The following code example fails the check and will give a warning, because the password passed to mysql_real_connect is a string literal compiled into the binary:
#include <mysql/mysql.h>

void example(MYSQL *conn, const char *b) {
    char *a = "top_secret_password";   /* hard-coded password: this is what the check flags */
    mysql_real_connect(conn, "localhost", b, a, "FOO", 2000, NULL, 0);
}
The following code example passes the check and will not give a warning about this issue, because both the username and the password are read at run time from a (protected) configuration file rather than stored in the binary:
#include <stdio.h>
#include <mysql/mysql.h>

void example(MYSQL *conn, FILE *f) {
    char b[64];   /* username, read from the configuration file */
    char a[64];   /* password, read from the same file */
    /* "%63[^;]" stops at the ';' separator; a bare "%s" would only stop at whitespace */
    if (fscanf(f, "%63[^;];%63s", a, b) != 2)
        return;
    mysql_real_connect(conn, "localhost", b, a, "FOO", 2000, NULL, 0);
}
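As an added illustration of the pattern this check looks for (it is not the tool's own implementation), the following Python script flags a string literal, or a char pointer initialised from one, in the password position of three of the listed connect functions; the argument positions come from the libraries' documented signatures, and the C sample it scans is constructed.

```python
import re

# Password argument position (0-based) in three of the connect functions the check
# covers, taken from the libraries' documented signatures (MySQL C API, libpq, ODBC).
PASSWORD_ARG = {"mysql_real_connect": 3, "PQsetdbLogin": 6, "SQLConnect": 5}
STRING_LITERAL = re.compile(r'^"(?:[^"\\]|\\.)*"$')
# `char *name = "...";` so a pointer initialised from a literal (the failing example) is caught
VAR_FROM_LITERAL = re.compile(r'\bchar\s*\*\s*(\w+)\s*=\s*("(?:[^"\\]|\\.)*")')
CALL_START = re.compile(r'\b(' + "|".join(PASSWORD_ARG) + r')\s*\(')
# Tokens: a whole string literal, one paren/comma, or a run of anything else
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|[(),]|[^"(),]+')

def split_args(text, open_paren):
    """Split the call's arguments at top-level commas; text[open_paren] is its '('."""
    depth, args, cur = 0, [], []
    for tok in TOKEN.findall(text[open_paren:]):
        if tok == "(":
            depth += 1
            if depth == 1:
                continue
        elif tok == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(cur).strip())
                return args
        elif tok == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
            continue
        cur.append(tok)
    return args  # unterminated call: return what was parsed

def find_hardcoded_credentials(source):
    """Return (function, password_text) for each call whose password argument is hard-coded."""
    literal_vars = dict(VAR_FROM_LITERAL.findall(source))
    findings = []
    for m in CALL_START.finditer(source):
        fn, args = m.group(1), split_args(source, m.end() - 1)
        idx = PASSWORD_ARG[fn]
        if idx < len(args) and (STRING_LITERAL.match(args[idx]) or args[idx] in literal_vars):
            findings.append((fn, literal_vars.get(args[idx], args[idx])))
    return findings

# Constructed sample (not real project code): two failing calls and one clean one
SAMPLE = r'''
void bad(MYSQL *c) { char *a = "top_secret_password"; mysql_real_connect(c, "localhost", "app_user", a, "FOO", 2000, NULL, 0); }
void bad2(void) { PQsetdbLogin("db.example", "5432", NULL, NULL, "app", "app_user", "p,w(d)"); }
void good(SQLHDBC h, SQLCHAR *user, SQLCHAR *pw) { SQLConnect(h, (SQLCHAR *)"dsn", SQL_NTS, user, SQL_NTS, pw, SQL_NTS); }
'''
```

Running find_hardcoded_credentials(SAMPLE) reports the two bad calls and stays silent on good, whose password arrives through a parameter.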