Hardcoded Credentials

ID

java.hardcoded_credentials

Severity

high

Resource

Information Leak

Language

Java

Tags

CWE:798, NIST.SP.800-53, OWASP:2021:A7, PCI-DSS:6.5.3

Description

Hardcoded credentials refer to embedding usernames, passwords, or other forms of authentication data directly within the source code. This practice poses significant security risks, as it may enable unauthorized access if the code is exposed.

Rationale

When credentials such as usernames, passwords, API tokens, or cryptographic keys are statically coded into an application, they become susceptible to being exposed through source code leaks or reverse engineering. This issue is particularly concerning in Java applications, where decompilation attacks can easily reveal sensitive information embedded within the code.

Consider the following Java code snippet that demonstrates hardcoded credentials:

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

public class Hardcoded {
  // Placeholder URL added so the snippet compiles; the credentials below are the problem.
  private static final String JDBC_URL = "jdbc:postgresql://db.example.com/app";
  // Credentials embedded as constants: anyone with the source or the .class file can read them.
  private static final String USER = "user";
  private static final String PASS = "secret";

  public void connect() throws SQLException {
    Connection conn = DriverManager.getConnection(JDBC_URL, USER, PASS);
    // ...
  }
}

In the above example, the username and password are hardcoded as constants, making them visible to anyone who has access to the source code or can decompile the Java class files. This practice should be avoided to prevent unauthorized access and data breaches.

Remediation

To remediate the issue of hardcoded credentials in your applications, follow these best practices:

Externalize Credentials: Store sensitive information such as usernames and passwords in external configuration files, environment variables, or secure vaults. This method ensures that the actual codebase does not contain sensitive data, reducing the risk of exposure.

Environment Variables: Use environment variables to manage credentials. They can be set on the server or container running the application and accessed by the application at runtime.

Secure Configuration Management: Use a secure configuration management tool like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault to store and access sensitive credentials securely. These tools provide mechanisms to manage, rotate, and control access to credentials.

Logical Separation: Keep configuration strictly separate from code, following the 12-factor app principle of storing config in the environment, so that credentials never need to appear in the source tree.

Rotate and Audit: Regularly rotate credentials and perform audits to ensure that no hardcoded sensitive information exists within the codebase.

By adopting these remediation strategies, you can significantly reduce the risk associated with hardcoded credentials and ensure that your applications maintain a strong security posture.
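The following is an added example, not code from the rule page, showing the Hardcoded class above remediated along the lines of the Environment Variables and Logical Separation points: credentials are read from the process environment at runtime and a missing variable fails closed instead of falling back to a default. The variable names DB_URL, DB_USER and DB_PASSWORD are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Map;
import java.util.Properties;

/**
 * Remediated version of the Hardcoded example: the compiled class contains no
 * credentials; they are supplied by the deployment environment (12-factor style).
 * DB_URL, DB_USER and DB_PASSWORD are assumed variable names, not part of the rule page.
 */
public class ExternalizedCredentials {
  private final Map<String, String> env;

  public ExternalizedCredentials(Map<String, String> env) {
    this.env = env;
  }

  public ExternalizedCredentials() {
    this(System.getenv());
  }

  /** Fail closed: a missing variable is a deployment error, never a reason to use a built-in default. */
  private String require(String name) {
    String value = env.get(name);
    if (value == null || value.isBlank()) {
      // Name the missing variable, never echo its value.
      throw new IllegalStateException("Missing required environment variable: " + name);
    }
    return value;
  }

  /** Builds the JDBC properties without placing the password in a constant or a log line. */
  Properties connectionProperties() {
    Properties props = new Properties();
    props.setProperty("user", require("DB_USER"));
    props.setProperty("password", require("DB_PASSWORD"));
    return props;
  }

  public Connection connect() throws SQLException {
    return DriverManager.getConnection(require("DB_URL"), connectionProperties());
  }

  public static void main(String[] args) throws SQLException {
    // Run as: DB_URL=jdbc:... DB_USER=... DB_PASSWORD=... java ExternalizedCredentials
    try (Connection conn = new ExternalizedCredentials().connect()) {
      System.out.println("Connected as " + System.getenv("DB_USER"));
    }
  }
}
```

Because the class reads its configuration through a Map, a unit test can pass a constructed map and assert that connect() refuses to proceed when DB_PASSWORD is absent, which is the behaviour a hardcoded fallback would silently hide.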

References