Hardcoded Credentials
ID |
python.hardcoded_credentials |
Severity |
high |
Resource |
Information Leak |
Language |
Python |
Tags |
CWE:798, NIST.SP.800-53, OWASP:2021:A7, PCI-DSS:6.5.3 |
Description
Hardcoded credentials refer to embedding usernames, passwords, or other forms of authentication data directly within the source code. This practice poses significant security risks, as it may enable unauthorized access if the code is exposed.
Rationale
When credentials such as usernames, passwords, API tokens, or cryptographic keys are statically coded into an application, they become susceptible to being exposed through source code leaks or reverse engineering. This issue is particularly concerning in Java applications, where decompilation attacks can easily reveal sensitive information embedded within the code.
Here is an example of vulnerable code with hardcoded credentials:
import ftplib
user = 'Elon'
password = 'the.super.secret'
ftp = ftplib.FTP (netloc, user, passwd=password) # FLAW
ftp.login (user, passwd=password) # FLAWIn this example, the credentials are embedded directly within the Python script. If the source code is leaked or accessed, these credentials provide attackers with direct access to the FTP host.
Remediation
To remediate the issue of hardcoded credentials in your applications, follow these best practices:
Externalize Credentials: Store sensitive information such as usernames and passwords in external configuration files, environment variables, or secure vaults. This method ensures that the actual codebase does not contain sensitive data, reducing the risk of exposure.
Environment Variables: Use environment variables to manage credentials. They can be set on the server or container running the application and accessed by the application at runtime.
Secure Configuration Management: Use a secure configuration management tool like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault to store and access sensitive credentials securely. These tools provide mechanisms to manage, rotate, and control access to credentials.
Logical Separation: Implement logical separation of sensitive code and use principles like the 12-factor app to effectively manage configuration outside the source code.
Rotate and Audit: Regularly rotate credentials and perform audits to ensure that no hardcoded sensitive information exists within the codebase.
By adopting these remediation strategies, you can significantly reduce the risk associated with hardcoded credentials and ensure that your applications maintain a strong security posture.
References
-
CWE-798 : Use of Hard-coded Credentials.
-
OWASP - Top 10 2021 Category A07 : Identification and Authentication Failures.