CS.HCC
Use of hard-coded credentials (password and username)
If software contains hard-coded credentials for authentication, the software is highly vulnerable to attacks because a malicious user has the opportunity to extract this information from the executable file.
The HCC checker detects the use of hard-coded credentials--passwords and usernames--as parameters for authentication functions. The HCC checker also detects cases where software compares user credentials with internal hard-coded values in back-end applications. Hard-coded credentials may not only be coded as credentials used to authenticate a function; they may also be used as a hard-coded check. If a username or a password of an authentication function is compared to a hard-coded string, this is also a vulnerability. By default, this checker considers the functions from popular software libraries, but can also be configured to detect custom authentication functions.
Vulnerability and risk
The use of hard-coded credentials makes it possible for an attacker to extract the credentials from the executable file and bypass the authentication. Hard-coded credentials create a significant risk that may be difficult to detect and to fix.
Mitigation and prevention
For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, implement a "first login" mode that requires the user to enter a unique strong password or key.
Vulnerable code example 1
namespace HCC
{
class Program
{
int VerifyAdminUserPassword(String userPassword)
{
if (userPassword.Equals("username:pwd@123"))
{
Console.WriteLine("Entering Diagnostic Mode...");
return (1);
}
Console.WriteLine("Incorrect user or password");
return (0);
}
}
}In this example, Klocwork reports a defect at line 7, indicating, "Use of a hardcoded credentials through the call to function 'System.String.Equals'."
Fixed code example 1
namespace Data
{
public class Database
{
public static int VerifyUserPwd(string userPassword)
{
//verify user and pwd at database
return 1;
}
}
}
namespace HCC
{
class Program
{
int VerifyAdminUser(String userPassword)
{
return Data.Database.VerifyUserPwd(userPassword);
}
}
}In this fixed example, Klocwork no longer reports a defect.
Vulnerable code example 2
namespace HCC
{
class Program
{
public static bool mySqlConnection()
{
string cs = "server=localhost;user=root;database=sakila;port=3306;password=your_password";
using (MySqlConnection conn = new MySqlConnection(cs))
{
//Do operation
}
return true;
}
}
}In this example, Klocwork reports a defect at line 8, indicating, "Use of hardcoded credentials through the call to function 'MySql.Data.MySqlClient.MySqlConnection.#constructor"
Fixed code example 2
namespace HCC
{
class Program
{
private static string getString()
{
//Implementation
throw new NotImplementedException();
}
public static bool mySqlConnection( )
{
string cs = getString();
using (MySqlConnection conn = new MySqlConnection(cs))
{
//perform operation
}
return true;
}
}
}In this corrected example, Klocwork no longer reports a defect.
Related checkers
External guidance
Security training
Application security training materials provided by Secure Code Warrior.
