CS.HCC.USER

Use of hard-coded credentials (username)

If software contains hard-coded credentials for authentication, the software is highly vulnerable to attacks because a malicious user has the opportunity to extract this information from the executable file.

The CS.HCC.USER checker detects the use of hard-coded usernames as parameters of authentication functions. It also detects cases where software compares user credentials with internal hard-coded values in back-end applications. Hard-coded credentials are not only literals passed to an authentication function; they may also appear as a hard-coded check. If the username or password handled by an authentication function is compared against a hard-coded string, that is a vulnerability as well. By default, the checker knows the authentication functions of popular software libraries; it can also be configured to recognize custom authentication functions.

Vulnerability and risk

The use of hard-coded credentials makes it possible for an attacker to extract the credentials from the executable file and bypass the authentication. Hard-coded credentials create a significant risk that may be difficult to detect and to fix.

Mitigation and prevention

For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. For inbound authentication: rather than hard-coding a default username and password, key, or other authentication credential for first-time logins, implement a "first login" mode that requires the user to enter a unique strong password or key.

Vulnerable code example 1

    namespace HCC_USER
    {
        class Program
        {
            int VerifyAdminUser(string UserName)
            {
                if (UserName.Equals("user@name"))   // hard-coded username: the defect Klocwork reports
                {
                    System.Console.WriteLine("Entering Diagnostic Mode...");
                    return 1;
                }
                System.Console.WriteLine("Incorrect userName");
                return 0;
            }
        }
    }

In this example, Klocwork reports a defect at line 7 (the comparison with the literal "user@name"), with the message "Use of a hardcoded user name through the call to function 'UserName.Equals'".

Fixed code example 1

    namespace Data
    {
        public class Database
        {
            public static int VerifyUser(string user)
            {
                // Placeholder: a real implementation looks the user up in the
                // database (or another protected store) and returns its verdict.
                return 1;
            }
        }
    }

    namespace HCC_USER
    {
        class Program
        {
            int VerifyAdminUser(string UserName)
            {
                // No username literal in the code: the decision comes from the store.
                return Data.Database.VerifyUser(UserName);
            }
        }
    }

In this fixed example, Klocwork no longer reports a defect.
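The inbound-authentication mitigation described above, carried through in C# as an added example (this is not Klocwork's code): the admin account has no default credential, a "first login" step sets one, and verification compares a salted PBKDF2 hash from the store in constant time. It assumes .NET 6 or later; the in-memory dictionary stands in for the protected database or encrypted configuration, and the PBKDF2 parameters are my choice.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

namespace HCC_USER
{
    // Credential record kept in a protected store (database or encrypted config),
    // never in source: only a salted PBKDF2 hash of the secret is retained.
    public sealed record StoredCredential(byte[] Salt, byte[] Hash, int Iterations);

    public static class CredentialStore
    {
        // In-memory dictionary standing in for the protected store (assumption for this example).
        private static readonly Dictionary<string, StoredCredential> Users = new();

        // "First login" mode: no default username/password ships with the software;
        // the operator must set a strong secret before the account is usable.
        public static void SetFirstLoginPassword(string user, string password)
        {
            if (Users.ContainsKey(user))
                throw new InvalidOperationException("credential already set");
            if (password.Length < 12)
                throw new ArgumentException("password too short");
            byte[] salt = RandomNumberGenerator.GetBytes(16);
            const int iterations = 100_000;
            byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, HashAlgorithmName.SHA256, 32);
            Users[user] = new StoredCredential(salt, hash, iterations);
        }

        // Inbound check: the expected value comes from the store, not from a string
        // literal, and the comparison is constant-time so mismatches leak no timing.
        public static bool VerifyUser(string user, string password)
        {
            if (!Users.TryGetValue(user, out var cred))
                return false;
            byte[] candidate = Rfc2898DeriveBytes.Pbkdf2(password, cred.Salt, cred.Iterations, HashAlgorithmName.SHA256, cred.Hash.Length);
            return CryptographicOperations.FixedTimeEquals(candidate, cred.Hash);
        }
    }

    class Program
    {
        static void Main()
        {
            CredentialStore.SetFirstLoginPassword("admin", "correct horse battery staple");
            Console.WriteLine(CredentialStore.VerifyUser("admin", "correct horse battery staple"));
            Console.WriteLine(CredentialStore.VerifyUser("admin", "user@name"));
        }
    }
}
```

Because no username or secret appears as a literal passed to or compared by the verification routine, there is nothing for CS.HCC.USER to flag and nothing to recover from the binary.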

Related checkers

Security training

Application security training materials provided by Secure Code Warrior.