HCC

Use of hard-coded credentials (password and username)

If software contains hard-coded credentials for authentication, the software is highly vulnerable to attacks because a malicious user has the opportunity to extract this information from the executable file.

The HCC checker detects the use of hard-coded credentials--passwords and usernames--as parameters for authentication functions. The HCC checker also detects cases where software compares user credentials with internal hard-coded values in back-end applications. Hard-coded credentials may not only be coded as credentials used to authenticate a function; they may also be used as a hard-coded check. If a username or a password of an authentication function is compared to a hard-coded string, this is also a vulnerability. By default, this checker considers the functions from popular software libraries, but can also be configured to detect custom authentication functions.

Vulnerability and risk

The use of hard-coded credentials makes it possible for an attacker to extract the credentials from the executable file and bypass the authentication. Hard-coded credentials create a significant risk that may be difficult to detect and to fix.

Mitigation and prevention

For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, implement a "first login" mode that requires the user to enter a unique strong password or key.

Vulnerable code example 1

In this example, Klocwork reports a defect at line 45, stating that the function connect_to_db is invoked by using hard-coded credentials.

Copy

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
   #include <mysql.h>
   
   typedef struct
   {
        char  *username;
        char  *password;
        char  *host;
   }
   login_t;
  
  void  work_with_db(MYSQL *);
  
  MYSQL *connect_to_db(login_t *login)
  {
      MYSQL *mysql = NULL;

      mysql = mysql_init(mysql);

      if  (!mysql) 
      {
           return  mysql;
      }

      if  (!mysql_real_connect(mysql,
                          login->host,
                          login->username,
                          login->password,
                          NULL,
                          0,
                          NULL,
                          CLIENT_FOUND_ROWS))
      { 
            return  NULL;
      }
      else
      {  
            return  mysql;
      }
  } 

  int  main( int  argc,  char  *argv[])
  {
        login_t login = {  "username" ,  "password" ,  "localhost"  };

        MYSQL *mysql = connect_to_db(&login);
      
        if  (!mysql) 
        { 
              return  -1;
        }

        work_with_db(mysql);
        mysql_close(mysql);

        return  0;
  }

Fixed code example 1

In this corrected example, Klocwork no longer reports that the function connect_to_db is invoked by using hard-coded credentials.

Copy

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
   #include <mysql.h>

   typedef struct 
   {
       char *username;
       char *password;
       char *host;
   } 
   login_t;
 
  login_t read_and_decrypt_auth_info();
  void work_with_db(MYSQL *);
    
  MYSQL *connect_to_db(login_t *login)
  {
      MYSQL *mysql = NULL;
 
      mysql = mysql_init(mysql);
 
      if (!mysql) 
      {
          return mysql;
      }
 
      if (!mysql_real_connect(mysql,
                              login->host,
                              login->username,
                              login->password,
                              NULL,
                              0,
                              NULL,
                              CLIENT_FOUND_ROWS))
      {
          return NULL;
      } 
      else 
      {
          return mysql;
      }
  }
 
  int main(int argc, char *argv[])
  {
      login_t login = read_and_decrypt_auth_info();   
 
      MYSQL *mysql = connect_to_db(&login);
   
      if (!mysql) 
      {
          return -1;
      }

      work_with_db(mysql);
      mysql_close(mysql);
 
      return 0;
  }

Vulnerable code example 2

In this example, Klocwork will report a defect at line 5, stating that user credentials are compared with hard-coded values.

Copy

1
2
3
4
5
6
7
8
   #include <string>
 
   bool connectToServer(const std::string &userAndPassword)
   {
     if (userAndPassword == "alice:s3cr3t")
       return true;
     return false;
   }

Fixed code example 2

In this correct example, Klocwork no longer reports a defect.

Copy

1
2
3
4
5
6
7
8
9
10
11
   #include <string>
    
   namespace database 
   {
     bool checkServerCredentials(const std::string &userAndPassword);
   }
 
   bool connectToServer(const std::string &userAndPassword)
   {
    return database::checkServerCredentials(userAndPassword);
  }

Related checkers

External guidance

Security training

Application security training materials provided by Secure Code Warrior.

Extension

This checker can be extended through the Klocwork knowledge base. See Tuning C/C++ analysis for more information.