SV.PASSWD.PLAIN.HC

Insufficiently Protected Credentials

This issue occurs when a product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Vulnerability and risk

An attacker could gain access to user accounts and access sensitive data used by the user accounts.

Vulnerable code example

1   Properties prop = new Properties();
2   prop.load(new FileInputStream("config.properties"));
3   String password = prop.getProperty("password"); //Defect
4   DriverManager.getConnection(url, usr, password);

Klocwork reports an SV.PASSWD.PLAIN.HC defect on line 3 as the above code reads a password from a properties file and uses the password to connect to a database. This code will run successfully, but anyone who has access to the config.properties file can read the value of the password. If, for example, an employee has access to this information, they can use it to break into the system.

Fixed code example

1    /*
2     * First, create (or ask some other component for) the adequate encryptor for
3     * decrypting the values in the .properties file.
4     */
5    StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
6    encryptor.setPassword("jasypt"); // could be obtained from the web, env variable, etc
7    encryptor.setAlgorithm("PBEWithHMACSHA512AndAES_256");
8    encryptor.setIvGenerator(new RandomIvGenerator());
9     
10   /*
11    * Create an EncryptableProperties object and load it the usual way.
12    */
13   Properties props = new EncryptableProperties(encryptor);
14   props.load(new FileInputStream("/path/to/my/configuration.properties"));
15   
16   /*
17    * To get an encrypted value, do exactly the same. Decryption will
18    * be transparently performed behind the scenes.
19    */
20   String datasourcePassword = props.getProperty("datasource.password");

Klocwork no longer reports a defect when retrieving the password from the properties file because an encryption technique (Jasypt encryption) is used on the properties file.

Security training

Application security training materials provided by Secure Code Warrior.