
Hardcoded Cryptographic Key in ../vulnerabilities/static.js line 28 #305

Status: Open
sourabhkatti (Owner) opened this issue Aug 1, 2018 · 0 comments

Trace UUID: CS31-ZPS0-W4SY-Z19V

https://apptwo.contrastsecurity.com/Contrast/static/ng/index.html#/f7ea7169-d4eb-42c4-b32e-5c0ea0ca9733/vulns/CS31-ZPS0-W4SY-Z19V/overview

Description

The "blowfish" field in ../vulnerabilities/static.js (line 28) looks like a hardcoded cryptographic key:

conf.blowfish = '****'

Risk

Hardcoded cryptographic keys are a dangerous practice for a few reasons.

First, having cryptographic keys in source code implicitly gives access to all encrypted
data to anyone with access to the code repository or built binaries. Given the history of source code
disclosure flaws in server software, and the possibility of compromise when using cloud-based
source code repositories, assuming attacker access to your source code is a prudent philosophy.

Second, hardcoded cryptographic keys make responding to security events more difficult. If a
cryptographic key needs to be rotated, a new build must be elevated to compensate. If the value is
pulled from a configuration file instead, the operations team can respond nearly instantaneously.

Recommendation to fix this finding

The key detected should be taken out of source code and made available via configuration
management. An encrypted properties file like the one provided by ESAPI
(https://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/reference/crypto/DefaultEncryptedProperties.java?r=1121)
would allow the code to be taken out of the source code and be provided environment-specific values.

Alternatively, the value could be taken from System properties.
