You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The "password" field in ../vulnerabilities/static.js ("" line 14) looks like a hardcoded password:
password: '****'
Risk
Hardcoded passwords are a dangerous practice for a few reasons.
First, having passwords in source code implicitly gives backend system access
to anyone with access to the code repository or built binaries. Given the history of source code
disclosure flaws in server software, and the possibility of compromise when using cloud-based
source code repositories, assuming attacker access to your source code is a prudent philosophy.
Second, hardcoded passwords make responding to security events more difficult. If a
backend password needs to be rotated, a new build must be elevated to compensate. If the value is
pulled from a configuration file instead, the operations team can respond nearly instantaneously.
Trace UUID: 4FOL-ESDL-ER7D-EXGJ
https://apptwo.contrastsecurity.com/Contrast/static/ng/index.html#/f7ea7169-d4eb-42c4-b32e-5c0ea0ca9733/vulns/4FOL-ESDL-ER7D-EXGJ/overview
Description
The "password" field in ../vulnerabilities/static.js ("" line 14) looks like a hardcoded password:
Risk
Hardcoded passwords are a dangerous practice for a few reasons.
First, having passwords in source code implicitly gives backend system access
to anyone with access to the code repository or built binaries. Given the history of source code
disclosure flaws in server software, and the possibility of compromise when using cloud-based
source code repositories, assuming attacker access to your source code is a prudent philosophy.
Second, hardcoded passwords make responding to security events more difficult. If a
backend password needs to be rotated, a new build must be elevated to compensate. If the value is
pulled from a configuration file instead, the operations team can respond nearly instantaneously.
Recommendation to fix this finding
The password detected should be taken out of source code and made available via configuration
management. An encrypted properties file like the one provided by https://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/reference/crypto/DefaultEncryptedProperties.java?r=1121$$LINK_DELIM$$ESAPI
would allow the code to be taken out of the source code and be provided environment-specific values.
Alternatively, the value could be taken from System properties.
The text was updated successfully, but these errors were encountered: