logo

ASP.NET Misconfiguration: Password in Configuration File

Draft Variant
Structure: Simple
Description

This vulnerability occurs when an ASP.NET application stores passwords or other sensitive credentials in plaintext within configuration files like web.config. This exposes those credentials to anyone with file system access, effectively bypassing security controls and granting unauthorized access to protected resources.

Extended Description

Configuration files such as web.config are often deployed alongside application code and may be readable by various system accounts or, in worst-case scenarios, accessible via web server misconfigurations. Storing secrets like database passwords, API keys, or service account credentials in these files creates a single point of failure. Attackers who can read the file—whether through directory traversal, compromised backups, or insider access—immediately gain the privileges associated with those credentials. To prevent this, never store sensitive values in plaintext within configuration files. Instead, use secure alternatives like the ASP.NET built-in mechanisms for protecting configuration sections (e.g., `aspnet_regiis`), the Protected Configuration feature with RSA or DPAPI, or dedicated secret management services such as Azure Key Vault or HashiCorp Vault. For connection strings, consider using Integrated Windows Authentication where possible to eliminate password storage entirely.
Common Consequences 1
Scope: Access Control

Impact: Gain Privileges or Assume Identity
Potential Mitigations 1
Phase: Implementation
Credentials stored in configuration files should be encrypted, Use standard APIs and industry accepted algorithms to encrypt the credentials stored in configuration files.
Demonstrative Examples 1
The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database, but the pair is stored in plaintext.

Code Example:

Bad
ASP.NET
asp.net
Username and password information should not be included in a configuration file or a properties file in plaintext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information.
References 4
Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors
Katrina Tsipenyuk, Brian Chess, and Gary McGraw
NIST Workshop on Software Security Assurance Tools Techniques and MetricsNIST
07-11-2005
https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf
ID: REF-6
How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
Microsoft Corporation
https://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff647398(v=pandp.10)?redirectedfrom=MSDN(2023-04-07)
ID: REF-103
How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
Microsoft Corporation
https://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff650304(v=pandp.10)?redirectedfrom=MSDN(2023-04-07)
ID: REF-104
.NET Framework Developer's Guide - Securing Connection Strings
Microsoft Corporation
http://msdn.microsoft.com/en-us/library/89211k9b(VS.80).aspx
ID: REF-105
Modes of Introduction
Architecture and Design
Implementation
Related Weaknesses
ChildOf: Password in Configuration File (CWE-260)
Taxonomy Mapping
  • 7 Pernicious Kingdoms