Insufficiently Protected Credentials
Incomplete Class
Structure: Simple
Description
This vulnerability occurs when an application handles sensitive credentials like passwords or API keys in an insecure way, making them easy for attackers to steal during transmission or while stored.
Insufficiently protected credentials are a primary target for attackers. This happens when developers rely on weak or outdated methods, such as sending passwords in plain text over unencrypted connections (HTTP), storing them in easily accessible logs or public code repositories, or using weak encryption that can be easily reversed. Attackers exploit these flaws using simple network sniffing, searching public code commits, or accessing poorly secured databases to harvest credentials and gain unauthorized access. To prevent this, always enforce strong, modern security practices. This means using TLS (HTTPS) for all credential transmission, never logging or caching passwords, and employing robust, salted hashing algorithms (like Argon2 or bcrypt) for storage. Additionally, implement secure credential management solutions, such as secrets managers or environment variables, to keep keys out of your application code entirely. Regular security audits and automated scanning can help catch these dangerous oversights before they are exploited.
Common Consequences 1
Scope: Access Control
Impact: Gain Privileges or Assume Identity
An attacker could gain access to user accounts and access sensitive data used by the user accounts.
Detection Methods 1
Automated Static AnalysisHigh
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)Potential Mitigations 3
Phase: Architecture and Design
Use an appropriate security mechanism to protect the credentials.
Phase: Architecture and Design
Make appropriate use of cryptography to protect the credentials.
Phase: Implementation
Use industry standards to protect the credentials (e.g. LDAP, keystore, etc.).
Demonstrative Examples 6
ID : DX-56
This code changes a user's password.Code Example:
Bad
PHP
phpWhile the code confirms that the requesting user typed the same new password twice, it does not confirm that the user requesting the password change is the same user whose password will be changed. An attacker can request a change of another user's password and gain control of the victim's account.
ID : DX-57
The following code reads a password from a properties file and uses the password to connect to a database.Code Example:
Bad
Java
javaThis code will run successfully, but anyone who has access to config.properties can read the value of password. If a devious employee has access to this information, they can use it to break into the system.
ID : DX-58
The following code reads a password from the registry and uses the password to create a new network credential.Code Example:
Bad
Java
javaThis code will run successfully, but anyone who has access to the registry key used to store the password can read the value of password. If a devious employee has access to this information, they can use it to break into the system
ID : DX-59
Both of these examples verify a password by comparing it to a stored compressed version.Code Example:
Bad
C
cCode Example:
Bad
Java
java//Diagnostic Mode* return(1);}
Because a compression algorithm is used instead of a one way hashing algorithm, an attacker can recover compressed passwords stored in the database.
ID : DX-43
The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext.This Java example shows a properties file with a cleartext username / password pair.
Code Example:
Bad
Java
Java Web App ResourceBundle properties file*
javaThe following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database but the pair is stored in cleartext.
Code Example:
Bad
ASP.NET
asp.netUsername and password information should not be included in a configuration file or a properties file in cleartext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information.
ID : DX-153
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.Multiple vendors used cleartext transmission or storage of passwords in their OT products.
Observed Examples 11
CVE-2022-30018A messaging platform serializes all elements of User/Group objects, making private information available to adversaries
CVE-2022-29959Initialization file contains credentials that can be decoded using a "simple string transformation"
CVE-2022-35411Python-based RPC framework enables pickle functionality by default, allowing clients to unpickle untrusted data.
CVE-2022-29519Programmable Logic Controller (PLC) sends sensitive information in plaintext, including passwords and session tokens.
CVE-2022-30312Building Controller uses a protocol that transmits authentication credentials in plaintext.
CVE-2022-31204Programmable Logic Controller (PLC) sends password in plaintext.
CVE-2022-30275Remote Terminal Unit (RTU) uses a driver that relies on a password stored in plaintext.
CVE-2007-0681Web app allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions.
CVE-2000-0944Web application password change utility doesn't check the original password.
CVE-2005-3435product authentication succeeds if user-provided MD5 hash matches the hash in its database; this can be subjected to replay attacks.
CVE-2005-0408chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass.
References 2
24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, and John Viega
McGraw-Hill
2010
ID: REF-44
OT:ICEFALL: The legacy of "insecure by design" and its implications for certifications and risk management
Forescout Vedere Labs
20-06-2022
ID: REF-1283
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Technologies:
ICS/OT : Undetermined
Modes of Introduction
Architecture and Design
Implementation
Related Attack Patterns
- 50Path Equivalence: '//multiple/leading/slash'
- 102Struts: Duplicate Validation Forms
- 474Use of Function with Inconsistent Implementations
- 509Replicating Malicious Code (Virus or Worm)
- 551Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
- 555J2EE Misconfiguration: Plaintext Password in Configuration File
- 560Use of umask() with chmod-style Argument
- 561Dead Code
- 600Uncaught Exception in Servlet
- 644Improper Neutralization of HTTP Headers for Scripting Syntax
- 645Overly Restrictive Account Lockout Mechanism
- 652Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
- 653Improper Isolation or Compartmentalization
Related Weaknesses
ChildOf:
Weak Authentication (CWE-1390)
ChildOf:
Improper Authentication (CWE-287)
Taxonomy Mapping
- OWASP Top Ten 2007
- OWASP Top Ten 2004