Inclusion of Sensitive Information in Source Code

Status: Incomplete
Abstraction: Base
Structure: Simple
Description

This vulnerability occurs when sensitive information like passwords, API keys, or internal logic is exposed within source code that remains accessible on a web server or in a public repository.

Extended Description

Leaving source code containing sensitive data on a live server creates a major security risk. Attackers can directly access these files to harvest credentials, encryption keys, or understand application logic, bypassing the intended security controls of the compiled or executed application. For example, if an attacker retrieves a Perl, Python, or PHP script's source, they can analyze it for bugs, hardcoded database logins, or business logic flaws. This information dramatically simplifies launching further attacks, as it provides a blueprint of the application's weaknesses and secret mechanisms.

Common Consequences
Scope: Confidentiality

Impact: Read Application Data

Potential Mitigations
Phase: Architecture and Design; System Configuration
Recommendations include removing this script from the web server and moving it to a location not accessible from the Internet.
Demonstrative Examples

ID: DX-104

The following code uses an include file to store database credentials:

database.inc (Bad Code Example, PHP):

login.php (Bad Code Example, PHP):
If the server does not have an explicit handler set for .inc files it may send the contents of database.inc to an attacker without pre-processing, if the attacker requests the file directly. This will expose the database name and password.
The following comment, embedded in a JSP, will be displayed in the resulting HTML output.

Bad Code Example (JSP):
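Both demonstrative examples describe output a server emits verbatim: an include file it has no handler for, and an HTML comment that survives template rendering. The scanner below, an added example rather than code from this CWE entry, walks a document root and flags the three conditions those examples describe: files with extensions a server typically returns as plain text (the .inc case), string literals assigned to credential-looking names, and HTML comments that mention internals. The extension list, the regular expressions and the files built in `demo()` are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Extensions a server commonly returns verbatim unless a handler is set:
# the .inc case above plus backup/editor leftovers (assumed list).
RAW_SERVED_EXTENSIONS = {".inc", ".bak", ".old", ".orig", ".swp", ".sql"}
# A string literal assigned to a credential-looking name ($dbPassword = '...').
CREDENTIAL_RE = re.compile(
    r"(?i)(\w*(?:pass(?:word|wd)?|secret|api[_-]?key|token)\w*)"
    r"\s*[:=]\s*['\"][^'\"]{4,}['\"]")
# HTML comments reach the browser (JSP <%-- --%> comments do not), so flag
# any that mention internals.
HTML_COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
LEAKY_WORDS_RE = re.compile(r"(?i)password|passwd|host(?:name)?|version|internal|todo|fixme")

def audit_webroot(root):
    """Return a sorted list of (relative_path, finding) tuples."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.splitext(name)[1].lower() in RAW_SERVED_EXTENSIONS:
                findings.append((rel, "raw-served-extension"))
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            for m in CREDENTIAL_RE.finditer(text):
                findings.append((rel, "hardcoded-credential:" + m.group(1)))
            for m in HTML_COMMENT_RE.finditer(text):
                if LEAKY_WORDS_RE.search(m.group(1)):
                    findings.append((rel, "html-comment-leak"))
    return sorted(findings)

def demo():
    """Audit a constructed document root; every value in it is made up."""
    root = tempfile.mkdtemp()
    files = {
        "database.inc": "<?php\n$dbName = 'users';\n$dbPassword = 'EXAMPLE-NOT-REAL';\n?>\n",
        "login.jsp": "<!-- FIXME: db host is db1.internal, see database.inc -->\n<html></html>\n",
        "index.php": "<?php include('database.inc'); echo 'ok'; ?>\n",
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return audit_webroot(root)
```

Running `demo()` reports database.inc twice (served raw, and holding a hardcoded password) and login.jsp once for its HTML comment, while index.php, which only includes the file, is clean; the same `audit_webroot()` call works on a real document root.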
Observed Examples

CVE-2022-25512: Server for Team Awareness Kit (TAK) application includes sensitive tokens in the JavaScript source code.
CVE-2022-24867: The LDAP password might be visible in the HTML code of a rendered page in an IT Asset Management tool.
CVE-2007-6197: Version numbers and internal hostnames leaked in HTML comments.
Modes of Introduction

Phase: Implementation