CWE-540 Base Incomplete

Inclusion of Sensitive Information in Source Code

This vulnerability occurs when sensitive information like passwords, API keys, or internal logic is exposed within source code that remains accessible on a web server or in a public repository.

Definition

What is CWE-540?

This vulnerability occurs when sensitive information like passwords, API keys, or internal logic is exposed within source code that remains accessible on a web server or in a public repository.

Leaving source code containing sensitive data on a live server creates a major security risk. Attackers can directly access these files to harvest credentials, encryption keys, or understand application logic, bypassing the intended security controls of the compiled or executed application. For example, if an attacker retrieves a Perl, Python, or PHP script's source, they can analyze it for bugs, hardcoded database logins, or business logic flaws. This information dramatically simplifies launching further attacks, as it provides a blueprint of the application's weaknesses and secret mechanisms.

Auswirkungen in der Praxis

Real-world CVEs caused by CWE-540

CVE-2022-25512

Server for Team Awareness Kit (TAK) application includes sensitive tokens in the JavaScript source code.
CVE-2022-24867

The LDAP password might be visible in the html code of a rendered page in an IT Asset Management tool.
CVE-2007-6197

Version numbers and internal hostnames leaked in HTML comments.

Wie Angreifer es ausnutzen

Angreiferpfad Schritt für Schritt

1
The following code uses an include file to store database credentials:
2
database.inc
3
login.php
4
If the server does not have an explicit handler set for .inc files it may send the contents of database.inc to an attacker without pre-processing, if the attacker requests the file directly. This will expose the database name and password.
5
The following comment, embedded in a JSP, will be displayed in the resulting HTML output.

Verwundbares Codebeispiel

Vulnerable PHP

database.inc

Verwundbar PHP

<?php
  $dbName = 'usersDB';
  $dbPassword = 'skjdh#67nkjd3$3$';
  ?>

Sicheres Codebeispiel

Secure pseudo

Sicher pseudo

// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}

What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.

Präventions-Checkliste

How to prevent CWE-540

Architecture and Design / System Configuration Recommendations include removing this script from the web server and moving it to a location not accessible from the Internet.

Erkennungssignale

How to detect CWE-540

SAST High

Führe statische Analyse (SAST) auf der Codebasis aus und suche im Datenfluss nach dem unsicheren Muster.

DAST Moderate

Führe dynamische Application-Security-Tests gegen den Live-Endpoint aus.

Runtime Moderate

Beobachte Runtime-Logs auf ungewöhnliche Exception-Traces, fehlerhafte Eingaben oder Versuche, Autorisierung zu umgehen.

Code review Moderate

Code Review: Markiere jeden neuen Code, der Eingaben von dieser Oberfläche ohne validierte Framework-Helper verarbeitet.

Plexicus Auto-Fix

Plexicus erkennt CWE-540 automatisch und öffnet in unter 60 Sekunden einen Fix-PR.

Codex Remedium scannt jeden Commit, identifiziert genau diese Schwachstelle und liefert einen reviewer-ready Pull Request mit dem Patch. Keine Tickets. Keine Hand-offs.

Demo anfordern Plexicus kostenlos testen

Häufig gestellte Fragen

Frequently asked questions

Was ist CWE-540?

This vulnerability occurs when sensitive information like passwords, API keys, or internal logic is exposed within source code that remains accessible on a web server or in a public repository.

Wie gravierend ist CWE-540?

MITRE hat für diese Schwachstelle keine Exploit-Wahrscheinlichkeit veröffentlicht. Behandle sie als mittlere Auswirkung, bis dein Threat Model anderes belegt.

Welche Sprachen oder Plattformen sind von CWE-540 betroffen?

MITRE hat für diese CWE keine betroffenen Plattformen spezifiziert — sie kann in den meisten Anwendungs-Stacks auftreten.

Wie kann ich CWE-540 verhindern?

Recommendations include removing this script from the web server and moving it to a location not accessible from the Internet.

Wie erkennt und behebt Plexicus CWE-540?

Die SAST-Engine von Plexicus erkennt die Datenfluss-Signatur von CWE-540 bei jedem Commit. Bei einem Treffer öffnet unser Codex-Remedium-Agent einen Fix-PR mit korrigiertem Code, Tests und einer einzeiligen Zusammenfassung für den Reviewer.

Wo erfahre ich mehr über CWE-540?

MITRE veröffentlicht die kanonische Definition unter https://cwe.mitre.org/data/definitions/540.html. Für ergänzende Hinweise kannst du auch die OWASP- und NIST-Dokumentation heranziehen.

Verwandte Schwachstellen

Weaknesses related to CWE-540

CWE-538 Parent

Insertion of Sensitive Information into Externally-Accessible File or Directory

This vulnerability occurs when an application unintentionally stores confidential data—like passwords, API keys, or personal user…

CWE-532 Sibling

Insertion of Sensitive Information into Log File

This vulnerability occurs when an application unintentionally writes confidential data, such as passwords or API keys, into its log files.

CWE-651 Sibling

Exposure of WSDL File Containing Sensitive Information

This vulnerability occurs when a Web Service Definition Language (WSDL) file, which acts as a public blueprint for a web service, is…

CWE-531 Child

Inclusion of Sensitive Information in Test Code

This vulnerability occurs when sensitive data, such as credentials, API keys, or internal logic, is embedded within test code or debugging…

CWE-541 Child

Inclusion of Sensitive Information in an Include File

This vulnerability occurs when sensitive data like passwords or system details is placed inside a publicly accessible include file.…

CWE-615 Child