Credential storage in configuration files is findable using black box methods, but the use of hard-coded credentials for an incoming authentication routine typically involves an account that is not visible outside of the code.
CWE-798 Base Borrador
Use of Hard-coded Credentials
This vulnerability occurs when software contains built-in, unchangeable authentication secrets like passwords or encryption keys within its source code or configuration files.
Definición
What is CWE-798?
This vulnerability occurs when software contains built-in, unchangeable authentication secrets like passwords or encryption keys within its source code or configuration files.
This flaw typically manifests in two primary scenarios. The first, often called 'inbound authentication,' involves the software checking user logins against a fixed, default set of credentials—like a universal admin account with a simple, embedded password that's identical across every installation. This password usually cannot be changed or disabled through normal administrative controls, requiring a code patch instead, and it can be extremely difficult for system owners to even detect its presence.
The second scenario, 'outbound authentication,' happens when an application (like a front-end service) needs to connect to another system (like a back-end database) and has the connection credentials permanently written into its code. Developers might hard-code these backend passwords for convenience, but this makes them easily discoverable by anyone who can access the application's code or binaries, exposing the connected system to unauthorized access.
Impacto en el mundo real
Real-world CVEs caused by CWE-798
-
Condition Monitor firmware has a maintenance interface with hard-coded credentials
-
Engineering Workstation uses hard-coded cryptographic keys that could allow for unathorized filesystem access and privilege escalation
-
Distributed Control System (DCS) has hard-coded passwords for local shell access
-
Programmable Logic Controller (PLC) has a maintenance service that uses undocumented, hard-coded credentials
-
Firmware for a Safety Instrumented System (SIS) has hard-coded credentials for access to boot configuration
-
Remote Terminal Unit (RTU) uses a hard-coded SSH private key that is likely to be used in typical deployments
-
Telnet service for IoT feeder for dogs and cats has hard-coded password [REF-1288]
-
Firmware for a WiFi router uses a hard-coded password for a BusyBox shell, allowing bypass of authentication through the UART port
Cómo lo explotan los atacantes
Ruta del atacante paso a paso
- 1
The following code uses a hard-coded password to connect to a database:
- 2
This is an example of an external hard-coded password on the client-side of a connection. This code will run successfully, but anyone who has access to it will have access to the password. Once the program has shipped, there is no going back from the database user "scott" with a password of "tiger" unless the program is patched. A devious employee with access to this information can use it to break into the system. Even worse, if attackers have access to the bytecode for application, they can use the javap -c command to access the disassembled code, which will contain the values of the passwords used. The result of this operation might look something like the following for the example above:
- 3
The following code is an example of an internal hard-coded password in the back-end:
- 4
Every instance of this program can be placed into diagnostic mode with the same password. Even worse is the fact that if this program is distributed as a binary-only distribution, it is very difficult to change that password or disable this "functionality."
- 5
The following code examples attempt to verify a password using a hard-coded cryptographic key.
Ejemplo de código vulnerable
Vulnerable Java
The following code uses a hard-coded password to connect to a database:
...
DriverManager.getConnection(url, "scott", "tiger");
... Payload del atacante
This is an example of an external hard-coded password on the client-side of a connection. This code will run successfully, but anyone who has access to it will have access to the password. Once the program has shipped, there is no going back from the database user "scott" with a password of "tiger" unless the program is patched. A devious employee with access to this information can use it to break into the system. Even worse, if attackers have access to the bytecode for application, they can use the javap -c command to access the disassembled code, which will contain the values of the passwords used. The result of this operation might look something like the following for the example above:
javap -c ConnMngr.class
22: ldc #36; //String jdbc:mysql://ixne.com/rxsql
24: ldc #38; //String scott
26: ldc #17; //String tiger Ejemplo de código seguro
Secure pseudo
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
const safe = validateAndEscape(input);
return executeWithGuards(safe);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de prevención
How to prevent CWE-798
- Architecture and Design For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible [REF-7]. In Windows environments, the Encrypted File System (EFS) may provide some protection.
- Architecture and Design For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key.
- Architecture and Design If the product must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection.
- Architecture and Design For inbound authentication using passwords: apply strong one-way hashes to passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When handling an incoming password during authentication, take the hash of the password and compare it to the saved hash. Use randomly assigned salts for each separate hash that is generated. This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method.
- Architecture and Design For front-end to back-end connections: Three solutions are possible, although none are complete. - The first suggestion involves the use of generated passwords or keys that are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals. - Next, the passwords or keys should be limited at the back end to only performing actions valid for the front end, as opposed to having full access. - Finally, the messages sent should be tagged and checksummed with time sensitive values so as to prevent replay-style attacks.
Señales de detección
How to detect CWE-798
Automated white box techniques have been published for detecting hard-coded credentials for incoming authentication, but there is some expert disagreement regarding their effectiveness and applicability to a broad range of methods.
This weakness may be detectable using manual code analysis. Unless authentication is decentralized and applied throughout the product, there can be sufficient time for the analyst to find incoming authentication routines and examine the program logic looking for usage of hard-coded credentials. Configuration files could also be analyzed.
For hard-coded credentials in incoming authentication: use monitoring tools that examine the product's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the product was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and perform a login. Using call trees or similar artifacts from the output, examine the associated behaviors and see if any of them appear to be comparing the input to a fixed string or value.
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies
Plexicus detecta automáticamente CWE-798 y abre un PR de corrección en menos de 60 segundos.
Codex Remedium escanea cada commit, identifica esta debilidad concreta y entrega un pull request listo para revisión con el parche. Sin tickets. Sin traspasos.
Preguntas frecuentes ¿Qué es CWE-798?
¿Qué gravedad tiene CWE-798?
¿Qué lenguajes o plataformas se ven afectados por CWE-798?
¿Cómo puedo prevenir CWE-798?
¿Cómo detecta y corrige Plexicus CWE-798?
¿Dónde puedo aprender más sobre CWE-798?
Frequently asked questions
¿Qué es CWE-798?
This vulnerability occurs when software contains built-in, unchangeable authentication secrets like passwords or encryption keys within its source code or configuration files.
¿Qué gravedad tiene CWE-798?
MITRE califica la probabilidad de explotación como Alta — esta debilidad se explota activamente en la práctica y debe priorizarse para su remediación.
¿Qué lenguajes o plataformas se ven afectados por CWE-798?
MITRE lists the following affected platforms: Mobile, ICS/OT.
¿Cómo puedo prevenir CWE-798?
For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible [REF-7]. In Windows environments, the Encrypted File System (EFS) may provide some…
¿Cómo detecta y corrige Plexicus CWE-798?
El motor SAST de Plexicus detecta la firma de flujo de datos para CWE-798 en cada commit. Cuando hay coincidencia, nuestro agente Codex Remedium abre un PR de corrección con el código corregido, las pruebas y un resumen de una línea para el revisor.
¿Dónde puedo aprender más sobre CWE-798?
MITRE publica la definición canónica en https://cwe.mitre.org/data/definitions/798.html. También puedes consultar la documentación de OWASP y NIST para guías relacionadas.
Debilidades relacionadas
Weaknesses related to CWE-798
CWE-1391 Padre
Use of Weak Credentials
This vulnerability occurs when a system relies on weak authentication credentials—like default passwords, hard-coded keys, or easily…
CWE-1392 Hermano
Use of Default Credentials
This vulnerability occurs when a system, device, or application relies on pre-configured, publicly known credentials like passwords or…
CWE-521 Hermano
Weak Password Requirements
This vulnerability occurs when an application fails to enforce strong password policies, making user accounts easier to compromise through…
CWE-257 Par
Storing Passwords in a Recoverable Format
This vulnerability occurs when an application stores user passwords in a format that can be easily reversed or decrypted back to their…
CWE-259 Hijo
Use of Hard-coded Password
This vulnerability occurs when an application embeds a password directly into its source code or configuration files. This hard-coded…
CWE-321 Hijo
Use of Hard-coded Cryptographic Key
This vulnerability occurs when an application embeds a fixed, unchangeable cryptographic key directly within its source code or…
Recursos
Further reading
- MITRE — CWE-798 oficial https://cwe.mitre.org/data/definitions/798.html
- Writing Secure Code https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223
- Top 25 Series - Rank 11 - Hardcoded Credentials https://www.sans.org/blog/top-25-series-rank-11-hardcoded-credentials/
- Mobile App Top 10 List https://www.veracode.com/blog/2010/12/mobile-app-top-10-list
- Automated Source Code Security Measure (ASCSM) http://www.omg.org/spec/ASCSM/1.0/
- OT:ICEFALL: The legacy of "insecure by design" and its implications for certifications and risk management https://www.forescout.com/resources/ot-icefall-report/
- Ethical hacking of a Smart Automatic Feed Dispenser http://kth.diva-portal.org/smash/get/diva2:1561552/FULLTEXT01.pdf
Listo cuando tú lo estés
Deja de pagar por desarrollador.
Empieza a cerrar el bucle.
Plexicus es el ASPM nativo de IA que escanea, filtra, corrige, pentestea y explica — de forma autónoma. Desarrolladores ilimitados, repos ilimitados, acciones de IA de uso justo. Nivel gratuito real, €269/mo anual cuando estés listo.