Credential storage in configuration files is findable using black box methods, but the use of hard-coded credentials for an incoming authentication routine typically involves an account that is not visible outside of the code.
CWE-798 Base Brouillon
Use of Hard-coded Credentials
This vulnerability occurs when software contains built-in, unchangeable authentication secrets like passwords or encryption keys within its source code or configuration files.
Définition
What is CWE-798?
This vulnerability occurs when software contains built-in, unchangeable authentication secrets like passwords or encryption keys within its source code or configuration files.
This flaw typically manifests in two primary scenarios. The first, often called 'inbound authentication,' involves the software checking user logins against a fixed, default set of credentials—like a universal admin account with a simple, embedded password that's identical across every installation. This password usually cannot be changed or disabled through normal administrative controls, requiring a code patch instead, and it can be extremely difficult for system owners to even detect its presence.
The second scenario, 'outbound authentication,' happens when an application (like a front-end service) needs to connect to another system (like a back-end database) and has the connection credentials permanently written into its code. Developers might hard-code these backend passwords for convenience, but this makes them easily discoverable by anyone who can access the application's code or binaries, exposing the connected system to unauthorized access.
Impact réel
Real-world CVEs caused by CWE-798
-
Condition Monitor firmware has a maintenance interface with hard-coded credentials
-
Engineering Workstation uses hard-coded cryptographic keys that could allow for unathorized filesystem access and privilege escalation
-
Distributed Control System (DCS) has hard-coded passwords for local shell access
-
Programmable Logic Controller (PLC) has a maintenance service that uses undocumented, hard-coded credentials
-
Firmware for a Safety Instrumented System (SIS) has hard-coded credentials for access to boot configuration
-
Remote Terminal Unit (RTU) uses a hard-coded SSH private key that is likely to be used in typical deployments
-
Telnet service for IoT feeder for dogs and cats has hard-coded password [REF-1288]
-
Firmware for a WiFi router uses a hard-coded password for a BusyBox shell, allowing bypass of authentication through the UART port
Comment les attaquants l'exploitent
Parcours de l'attaquant étape par étape
- 1
The following code uses a hard-coded password to connect to a database:
- 2
This is an example of an external hard-coded password on the client-side of a connection. This code will run successfully, but anyone who has access to it will have access to the password. Once the program has shipped, there is no going back from the database user "scott" with a password of "tiger" unless the program is patched. A devious employee with access to this information can use it to break into the system. Even worse, if attackers have access to the bytecode for application, they can use the javap -c command to access the disassembled code, which will contain the values of the passwords used. The result of this operation might look something like the following for the example above:
- 3
The following code is an example of an internal hard-coded password in the back-end:
- 4
Every instance of this program can be placed into diagnostic mode with the same password. Even worse is the fact that if this program is distributed as a binary-only distribution, it is very difficult to change that password or disable this "functionality."
- 5
The following code examples attempt to verify a password using a hard-coded cryptographic key.
Exemple de code vulnérable
Vulnerable Java
The following code uses a hard-coded password to connect to a database:
...
DriverManager.getConnection(url, "scott", "tiger");
... Charge utile de l'attaquant
This is an example of an external hard-coded password on the client-side of a connection. This code will run successfully, but anyone who has access to it will have access to the password. Once the program has shipped, there is no going back from the database user "scott" with a password of "tiger" unless the program is patched. A devious employee with access to this information can use it to break into the system. Even worse, if attackers have access to the bytecode for application, they can use the javap -c command to access the disassembled code, which will contain the values of the passwords used. The result of this operation might look something like the following for the example above:
javap -c ConnMngr.class
22: ldc #36; //String jdbc:mysql://ixne.com/rxsql
24: ldc #38; //String scott
26: ldc #17; //String tiger Exemple de code sécurisé
Secure pseudo
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
const safe = validateAndEscape(input);
return executeWithGuards(safe);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Liste de contrôle de prévention
How to prevent CWE-798
- Architecture and Design For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible [REF-7]. In Windows environments, the Encrypted File System (EFS) may provide some protection.
- Architecture and Design For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key.
- Architecture and Design If the product must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection.
- Architecture and Design For inbound authentication using passwords: apply strong one-way hashes to passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When handling an incoming password during authentication, take the hash of the password and compare it to the saved hash. Use randomly assigned salts for each separate hash that is generated. This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method.
- Architecture and Design For front-end to back-end connections: Three solutions are possible, although none are complete. - The first suggestion involves the use of generated passwords or keys that are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals. - Next, the passwords or keys should be limited at the back end to only performing actions valid for the front end, as opposed to having full access. - Finally, the messages sent should be tagged and checksummed with time sensitive values so as to prevent replay-style attacks.
Signaux de détection
How to detect CWE-798
Automated white box techniques have been published for detecting hard-coded credentials for incoming authentication, but there is some expert disagreement regarding their effectiveness and applicability to a broad range of methods.
This weakness may be detectable using manual code analysis. Unless authentication is decentralized and applied throughout the product, there can be sufficient time for the analyst to find incoming authentication routines and examine the program logic looking for usage of hard-coded credentials. Configuration files could also be analyzed.
For hard-coded credentials in incoming authentication: use monitoring tools that examine the product's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the product was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and perform a login. Using call trees or similar artifacts from the output, examine the associated behaviors and see if any of them appear to be comparing the input to a fixed string or value.
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies
Plexicus détecte automatiquement CWE-798 et ouvre une PR de correction en moins de 60 secondes.
Codex Remedium analyse chaque commit, identifie cette faiblesse précise et livre une pull request prête à être relue avec le correctif. Pas de tickets. Pas de transferts.
Questions fréquentes Qu'est-ce que CWE-798 ?
Quelle est la gravité de CWE-798 ?
Quels langages ou plateformes sont affectés par CWE-798 ?
Comment puis-je prévenir CWE-798 ?
Comment Plexicus détecte et corrige CWE-798 ?
Où puis-je en savoir plus sur CWE-798 ?
Frequently asked questions
Qu'est-ce que CWE-798 ?
This vulnerability occurs when software contains built-in, unchangeable authentication secrets like passwords or encryption keys within its source code or configuration files.
Quelle est la gravité de CWE-798 ?
MITRE évalue la probabilité d'exploitation comme Élevée — cette faiblesse est activement exploitée et doit être priorisée pour la remédiation.
Quels langages ou plateformes sont affectés par CWE-798 ?
MITRE lists the following affected platforms: Mobile, ICS/OT.
Comment puis-je prévenir CWE-798 ?
For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible [REF-7]. In Windows environments, the Encrypted File System (EFS) may provide some…
Comment Plexicus détecte et corrige CWE-798 ?
Le moteur SAST de Plexicus reconnaît la signature de flux de données de CWE-798 à chaque commit. Lorsqu'une correspondance est trouvée, notre agent Codex Remedium ouvre une PR de correction avec le code corrigé, les tests et un résumé d'une ligne pour le relecteur.
Où puis-je en savoir plus sur CWE-798 ?
MITRE publie la définition canonique à https://cwe.mitre.org/data/definitions/798.html. Vous pouvez également consulter la documentation OWASP et NIST pour des conseils adjacents.
Faiblesses associées
Weaknesses related to CWE-798
CWE-1391 Parent
Use of Weak Credentials
This vulnerability occurs when a system relies on weak authentication credentials—like default passwords, hard-coded keys, or easily…
CWE-1392 Frère
Use of Default Credentials
This vulnerability occurs when a system, device, or application relies on pre-configured, publicly known credentials like passwords or…
CWE-521 Frère
Weak Password Requirements
This vulnerability occurs when an application fails to enforce strong password policies, making user accounts easier to compromise through…
CWE-257 Pair
Storing Passwords in a Recoverable Format
This vulnerability occurs when an application stores user passwords in a format that can be easily reversed or decrypted back to their…
CWE-259 Enfant
Use of Hard-coded Password
This vulnerability occurs when an application embeds a password directly into its source code or configuration files. This hard-coded…
CWE-321 Enfant
Use of Hard-coded Cryptographic Key
This vulnerability occurs when an application embeds a fixed, unchangeable cryptographic key directly within its source code or…
Ressources
Further reading
- MITRE — CWE-798 officiel https://cwe.mitre.org/data/definitions/798.html
- Writing Secure Code https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223
- Top 25 Series - Rank 11 - Hardcoded Credentials https://www.sans.org/blog/top-25-series-rank-11-hardcoded-credentials/
- Mobile App Top 10 List https://www.veracode.com/blog/2010/12/mobile-app-top-10-list
- Automated Source Code Security Measure (ASCSM) http://www.omg.org/spec/ASCSM/1.0/
- OT:ICEFALL: The legacy of "insecure by design" and its implications for certifications and risk management https://www.forescout.com/resources/ot-icefall-report/
- Ethical hacking of a Smart Automatic Feed Dispenser http://kth.diva-portal.org/smash/get/diva2:1561552/FULLTEXT01.pdf
Prêt quand vous l'êtes
Arrêtez de payer par développeur.
Commencez à fermer la boucle.
Plexicus est l'ASPM natif IA qui scanne, filtre, corrige, penteste et explique — de façon autonome. Développeurs illimités, dépôts illimités, actions IA à usage équitable. Vrai niveau gratuit, €269/mo annuel quand vous êtes prêt.