Executar análise estática (SAST) na base de código à procura do padrão inseguro no fluxo de dados.
CWE-258 Variante Incompleto
Empty Password in Configuration File
This vulnerability occurs when a configuration file, script, or application uses an empty string as a password, effectively disabling authentication for a service or account.
Definição
What is CWE-258?
This vulnerability occurs when a configuration file, script, or application uses an empty string as a password, effectively disabling authentication for a service or account.
Using a blank password is a critical security misconfiguration that leaves systems wide open to attack. It bypasses the fundamental purpose of authentication, allowing anyone with network or local access to log in without needing to guess or crack a password. This is often the result of oversight during deployment, automated scripting errors, or reliance on default configurations that are never properly secured.
To prevent this, developers and system administrators must enforce policies that reject empty passwords during configuration and setup. Automated security scanning tools should flag empty credential fields, and all deployment processes must include a verification step to ensure strong, unique passwords are set for all accounts and services before they go into production.
Impacto no mundo real
Real-world CVEs caused by CWE-258
-
Network access control (NAC) product has a configuration file with an empty password
Como os atacantes a exploram
Trajeto do atacante passo a passo
- 1
The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but the password is provided as an empty string.
- 2
This Java example shows a properties file with an empty password string.
- 3
The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database and the password is provided as an empty string.
- 4
An empty string should never be used as a password as this can allow unauthorized access to the application. Username and password information should not be included in a configuration file or a properties file in clear text. If possible, encrypt this information and avoid CWE-260 and CWE-13.
Exemplo de código vulnerável
Vulnerable Java
This Java example shows a properties file with an empty password string.
```
# Java Web App ResourceBundle properties file*
...
webapp.ldap.username=secretUsername
webapp.ldap.password=
... Exemplo de código seguro
Secure pseudo
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
const safe = validateAndEscape(input);
return executeWithGuards(safe);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de verificação de prevenção
How to prevent CWE-258
- System Configuration Passwords should be at least eight characters long -- the longer the better. Avoid passwords that are in any way similar to other passwords you have. Avoid using words that may be found in a dictionary, names book, on a map, etc. Consider incorporating numbers and/or punctuation into your password. If you do use common words, consider replacing letters in that word with numbers and punctuation. However, do not use "similar-looking" punctuation. For example, it is not a good idea to change cat to c@t, ca+, (@+, or anything similar. Finally, it is never appropriate to use an empty string as a password.
Sinais de deteção
How to detect CWE-258
Executar testes dinâmicos de segurança de aplicações (DAST) contra o endpoint em execução.
Monitorizar os registos em tempo de execução para traços de exceção invulgares, input malformado ou tentativas de contornar a autorização.
Revisão de código: sinalizar qualquer novo código que trate input desta superfície sem usar os ajudantes validados do framework.
O Plexicus deteta automaticamente o CWE-258 e abre um PR de correção em menos de 60 segundos.
O Codex Remedium analisa cada commit, identifica esta fraqueza exata e entrega um pull request pronto para revisão com o patch. Sem tickets. Sem transferências.
Perguntas frequentes O que é o CWE-258?
Qual a gravidade do CWE-258?
Que linguagens ou plataformas são afetadas pelo CWE-258?
Como posso prevenir o CWE-258?
Como é que o Plexicus deteta e corrige o CWE-258?
Onde posso saber mais sobre o CWE-258?
Frequently asked questions
O que é o CWE-258?
This vulnerability occurs when a configuration file, script, or application uses an empty string as a password, effectively disabling authentication for a service or account.
Qual a gravidade do CWE-258?
A MITRE classifica a probabilidade de exploração como Alta — esta fraqueza é ativamente explorada em campo e deve ser priorizada para remediação.
Que linguagens ou plataformas são afetadas pelo CWE-258?
A MITRE não especificou as plataformas afetadas por este CWE — pode aplicar-se à maioria das stacks de aplicações.
Como posso prevenir o CWE-258?
Passwords should be at least eight characters long -- the longer the better. Avoid passwords that are in any way similar to other passwords you have. Avoid using words that may be found in a dictionary, names book, on a map, etc. Consider incorporating numbers and/or punctuation into your password. If you do use common words, consider replacing letters in that word with numbers and punctuation. However, do not use "similar-looking" punctuation. For example, it is not a good idea to change cat…
Como é que o Plexicus deteta e corrige o CWE-258?
O motor SAST do Plexicus correlaciona a assinatura de fluxo de dados do CWE-258 em cada commit. Quando é encontrada uma correspondência, o nosso agente Codex Remedium abre um PR de correção com o código corrigido, testes e um resumo de uma linha para o revisor.
Onde posso saber mais sobre o CWE-258?
A MITRE publica a definição canónica em https://cwe.mitre.org/data/definitions/258.html. Pode também consultar a documentação da OWASP e do NIST para orientações adjacentes.
Fraquezas relacionadas
Weaknesses related to CWE-258
CWE-260 Pai
Password in Configuration File
This vulnerability occurs when an application stores sensitive passwords directly within a configuration file, making them easily readable…
CWE-13 Irmão
ASP.NET Misconfiguration: Password in Configuration File
This vulnerability occurs when an ASP.NET application stores passwords or other sensitive credentials in plaintext within configuration…
CWE-555 Irmão
J2EE Misconfiguration: Plaintext Password in Configuration File
A J2EE application insecurely stores an unprotected password within a configuration file.
Recursos
Further reading
- MITRE — CWE-258 oficial https://cwe.mitre.org/data/definitions/258.html
- Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf
Pronto quando você estiver
Pare de pagar por desenvolvedor.
Comece a fechar o ciclo.
O Plexicus é o ASPM nativo de IA que verifica, filtra, corrige, pentesta e explica — de forma autónoma. Programadores ilimitados, repos ilimitados, ações de IA de utilização justa. Nível gratuito real, €269/mo anual quando estiver pronto.