CWE Glossary

CWE is a trademark of the MITRE Corporation.


Use of Hard-coded Credentials [CWE-798]

The weakness describes a case where hardcoded access credentials are stored within application code.

Created: June 11, 2018

Table of Contents

  1. Description
  2. Potential impact
  3. Attack patterns
  4. Affected software
  5. Severity and CVSS Scoring
  6. Mitigations
  7. References

1. Description

This vulnerability is often referred to as a “backdoor”. The weakness exists when authentication credentials that cannot be changed are present in the code, e.g. hardcoded passwords, cryptographic keys, tokens, etc.

In web applications there are two main variations of hardcoded credential usage: credentials used to access the web application itself (inbound access) and credentials the application uses to access back-end systems (outbound access).

The first variation creates a huge risk of web application compromise if the attacker is able to recover the access credentials (e.g. by gaining access to the web application source code or by brute-forcing them). This technique is often used by malware writers to gain persistence.

A good example of such a vulnerability is CVE-2017-14143. Kaltura server before 13.2.0 contained code that granted access to the web application to any user presenting a pre-set "userzone" cookie equal to "y3tAno3therS$cr3T".

The presence of hardcoded credentials for outbound access is unfortunately common practice in a variety of web applications. For example, every modern content management system uses a database to store information. Access to the database is usually protected by a login/password pair stored in clear text in some configuration file. If the attacker is able to obtain those credentials and the database server is not properly secured, the attacker can use them to access the application’s database and compromise the web application.
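As an added example (not part of this glossary entry), the following Python script shows how both variations can be detected in source code with simple pattern matching: an assignment of a string literal to a name that looks like a credential (outbound), and a comparison of a request-supplied value against a string literal (inbound). The sample source it scans is constructed for the example, the patterns and identifiers are the author's assumptions, and a real review should treat the results as leads for manual confirmation rather than as proof.

```python
import re

# Constructed sample source (not taken from any real project) containing both
# variations discussed above: an inbound "backdoor" that compares a request
# value to a literal, and an outbound database credential stored as a literal.
SAMPLE_SOURCE = """\
import os
DB_HOST = os.environ.get("DB_HOST", "localhost")
DB_USER = "cms_admin"
DB_PASSWORD = "Tr0ub4dor&3"
api_token = 'sk_live_EXAMPLE_PLACEHOLDER_0000'
def is_admin(request):
    if request.cookies.get("userzone") == "s3cretBackdoorValue":
        return True
    return request.session.get("role") == "admin"
password = os.environ["APP_PASSWORD"]
"""

# Each pattern names the variation it detects. A quoted literal of at least six
# characters is required, which keeps empty defaults and short enum-like
# constants out of the results.
PATTERNS = [
    ("outbound: credential assigned a string literal",
     re.compile(r"""(?i)\b(?P<name>\w*(?:password|passwd|pwd|secret|token|api_?key)\w*)"""
                r"""\s*=\s*(?P<q>['"])(?P<value>[^'"]{6,})(?P=q)""")),
    ("inbound: request value compared to a string literal",
     re.compile(r"""(?i)\b(?P<name>(?:cookies|headers|args|params|form)\.get\([^)]*\))"""
                r"""\s*==\s*(?P<q>['"])(?P<value>[^'"]{6,})(?P=q)""")),
]


def scan_source(text):
    """Return one (line_number, variation, name, literal) tuple per suspected
    hardcoded credential. Lines that read the value from the environment or a
    secret store do not match because no string literal follows the '='."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append((lineno, label, match.group("name"), match.group("value")))
    return findings


def redact(value):
    """Mask a literal for reporting so the scanner's own output does not leak it."""
    return value[:2] + "*" * (len(value) - 2)


def report(text):
    """Human-readable report lines with the literal masked."""
    return [f"line {n}: {label} ({name} = {redact(value)})"
            for n, label, name, value in scan_source(text)]


if __name__ == "__main__":
    for line in report(SAMPLE_SOURCE):
        print(line)
```

Running the block prints a masked report; the literals are redacted so the scanner's output does not become another place where the credential is written down. Regular expressions like these miss credentials that are split across lines or assembled at runtime, so they should be paired with entropy-based secret scanners and a review of configuration files checked into the repository.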

2. Potential impact

The weakness allows a remote attacker to gain unauthorized access to the web application. Usually this means that the web application is fully compromised.

3. Attack patterns

The Use of Hard-coded Credentials weakness is associated with the following CAPEC patterns:

4. Affected software

Any software that has a management interface or scripting capabilities is susceptible to this issue.

5. Severity and CVSS Scoring

Hardcoded credentials pose a severe threat if they allow unauthorized access to the application. Therefore, this vulnerability should be scored as critical in most cases:
10.0 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H]

6. Mitigations

Immediate action is required if hardcoded credentials that allow remote unauthorized access to the website are detected in your web application. For applications where source code changes are hard or impossible to implement (e.g. the credentials are compiled into a .dll file of an ASP.NET application), it is recommended to deny access to the affected URLs or scripts.

It is also possible to configure your Web Application Firewall (WAF) to deny access to the website when the hardcoded credentials are passed to the application in a request. Below is an example of a ModSecurity rule that will block the request if the "backdoorPassword" string is spotted in the URL, the arguments or the request body:

# The "id" action is mandatory in ModSecurity 2.7 and later; the value below is a placeholder
# in the local (1-99,999) range, so pick one that is unused in your configuration.
# Inspecting REQUEST_BODY requires SecRequestBodyAccess On.
SecRule REQUEST_URI|ARGS|REQUEST_BODY "backdoorPassword" "id:1001,phase:2,log,deny,msg:'Access Denied'"

7. References

  1. CWE-798: Use of Hard-coded Credentials [cwe.mitre.org]

Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to High-Tech Bridge is given.
