#SecurityExplained S-89: CWE Top 25: CWE-522: Insufficiently Protected Credentials
The product transfers or saves authentication credentials, but it does so improperly that it can be intercepted or retrieved by unauthorized individuals.
1/n
The product transfers or saves authentication credentials, but it does so improperly that it can be intercepted or retrieved by unauthorized individuals.
1/n
2/n
This flaw relates to an architectural security approach that has been misdesigned. Another form of credential attack uses flaws in how passwords are encoded, saved, and handled by a web application, network, or software system.
This flaw relates to an architectural security approach that has been misdesigned. Another form of credential attack uses flaws in how passwords are encoded, saved, and handled by a web application, network, or software system.
3/n
Risky development practices, such as storing passwords in insecure locations, storing credentials in plaintext, storing user passwords using poor or reproducible cryptographic techniques, or using hard-coded credentials, generate vulnerabilities....
Risky development practices, such as storing passwords in insecure locations, storing credentials in plaintext, storing user passwords using poor or reproducible cryptographic techniques, or using hard-coded credentials, generate vulnerabilities....
4/n
...that can be exploited to recover clients' credentials which can then be used to attack applications and other apps the user logs into.
# Example
The code below reads a password from a properties file and connects to a database using that password.
Example Language: Java
...that can be exploited to recover clients' credentials which can then be used to attack applications and other apps the user logs into.
# Example
The code below reads a password from a properties file and connects to a database using that password.
Example Language: Java
5/n
This code will run, but anyone with access to config(.)properties will be able to read the password value. If a malicious employee has access to this data, they can use it to hack the system.
This code will run, but anyone with access to config(.)properties will be able to read the password value. If a malicious employee has access to this data, they can use it to hack the system.
6/n
# Potential Impact:
An attacker could access user accounts and sensitive data stored within them.
# Mitigation:
To secure the credentials, use an appropriate security mechanism.
# Potential Impact:
An attacker could access user accounts and sensitive data stored within them.
# Mitigation:
To secure the credentials, use an appropriate security mechanism.
7/n
Creating a firm password policy in your organization, such as prohibiting the use of passwords found in recent data breaches or well-known weak passwords, or encouraging the use of long, randomly generated passwords in conjunction with password managers, to improve security.
Creating a firm password policy in your organization, such as prohibiting the use of passwords found in recent data breaches or well-known weak passwords, or encouraging the use of long, randomly generated passwords in conjunction with password managers, to improve security.
n/n
• To protect the credentials, make proper use of cryptography.
• To secure credentials, follow industry best practices (e.g. LDAP, Keystore, etc.)
• To protect the credentials, make proper use of cryptography.
• To secure credentials, follow industry best practices (e.g. LDAP, Keystore, etc.)
• • •
Missing some Tweet in this thread? You can try to
force a refresh
