CWE-256: Plaintext Storage of a Password

CWE-256: Plaintext Storage of a Password | RadicalNotion.AI

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following code reads a password from a properties file and uses the password to connect to a database.

This code will run successfully, but anyone who has access to config.properties can read the value of password. If a devious employee has access to this information, they can use it to break into the system.

The following code reads a password from the registry and uses the password to create a new network credential.

This code will run successfully, but anyone who has access to the registry key used to store the password can read the value of password. If a devious employee has access to this information, they can use it to break into the system

The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext.

Vulnerable example

java

# Java Web App ResourceBundle properties file

In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.

At least one OT product stored a password in plaintext.

CWE-256: Plaintext Storage of a Password

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-256?

What CVEs are caused by CWE-256?

How do you prevent CWE-256?

How is CWE-256 detected?

What are the consequences of CWE-256?

Is CWE-256 actively exploited?

References

Stay ahead of CWE-256

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-256?

What CVEs are caused by CWE-256?

How do you prevent CWE-256?

How is CWE-256 detected?

What are the consequences of CWE-256?

Is CWE-256 actively exploited?

References

Stay ahead of CWE-256