Variant weakness

Draft

CWE-259: Use of Hard-coded Password

The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.

157

Recorded CVEs

With this primary weakness

KEVs

In the CISA KEV catalog

High

Likelihood of exploit

Per MITRE

Variant

Abstraction

MITRE classification

Overview

There are two main variations of a hard-coded password: Inbound: the product contains an authentication mechanism that checks for a hard-coded password. Outbound: the product connects to another system or component, and it contains a hard-coded password for connecting to that component.

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following code uses a hard-coded password to connect to a database:

Attack input

plaintext

javap -c ConnMngr.class

This is an example of an external hard-coded password on the client-side of a connection. This code will run successfully, but anyone who has access to it will have access to the password. Once the program has shipped, there is no going back from the database user "scott" with a password of "tiger" unless the program is patched. A devious employee with access to this information can use it to break into the system. Even worse, if attackers have access to the bytecode for application, they can use the javap -c command to access the disassembled code, which will contain the values of the passwords used. The result of this operation might look something like the following for the example above:

The following code is an example of an internal hard-coded password in the back-end:

Vulnerable example

int VerifyAdmin(char *password) {

Vulnerable example

java

int VerifyAdmin(String password) {

Every instance of this program can be placed into diagnostic mode with the same password. Even worse is the fact that if this program is distributed as a binary-only distribution, it is very difficult to change that password or disable this "functionality."

The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext.

Vulnerable example

java

# Java Web App ResourceBundle properties file

In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.

Multiple vendors used hard-coded credentials in their OT products.

CWE-259: Use of Hard-coded Password

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Manual Analysis

Black Box

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-259?

What CVEs are caused by CWE-259?

Is CWE-259 part of the OWASP Top 10?

How do you prevent CWE-259?

How is CWE-259 detected?

What are the consequences of CWE-259?

Is CWE-259 actively exploited?

References

Stay ahead of CWE-259

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Manual Analysis

Black Box

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Peer

Related

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-259?

What CVEs are caused by CWE-259?

Is CWE-259 part of the OWASP Top 10?

How do you prevent CWE-259?

How is CWE-259 detected?

What are the consequences of CWE-259?

Is CWE-259 actively exploited?

References

Stay ahead of CWE-259