CWE-522: Insufficiently Protected Credentials

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

This code changes a user's password.

Vulnerable example

php

$user = $_GET['user'];

While the code confirms that the requesting user typed the same new password twice, it does not confirm that the user requesting the password change is the same user whose password will be changed. An attacker can request a change of another user's password and gain control of the victim's account.

The following code reads a password from a properties file and uses the password to connect to a database.

This code will run successfully, but anyone who has access to config.properties can read the value of password. If a devious employee has access to this information, they can use it to break into the system.

The following code reads a password from the registry and uses the password to create a new network credential.

This code will run successfully, but anyone who has access to the registry key used to store the password can read the value of password. If a devious employee has access to this information, they can use it to break into the system

Both of these examples verify a password by comparing it to a stored compressed version.

Vulnerable example

int VerifyAdmin(char *password) {

Vulnerable example

java

int VerifyAdmin(String password) {

Because a compression algorithm is used instead of a one way hashing algorithm, an attacker can recover compressed passwords stored in the database.

The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext.

CWE-522: Insufficiently Protected Credentials | RadicalNotion.AI

CWE-522: Insufficiently Protected Credentials

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-522?

What CVEs are caused by CWE-522?

Is CWE-522 part of the OWASP Top 10?

How do you prevent CWE-522?

How is CWE-522 detected?

What are the consequences of CWE-522?

Is CWE-522 actively exploited?

References

Stay ahead of CWE-522

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-522?

What CVEs are caused by CWE-522?

Is CWE-522 part of the OWASP Top 10?

How do you prevent CWE-522?

How is CWE-522 detected?

What are the consequences of CWE-522?

Is CWE-522 actively exploited?

References

Stay ahead of CWE-522