C Sharp Api Use Hardcoded Password

Description

Detects hardcoded passwords used in HTTP client authentication headers in C# applications. Using hardcoded credentials in authentication headers poses a security risk as these credentials can be extracted from the application code, potentially leading to unauthorized API access.

Weakness:

142 - Sensitive information in source code - API Key

Category: Information Collection

Detection Strategy

• Check if the C# code imports required HTTP client libraries (System.Net.Http.Headers and System.Net.Http)

• Look for usage of AuthenticationHeaderValue class in HTTP client configurations

• Verify if the authentication header is configured with hardcoded credentials instead of dynamic/configured values

Vulnerable code example

using System.Net.Http;
using System.Net.Http.Headers;

public class ApiService
{
    private const string ApiKey = "1234-my-secret-api-key"; // Vulnerability: Hardcoded credential as constant
    
    public void ConnectToApi()...

✅ Secure code example

using System.Net.Http;
using System.Net.Http.Headers;
using Microsoft.Extensions.Configuration;

public class ApiService
{
    private readonly IConfiguration _configuration;
    private readonly HttpClient _client;...

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.