Fluid Attacks Database

Description

Detects hardcoded passwords within Gradle credentials blocks, which poses a security risk by exposing sensitive authentication information in build configuration files. Embedding plaintext passwords in source code or build files can lead to unauthorized access if the code is exposed.

Weakness:

359 - Sensitive information in source code - Credentials

Category: Information Collection

Detection Strategy

• Scan Gradle files (*.gradle) for credential configuration blocks

• Check if the credential block contains a 'username' property

• Look for password values that are hardcoded strings rather than variables or external references

• Report a vulnerability if both conditions are met - credentials block with username and hardcoded password value

Vulnerable code example

repositories {
    maven {
        name = "MavenRepo"
        url = "https://maven.example.org"
        password "secret123"  // Security risk: Hardcoded credential exposed in source code
    }
}

✅ Secure code example

repositories {
    maven {
        name = "MavenRepo"
        url = "https://maven.example.org"
        credentials {
            // Securely load credentials from properties or env vars
            username findProperty('maven.user') ?: System.getenv('MAVEN_USER')
            password findProperty('maven.password') ?: System.getenv('MAVEN_PASSWORD')...

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.