Javascript Hardcoded Db Password
Description
Detects hardcoded database passwords in JavaScript source code. This represents a security risk since credentials embedded directly in code can be exposed through source code access and may be committed to version control systems. These credentials could be used by attackers to gain unauthorized database access.
Detection Strategy
• Scans JavaScript files for database configuration or connection objects
• Identifies string literals assigned to password-related properties or variables
• Looks for hardcoded credentials in database connection strings or configuration objects
• Checks database client initialization code for embedded passwords
• Reports instances where passwords are directly written in the source code instead of being loaded from environment variables or secure configuration
Vulnerable code example
const Sequelize = require('sequelize')
// Vulnerable: Hardcoded database credentials exposed in source code
const sequelize = new Sequelize('database', 'username', 'password', {
dialect: 'sqlite'
})✅ Secure code example
const Sequelize = require('sequelize')
// Safe: Load credentials from environment variables
const sequelize = new Sequelize(
process.env.DB_NAME,
process.env.DB_USER,
process.env.DB_PASSWORD,
{...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.