Java Use Of Hardcoded Password

Description

Detects when hardcoded passwords are used to configure HikariDataSource database connections in Java applications. This is a security risk because credentials embedded in source code can be discovered by anyone with access to the code and cannot be rotated without modifying and redeploying the application.

Weakness:

009 - Sensitive information in source code

Category: Information Collection

Detection Strategy

    Checks if the HikariDataSource library is imported in the Java source code

    Identifies calls to setPassword() method on HikariDataSource objects

    Verifies whether the password argument is a hardcoded value (such as a string literal, directly or via a variable assigned a literal) rather than a value read from configuration or an environment variable

    Reports a vulnerability when a HikariDataSource password is set using a hardcoded value

Vulnerable code example

import com.zaxxer.hikari.HikariDataSource;

public class DatabaseConfig {
    public void configureDatabase() {
        HikariDataSource ds = new HikariDataSource();
        ds.setPassword("SecretPass123!"); // Vulnerable: Hardcoded credential directly in code

        String dbPass = "AnotherSecret456!"; // Vulnerable: Hardcoded credential in string variable
        ds.setPassword(dbPass);             // The literal still ends up as the connection password
    }
}

✅ Secure code example

import com.zaxxer.hikari.HikariDataSource;

public class DatabaseConfig {
    public void configureDatabase() {
        HikariDataSource ds = new HikariDataSource();

        // Get password from environment variable instead of hardcoding
        String dbPass = System.getenv("DB_PASSWORD");
        ds.setPassword(dbPass); // Secure: the secret is supplied at runtime, not stored in source
    }
}
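The Detection Strategy above can be exercised with a small checker. The following script is an added example, not part of the rule's own implementation: it applies the four steps (HikariDataSource import, setPassword() call, literal-or-literal-bound argument, report) to constructed copies of the two examples on this page. The regexes and the file-scope variable tracking are simplifying assumptions, not how the real scanner parses Java.

```python
import re

# Step 1: rule applies only when HikariDataSource is imported
HIKARI_IMPORT = re.compile(r"^\s*import\s+com\.zaxxer\.hikari\.HikariDataSource\s*;", re.M)
# Step 2: any setPassword(<argument>) call
SET_PASSWORD = re.compile(r"\bsetPassword\s*\(\s*([^)]*?)\s*\)")
# Step 3a: argument is a Java string literal (handles escaped quotes)
STRING_LITERAL = re.compile(r'^"(?:[^"\\]|\\.)*"$')
# Step 3b: a String variable initialised from a literal, e.g. String dbPass = "...";
# Assumption: file-scope lookup, no real scope analysis (constructed simplification)
LITERAL_ASSIGN = re.compile(r'\bString\s+(\w+)\s*=\s*("(?:[^"\\]|\\.)*")\s*;')


def find_hardcoded_hikari_passwords(java_source):
    """Return [(line_number, argument_text)] for setPassword() calls whose
    argument is a string literal or a variable bound to a string literal."""
    if not HIKARI_IMPORT.search(java_source):
        return []  # not a HikariDataSource configuration; rule does not apply
    literal_vars = dict(LITERAL_ASSIGN.findall(java_source))
    findings = []
    for lineno, line in enumerate(java_source.splitlines(), start=1):
        for arg in SET_PASSWORD.findall(line):
            if STRING_LITERAL.match(arg) or arg in literal_vars:
                findings.append((lineno, arg))  # Step 4: report
    return findings


# Constructed samples mirroring the vulnerable and secure examples on this page
VULNERABLE = """import com.zaxxer.hikari.HikariDataSource;

public class DatabaseConfig {
    public void configureDatabase() {
        HikariDataSource ds = new HikariDataSource();
        ds.setPassword("SecretPass123!");
        String dbPass = "AnotherSecret456!";
        ds.setPassword(dbPass);
    }
}
"""

SECURE = """import com.zaxxer.hikari.HikariDataSource;

public class DatabaseConfig {
    public void configureDatabase() {
        HikariDataSource ds = new HikariDataSource();
        String dbPass = System.getenv("DB_PASSWORD");
        ds.setPassword(dbPass);
    }
}
"""

if __name__ == "__main__":
    print(find_hardcoded_hikari_passwords(VULNERABLE))  # [(6, '"SecretPass123!"'), (8, 'dbPass')]
    print(find_hardcoded_hikari_passwords(SECURE))      # []
```

Because variable tracking is file-wide, a variable re-assigned from a literal elsewhere in the same file is reported too; a real scanner resolves the assignment that actually reaches the call.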