Java Hardcoded Keystore Truststore Password
Description
Detects hardcoded passwords used in Java System.setProperty() calls for keystore and truststore configurations. Storing sensitive credentials as hardcoded values in source code is a security risk as they can be extracted and used to compromise the application's security.
Detection Strategy
• Look for calls to System.setProperty() in Java code
• Check if the property name argument relates to keystore or truststore passwords (e.g. javax.net.ssl.keyStorePassword, javax.net.ssl.trustStorePassword)
• Verify if the password value is hardcoded rather than retrieved from a secure configuration source
• Flag any instances where sensitive password properties are set with literal string values
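The four steps above, implemented as a small source scanner. This is an added example and not Fluid Attacks' own detection code; the regular expressions, the constant-resolution pass and the sample Java class are assumptions made for the illustration. It goes slightly beyond the bullet list in that it also reports a password that is hidden behind a `final String` constant in the same file, and it blanks out comments first so commented-out calls are not reported.

```python
import re

# Property names whose values are keystore/truststore passwords (the ones the rule names).
SENSITIVE_PROPERTIES = {
    "javax.net.ssl.keyStorePassword",
    "javax.net.ssl.trustStorePassword",
}

# A Java string literal, escapes included.
STRING_LITERAL = r'"(?:[^"\\]|\\.)*"'
STRING_LITERAL_RE = re.compile(r"^" + STRING_LITERAL + r"$")

# String literals, line comments and block comments; the callback in _strip_comments
# keeps the literals and blanks the comments so commented-out code is not reported.
COMMENT_OR_STRING_RE = re.compile(STRING_LITERAL + r"|//[^\n]*|/\*.*?\*/", re.S)

# System.setProperty(<name>, <value>): <name> is a string literal or a simple
# identifier; <value> runs up to the next ')', so a call such as
# System.getenv("X") is captured as a non-literal expression and left alone.
SET_PROPERTY_RE = re.compile(
    r"System\s*\.\s*setProperty\s*\(\s*"
    r"(?P<name>" + STRING_LITERAL + r"|[\w.]+)\s*,\s*"
    r"(?P<value>[^)]+?)\s*\)"
)

# final String NAME = "..."; so a password parked in a constant is still found.
STRING_CONSTANT_RE = re.compile(
    r"final\s+String\s+(?P<ident>\w+)\s*=\s*(?P<lit>" + STRING_LITERAL + r")\s*;"
)


def _strip_comments(source):
    """Blank out comments while preserving string literals and line numbering."""
    def repl(m):
        text = m.group(0)
        if text.startswith('"'):
            return text
        return "\n" * text.count("\n")
    return COMMENT_OR_STRING_RE.sub(repl, source)


def _resolve(expr, constants):
    """(text, how) for a string literal or a constant-backed identifier, else (None, None)."""
    expr = expr.strip()
    if STRING_LITERAL_RE.match(expr):
        return expr[1:-1], "literal"
    if expr in constants:
        return constants[expr], "constant " + expr
    return None, None


def find_hardcoded_keystore_passwords(java_source):
    """One finding per System.setProperty() call that sets a keystore or
    truststore password to a value that is fixed at compile time."""
    source = _strip_comments(java_source)
    constants = {
        m.group("ident"): m.group("lit")[1:-1]
        for m in STRING_CONSTANT_RE.finditer(source)
    }
    findings = []
    for m in SET_PROPERTY_RE.finditer(source):
        prop, _ = _resolve(m.group("name"), constants)
        if prop not in SENSITIVE_PROPERTIES:
            continue  # unrelated property, or a name this scanner cannot resolve
        value, how = _resolve(m.group("value"), constants)
        if value is None:
            continue  # expression such as System.getenv(...): externalized, not flagged
        findings.append({
            "line": source.count("\n", 0, m.start()) + 1,
            "property": prop,
            "hardcoded_via": how,   # the secret itself is deliberately not echoed
        })
    return findings


# Constructed sample input (not taken from the page): a constant-backed password,
# a commented-out call, a multi-line literal call, an unrelated property and an
# externalized password.
SAMPLE_JAVA = """\
public class SSLConfig {
    private static final String KEYSTORE_PW = "secret123";

    public void setupSSL() {
        // System.setProperty("javax.net.ssl.keyStorePassword", "old-secret");
        System.setProperty("javax.net.ssl.keyStorePassword", KEYSTORE_PW);
        System.setProperty("javax.net.ssl.trustStorePassword",
                           "password");
        System.setProperty("javax.net.ssl.keyStore", "/etc/app/keystore.p12");
        String trustStorePass = System.getenv("SSL_TRUSTSTORE_PASSWORD");
        System.setProperty("javax.net.ssl.trustStorePassword", trustStorePass);
    }
}
"""

if __name__ == "__main__":
    for finding in find_hardcoded_keystore_passwords(SAMPLE_JAVA):
        print(finding)
```

On the sample the scanner reports line 6 (password via the constant `KEYSTORE_PW`) and line 7 (literal `"password"`), and stays silent on the commented-out call, the `javax.net.ssl.keyStore` path and the `System.getenv` value. It only resolves `final String` constants in the same file; string concatenation, `char[]` passwords and values read from a properties file bundled in the repository are outside what this illustration covers.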
Vulnerable code example
public class SSLConfig {
    public void setupSSL() {
        // Insecure: hardcoded credential exposed in code
        System.setProperty("javax.net.ssl.keyStorePassword", "secret123");
        // Insecure: another hardcoded password in plain text
        System.setProperty("javax.net.ssl.trustStorePassword", "password");
    }
}
Secure code example
public class SSLConfig {
    public void setupSSL() {
        // Load credentials from secure configuration or environment variables
        String keyStorePass = System.getenv("SSL_KEYSTORE_PASSWORD");
        String trustStorePass = System.getenv("SSL_TRUSTSTORE_PASSWORD");
        // Fail fast instead of silently setting a null password
        if (keyStorePass == null || trustStorePass == null) {
            throw new IllegalStateException("SSL keystore/truststore passwords are not configured");
        }
        // Set SSL properties using externalized credentials
        System.setProperty("javax.net.ssl.keyStorePassword", keyStorePass);
        System.setProperty("javax.net.ssl.trustStorePassword", trustStorePass);
    }
}