Fluid Attacks Database

Description

Detects hardcoded passwords in OkHttp3 Basic Authentication credentials. This is a security risk because embedding credentials in source code can lead to unauthorized access if the code is exposed, and makes credential rotation difficult.

Weakness:

359 - Sensitive information in source code - Credentials

Category: Information Collection

Detection Strategy

• Check if the OkHttp3 library is imported in the Java source code

• Look for calls to Credentials.basic() method

• Verify if the password parameter (second argument) is a hardcoded string literal instead of a variable or configuration value

• Report a vulnerability when credentials are created with hardcoded passwords in the source code

Vulnerable code example

import okhttp3.Credentials;

public class UnsafeAuth {
    public void authenticate() {
        // Vulnerable: Hardcoded credentials in basic auth
        String creds = Credentials.basic("admin", "secret123");
    }
}

✅ Secure code example

import okhttp3.Credentials;

public class SafeAuth {
    public void authenticate() {
        // Safe: Credentials retrieved from environment variables
        String creds = Credentials.basic(
            System.getenv("USERNAME"),
            System.getenv("PASSWORD")...

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.