Properties Exposed Credentials And Tokens
Description
Detects exposed credentials, passwords, and sensitive tokens in Java Properties configuration files. The vulnerability occurs when sensitive configuration values like database passwords, AWS keys, or mail credentials are stored in plaintext within .properties files, which could lead to unauthorized access if the configuration files are exposed.
Detection Strategy
• Scan Java Properties files for key names containing sensitive patterns like 'password', 'secret', 'key', or 'credentials'
• Check if these sensitive configuration keys have associated non-empty values in plaintext
• Common examples include 'aws.secretkey', 'spring.datasource.password', 'db.password', and other credential-related properties
• Ignores properties where values are protected/encrypted
• Reports a vulnerability for each line containing an exposed sensitive value
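A scanner implementing the strategy above, written in Python as an added example (not Fluid Attacks' own code): it parses logical .properties lines, matches key names against sensitive patterns, and skips empty, placeholder and encrypted values. The key-pattern list and the ENC(...)/{cipher} encryption markers are assumptions, and the sample file is constructed.

```python
import re

# Key-name fragments this rule treats as sensitive (see the detection strategy above).
SENSITIVE_KEY = re.compile(r"password|passwd|secret|token|credential|accesskey|apikey", re.I)
# Values that are not plaintext: a runtime placeholder, or a value wrapped in an
# encryption marker. ENC(...) (Jasypt) and {cipher} (Spring Cloud Config) are assumed here.
PROTECTED_VALUE = re.compile(r"^(\$\{[^}]*\}|ENC\(.*\)|\{cipher\}.*)$")
# Java Properties: the key ends at the first unescaped '=', ':' or whitespace.
KEY_VALUE = re.compile(r"^\s*((?:\\.|[^=:\s\\])+)\s*[=:]?\s*(.*)$")


def parse_properties(text):
    """Yield (line_number, key, value) per logical key/value line of a .properties file.
    Skips '#'/'!' comments and blanks, joins backslash continuations, and reports the
    line where the logical line starts. Java Properties has no inline comments: a
    trailing ' # ...' is part of the value."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        start, raw = i + 1, lines[i]
        # An odd number of trailing backslashes continues the line.
        while (len(raw) - len(raw.rstrip("\\"))) % 2 == 1 and i + 1 < len(lines):
            raw = raw[:-1] + lines[i + 1].lstrip()
            i += 1
        i += 1
        if not raw.strip() or raw.lstrip()[0] in "#!":
            continue
        m = KEY_VALUE.match(raw)
        if m:
            yield start, m.group(1), m.group(2).strip()


def find_exposed_secrets(text):
    """Return [(line, key, value)] for sensitive keys with a non-empty plaintext value."""
    return [
        (lineno, key, value)
        for lineno, key, value in parse_properties(text)
        if value and SENSITIVE_KEY.search(key) and not PROTECTED_VALUE.match(value)
    ]


# Constructed sample mixing exposed, placeholder, encrypted, empty and continued values.
SAMPLE = """# Database credentials
spring.datasource.username = app
spring.datasource.password = hunter2
aws.secretkey:EXAMPLE-NOT-A-REAL-KEY
mail.password = ${MAIL_PASSWORD}
db.password = ENC(3kT9xQ==)
api.token =
ldap.credentials = first-half-\\
    second-half
"""
```

Running `find_exposed_secrets(SAMPLE)` reports lines 3, 4 and 8 only; the placeholder, encrypted and empty values are skipped.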
Vulnerable code example
# AWS credentials directly exposed in config
# Hardcoded AWS access key - severe security risk
aws.accesskey = AKIA0000000000000000
# Database credentials in plaintext
# Plaintext password exposed in config file
sonar.password = 123
# Token exposed in config
jwt_token = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
✅ Secure code example
# Placeholders of the form ${VAR} are resolved by the consuming framework (e.g. Spring),
# not by java.util.Properties itself. Comments must start the line: Java Properties has
# no inline comments, so a trailing "# ..." would become part of the value.
# AWS credentials from environment variables
# Access key loaded securely from environment
aws.accesskey = ${AWS_ACCESS_KEY_ID}
# Database credentials from environment variables
# Password loaded securely from environment
sonar.password = ${SONAR_PASSWORD}
# Token loaded from environment
# JWT token loaded securely from environment
jwt_token = ${JWT_TOKEN}