Java Hardcoded Db Password
Description
Detects hardcoded database passwords in Java applications that use JDBC connections. This represents a security risk since credentials embedded in source code could be exposed through code access and may be propagated across different environments. Having database passwords in code also makes credential rotation difficult and risks credential leakage.
Detection Strategy
• Check if java.sql package is imported in the source file
• Look for DriverManagerDataSource constructor calls that contain string literals as the third argument (password parameter)
• Find calls to setPassword() methods on DriverManagerDataSource objects that use hardcoded string values
• Report a vulnerability when database passwords are specified as string literals rather than being retrieved from secure configuration
Vulnerable code example
import java.sql.Connection;
import java.sql.DriverManager;
public class DatabaseConnection {
public static void main(String[] args) {
try {
// Hardcoded credentials expose sensitive information in source code
String dbUrl = "jdbc:mysql://localhost:3306/mydb";...✅ Secure code example
import java.sql.Connection;
import java.sql.DriverManager;
public class DatabaseConnection {
public static void main(String[] args) {
try {
String dbUrl = System.getenv("DB_URL"); // Get URL from environment variable
String username = System.getenv("DB_USER");...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.