C Sharp Hardcoded Credentials Password Literal
Description
Detects hardcoded passwords and credentials in C# code when initializing sensitive security objects like NetworkCredential, SQL connection strings, and password authentication methods. This presents a security risk since credentials embedded directly in source code can be easily discovered and exploited by attackers who gain access to the codebase.
Detection Strategy
• Scan for creation of sensitive security objects including NetworkCredential, OracleConnectionStringBuilder, PasswordAuthenticationMethod, and SqlConnectionStringBuilder
• Check if these objects are initialized with string literals for passwords or credentials rather than variables/parameters
• Follow variable declarations of these sensitive objects to find any subsequent assignments of hardcoded credentials
• Report a vulnerability when credentials are provided as string literals rather than being loaded from configuration or secure storage
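The four steps above, as a simplified line-based approximation added here in Python (not Fluid Attacks' own scanner code), run over a constructed C# sample; the type names come from the strategy, while the regular expressions, messages and sample are assumptions of this example:

```python
import re
# Types the detection strategy above treats as sensitive.
SENSITIVE_TYPES = ("NetworkCredential", "OracleConnectionStringBuilder",
                   "PasswordAuthenticationMethod", "SqlConnectionStringBuilder")
TYPES = "|".join(SENSITIVE_TYPES)
LITERAL = re.compile(r'"(?:[^"\\]|\\.)*"')  # a C# regular string literal
CTOR = re.compile(rf"new\s+({TYPES})\s*\((?P<args>.*?)\)\s*;")
DECL = re.compile(rf"\b(?:var|{TYPES})\s+(?P<var>\w+)\s*=\s*new\s+({TYPES})\b")
ASSIGN = re.compile(r'\b(?P<var>\w+)\.(?:Password|Pwd)\s*=\s*"(?:[^"\\]|\\.)*"\s*;')
SECRET_KEY = re.compile(r"\b(?:password|pwd)\s*=", re.IGNORECASE)
ARG_SPLIT = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')  # commas outside literals

def ctor_hardcodes_secret(type_name, args):
    """Step 2: does this constructor call receive the password as a string literal?"""
    if type_name.endswith("ConnectionStringBuilder"):
        # The builder takes a whole connection string; flag a literal embedding Password=/Pwd=.
        return any(SECRET_KEY.search(lit) for lit in LITERAL.findall(args))
    # NetworkCredential(user, password[, domain]) and PasswordAuthenticationMethod(user, password)
    # take the password as the second positional argument.
    parts = [p.strip() for p in ARG_SPLIT.split(args)]
    return len(parts) >= 2 and LITERAL.fullmatch(parts[1]) is not None

def find_hardcoded_credentials(source):
    """Line-based scan of C# source returning (line_number, message) per finding.
    Approximation: nested calls in argument lists and object initializers are not parsed."""
    findings, tracked = [], {}  # tracked: variable name -> sensitive type (step 3)
    for lineno, line in enumerate(source.splitlines(), start=1):
        decl = DECL.search(line)
        if decl:
            tracked[decl.group("var")] = decl.group(2)
        ctor = CTOR.search(line)
        if ctor and ctor_hardcodes_secret(ctor.group(1), ctor.group("args")):
            findings.append((lineno, f"{ctor.group(1)} built with a literal password"))
        assign = ASSIGN.search(line)
        if assign and assign.group("var") in tracked:  # later assignment on a tracked object
            findings.append((lineno, f"{tracked[assign.group('var')]}.Password set to a literal"))
    return findings

# Constructed C# sample (not from the page): lines 1, 4, 7 and 8 should be reported.
SAMPLE = """\
var cred1 = new NetworkCredential("admin", "secretPass123");
var cred2 = new NetworkCredential(user, Environment.GetEnvironmentVariable("APP_PASSWORD"));
var builder = new SqlConnectionStringBuilder();
builder.Password = "hunter2";
var other = new SqlConnectionStringBuilder(Environment.GetEnvironmentVariable("DB_CONN"));
other.Password = dbPassword;
var oracle = new OracleConnectionStringBuilder("User Id=app;Password=Oracle!23;Data Source=db");
var ssh = new PasswordAuthenticationMethod(sshUser, "ssh-literal");
"""
```

Lines 2, 5 and 6 of the sample are not reported because the credential is a variable or comes from `Environment.GetEnvironmentVariable`, which is exactly the distinction step 4 draws.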
Vulnerable code example
using System.Net;

class Program
{
    static void Main()
    {
        // Vulnerable: Hardcoded credentials in NetworkCredential constructor
        var cred1 = new NetworkCredential("admin", "secretPass123");
        // ...
    }
}

✅ Secure code example
using System;
using System.Net;

class Program
{
    static void Main()
    {
        string username = Environment.GetEnvironmentVariable("APP_USERNAME"); // Get from environment variable
        // ...
    }
}