C Sharp Hardcoded Credentials In Directory

Description

Detects hardcoded credentials in C# DirectoryEntry constructor calls, which could expose sensitive authentication information. This is a security risk because hardcoded credentials can be extracted from source code or compiled binaries, potentially leading to unauthorized LDAP/Active Directory access.

Weakness:

359 - Sensitive information in source code - Credentials

Category: Information Collection

Detection Strategy

    Code imports the System.DirectoryServices namespace

    DirectoryEntry constructor is called with 3 or more parameters

    Password parameter contains a hardcoded string value instead of being retrieved from secure configuration

    Identifies instances where LDAP/AD credentials are embedded directly in the code
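The detection strategy above can be sketched as a small checker. This is an added Python example, not the scanner's own implementation; the function names, the sample source and the "LdapPassword" settings key are assumptions made for illustration.

```python
import re
USING = re.compile(r'^\s*using\s+System\.DirectoryServices\s*;', re.M)
CTOR = re.compile(r'\bnew\s+DirectoryEntry\s*\(')
LITERAL = re.compile(r'"(?:[^"\\]|\\.)*"\Z')  # a plain "..." literal and nothing else

def ctor_args(src, i):
    """Top-level arguments of a call, scanning from index i (just past its '(')."""
    args, cur, depth = [], [], 0
    while i < len(src):
        ch = src[i]
        if ch == '"':  # copy a literal whole: "LDAP://dc=a,dc=b" holds '//' and ','
            j = i + 1
            while j < len(src) and src[j] != '"':
                j += 2 if src[j] == '\\' else 1
            cur.append(src[i:j + 1])
            i = j + 1
            continue
        if src.startswith('//', i):  # drop a line comment between arguments
            i = (src.find('\n', i) + 1) or len(src)
            continue
        if depth == 0 and ch in ',)':
            args.append(''.join(cur).strip())
            if ch == ')':  # closing paren of the constructor call
                return [a for a in args if a]
            cur = []
        else:
            depth += (ch in '([{') - (ch in ')]}')
            cur.append(ch)
        i += 1
    return None  # call never closed, e.g. a truncated snippet

def find_hardcoded_directory_credentials(src):
    """Flag DirectoryEntry(path, username, password[, authType]) calls with a literal password."""
    if not USING.search(src):
        return []
    findings = []
    for m in CTOR.finditer(src):
        args = ctor_args(src, m.end())
        if args and len(args) >= 3 and LITERAL.match(args[2]):
            findings.append((src.count('\n', 0, m.start()) + 1, args[2]))
    return findings

# Constructed sample modelled on the page's two snippets (not real project code).
SAMPLE = '''using System.DirectoryServices;
var a = new DirectoryEntry("LDAP://dc=example,dc=com", "admin",
    "secretPass123");  // hardcoded password
var b = new DirectoryEntry(ConfigurationManager.AppSettings["LdapPath"],
    ConfigurationManager.AppSettings["LdapUsername"],
    ConfigurationManager.AppSettings["LdapPassword"]);'''
```

Verbatim (@"...") and interpolated strings, and constants defined elsewhere and then passed as the password argument, are outside this sketch.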

Vulnerable code example

using System.DirectoryServices;

public class LdapAuth {
    public bool Authenticate(string username) {
        var entry = new DirectoryEntry(
            "LDAP://dc=example,dc=com",
            "admin",
            "secretPass123",  // Vulnerable: Hardcoded credential exposed in source code...

✅ Secure code example

using System.DirectoryServices;
using System.Configuration;

public class LdapAuth {
    public bool Authenticate(string username) {
        var entry = new DirectoryEntry(
            ConfigurationManager.AppSettings["LdapPath"],
            ConfigurationManager.AppSettings["LdapUsername"], ...