Json Connection String With Password Exposed
Description
Detects hardcoded database connection strings containing passwords in JSON configuration files. This represents a security risk since credentials stored in code or configuration files could be exposed to unauthorized users through source code access or configuration file leaks.
Detection Strategy
• Scans JSON configuration files for 'connectionString' key-value pairs
• Checks if the connection string value contains a 'password=' parameter (case-insensitive)
• Validates that the connection string length is less than 1000 characters to avoid false positives
• Reports a vulnerability when a connection string contains an explicit password parameter
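The detection strategy above, worked through as an added example (this is illustrative code, not Fluid Attacks' own rule implementation). It walks a parsed JSON document, looks for connection-string keys at any depth (a generalisation of the bullet list, which only names the top-level key), flags values that carry a case-insensitive `password=` parameter, applies the 1000-character false-positive guard, and redacts the secret in the report so the finding itself does not re-expose it. The key set, the sample documents and the `from_env` convention are taken from this page; the `$.path` notation and the redaction format are assumptions of the example.

```python
"""Detector for hardcoded passwords in JSON connection strings.

Added example, not the original rule's code. It follows the four-step
strategy on this page: find connection-string keys, check for 'password='
(case-insensitive), skip values of 1000 characters or more, report the rest.
"""
import json
import re

# Keys treated as connection-string holders. 'connectionString' is the key named
# in the detection strategy; 'connection' is the key used in the page's examples.
# Treating both as candidates is an assumption of this example.
CONNECTION_KEYS = {"connectionstring", "connection"}

# Case-insensitive match for a 'password=' parameter inside the string.
PASSWORD_RE = re.compile(r"password\s*=", re.IGNORECASE)

# Strings at or above this length are ignored to limit false positives.
MAX_LEN = 1000


def redact(value: str) -> str:
    """Mask the password value so a finding can be logged safely."""
    return re.sub(r"(password\s*=)[^;]*", r"\1***", value, flags=re.IGNORECASE)


def find_exposed_passwords(doc, path="$"):
    """Return a list of findings, each {'path': json-path, 'value': redacted}."""
    findings = []
    if isinstance(doc, dict):
        for key, value in doc.items():
            child = f"{path}.{key}"
            if key.lower() in CONNECTION_KEYS and isinstance(value, str):
                # Step 2 + 3: password parameter present and length guard satisfied.
                if len(value) < MAX_LEN and PASSWORD_RE.search(value):
                    findings.append({"path": child, "value": redact(value)})
            else:
                # An object value (e.g. {"from_env": ...}) or unrelated key: recurse.
                findings.extend(find_exposed_passwords(value, child))
    elif isinstance(doc, list):
        for index, item in enumerate(doc):
            findings.extend(find_exposed_passwords(item, f"{path}[{index}]"))
    return findings


def scan_json_text(text: str):
    """Parse a JSON document (plain JSON, no // comments) and scan it."""
    return find_exposed_passwords(json.loads(text))


# Constructed samples mirroring the page's two examples (comments removed so
# they are valid JSON), plus one showing the length guard.
VULNERABLE_SAMPLE = """{
  "database": {
    "main": {
      "connection": "Server=mydb.example.com;User=admin;Password=secretPass123!",
      "type": "mysql"
    }
  }
}"""

SECURE_SAMPLE = """{
  "database": {
    "main": {
      "connection": { "from_env": "DB_CONNECTION_STRING" },
      "type": "mysql"
    }
  }
}"""

# A password-bearing string padded past MAX_LEN: skipped by the length guard.
LONG_SAMPLE = json.dumps({"connectionString": "Password=x;" + "a" * MAX_LEN})


if __name__ == "__main__":
    for name, sample in [("vulnerable", VULNERABLE_SAMPLE),
                         ("secure", SECURE_SAMPLE),
                         ("too long", LONG_SAMPLE)]:
        print(name, scan_json_text(sample))
```

Note the trade-off the length guard introduces: a very long connection string that does embed a password is not reported, exactly as the rule's third step describes. If that is a concern in your environment, lower the threshold or drop it and accept more manual triage.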
Vulnerable code example
{
  "database": {
    "main": {
      "connection": "Server=mydb.example.com;User=admin;Password=secretPass123!", // Vulnerable: Hardcoded sensitive credentials
      "type": "mysql"
    }
  }
}
✅ Secure code example
{
  "database": {
    "main": {
      "connection": { "from_env": "DB_CONNECTION_STRING" }, // Safe: Connection string loaded from environment variable
      "type": "mysql"
    }
  }
}