Java Hardcoded Kmf Password
Description
Identifies instances where Java KeyManagerFactory is initialized with hardcoded password credentials. Using hardcoded passwords for key managers compromises security since these credentials can be extracted from the application code and potentially used to access sensitive cryptographic materials.
Detection Strategy
• Check if javax.net.ssl.KeyManagerFactory is imported in the Java code
• Look for calls to the 'init' method on KeyManagerFactory instances
• Verify the second argument (password parameter) of the init method contains a hardcoded string value
• Report a vulnerability when a KeyManagerFactory initialization uses a hardcoded string password
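The four detection steps above, implemented as a small source checker (an added example written for this page, not Fluid Attacks' own scanner); the Java snippets it scans are constructed here, and the regexes assume single-line init(...) calls on variables declared with the KeyManagerFactory type:

```python
import re

VULNERABLE_SRC = """\
import javax.net.ssl.KeyManagerFactory;
public class VulnerableSSLConfig {
    public void configureSSL() throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(null, "hardcodedPassword123".toCharArray());
    }
}
"""  # constructed Java sample for the check, not code from the page
SECURE_SRC = VULNERABLE_SRC.replace('"hardcodedPassword123".toCharArray()',
                                    'System.getenv("KEY_MANAGER_PASSWORD").toCharArray()')

IMPORT_RE = re.compile(r"^\s*import\s+javax\.net\.ssl\.(?:KeyManagerFactory|\*)\s*;", re.M)
DECL_RE = re.compile(r"\bKeyManagerFactory\s+(\w+)\s*=")   # variables typed KeyManagerFactory
INIT_RE = re.compile(r"\b(\w+)\.init\s*\((.*?)\)\s*;")      # single-line <var>.init(...) calls
# A string literal, optionally followed by .toCharArray(): the hardcoded shape the rule flags.
LITERAL_RE = re.compile(r'^"(?:[^"\\]|\\.)*"(?:\s*\.toCharArray\(\s*\))?$')
# Tokens: a whole string literal, a run of plain characters, or one punctuation character.
TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|[^",()\[\]]+|.', re.S)

def split_args(text):
    """Split a Java argument list on top-level commas; literals (which may contain commas) stay whole."""
    args, cur, depth = [], "", 0
    for tok in TOKEN_RE.findall(text):
        if tok == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
        else:
            depth += (tok in "([") - (tok in ")]")
            cur += tok
    return [a for a in args + [cur.strip()] if a]

def find_hardcoded_kmf_passwords(src):
    """Return (line, variable) for every KeyManagerFactory.init call whose password is a string literal."""
    if not IMPORT_RE.search(src):            # step 1: class never imported, nothing to check
        return []
    kmf_vars = set(DECL_RE.findall(src))     # step 2: the KeyManagerFactory instances in scope
    findings = []
    for m in INIT_RE.finditer(src):
        var, args = m.group(1), split_args(m.group(2))
        if var in kmf_vars and len(args) == 2 and LITERAL_RE.match(args[1]):   # step 3
            findings.append((src.count("\n", 0, m.start()) + 1, var))         # step 4
    return findings
```

A password first assigned from a literal to a String variable and then passed to init is not caught by this literal-only check, which matches the rule's scope as stated above.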
Vulnerable code example
import javax.net.ssl.KeyManagerFactory;
public class VulnerableSSLConfig {
    public void configureSSL() throws Exception {
        // Vulnerability: hardcoded password in KeyManagerFactory initialization
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(null, "hardcodedPassword123".toCharArray()); // Vulnerable: password directly in code
    }
}
✅ Secure code example
import javax.net.ssl.KeyManagerFactory;
public class SecureSSLConfig {
    public void configureSSL() throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        String password = System.getenv("KEY_MANAGER_PASSWORD"); // Get password from environment variable
        if (password == null) {
            throw new IllegalStateException("KEY_MANAGER_PASSWORD is not set"); // Fail closed instead of NPE
        }
        kmf.init(null, password.toCharArray()); // Safe: password retrieved from environment
    }
}