Java Hardcoded Mysql Password
Description
Detects hardcoded database passwords in Java applications using MySQL JDBC connector. Hardcoded database credentials in source code pose a significant security risk as they can lead to unauthorized database access if the source code is exposed or compromised.
Detection Strategy
• Checks if MySQL JDBC connector (com.mysql.cj.jdbc.MysqlDataSource) is imported in the code
• Identifies calls to setPassword() method on MySQL datasource objects
• Verifies if the password parameter is a hardcoded string literal
• Confirms the method is called on a MySQL datasource instance
• Reports a vulnerability if all conditions are met, indicating hardcoded database credentials
Vulnerable code example
import com.mysql.cj.jdbc.MysqlDataSource;
public class DbConnection {
public static MysqlDataSource getConnection() {
MysqlDataSource source = new MysqlDataSource();
source.setPassword("db123!"); // Vulnerable: Hardcoded credential in code
return source;
}...✅ Secure code example
import com.mysql.cj.jdbc.MysqlDataSource;
import java.util.Properties;
import java.io.FileInputStream;
public class DbConnection {
public static MysqlDataSource getConnection() throws Exception {
// Load credentials from external config file
Properties props = new Properties();...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.