Dart Hardcoded HttpClient Credentials
Description
This detector identifies hardcoded credentials in Dart HTTP client authentication methods. When credentials like passwords are embedded directly in the source code, they become visible to anyone with access to the codebase and cannot be easily rotated, creating a significant security risk.
Detection Strategy
• Code must import the dart:io library (either directly or with a prefix)
• A call must be made to one of the basic-authentication sink methods, i.e. the dart:io APIs that set HTTP authentication credentials, such as the HttpClientBasicCredentials constructor
• The second argument (index 1) of that call, the password parameter, must be a hardcoded string literal
• The hardcoded password value must be resolvable as a static string in the source code (not a variable or computed value)
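As an added illustration (not Fluid Attacks' detector code), the following Python script applies the four conditions above to Dart source text with a simple lexical scan: it checks for the dart:io import (plain or aliased), locates HttpClientBasicCredentials calls under the matching prefix, and flags those whose second argument is a static string literal. The sample snippets, the io alias and the API_PASSWORD variable name are constructed for the demo.

```python
import re

# Constructed Dart snippets used as demo input (not from any real project).
VULNERABLE = """import 'dart:io';
Future<void> main() async {
  final creds = HttpClientBasicCredentials('admin', 'password123');
}"""
SAFE_PREFIXED = """import 'dart:io' as io;
Future<void> main() async {
  final creds = io.HttpClientBasicCredentials(
      'admin', io.Platform.environment['API_PASSWORD'] ?? '');
}"""
NO_IO_IMPORT = "final c = HttpClientBasicCredentials('admin', 'password123');"
IMPORT_RE = re.compile(r"""import\s+['"]dart:io['"](?:\s+as\s+(\w+))?\s*;""")
CALL_RE = re.compile(r"(?:(\w+)\.)?HttpClientBasicCredentials\s*\(")
STATIC_STRING_RE = re.compile(r"""^(?:r?'[^'$]*'|r?"[^"$]*")$""")  # no $-interpolation

def _split_args(src, start):
    """Top-level argument texts of the call whose '(' ends just before start (no escape handling)."""
    depth, quote, args, buf = 0, None, [], ""
    for ch in src[start:]:
        if quote:                                   # inside a string literal
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote = ch
        elif ch in "([{":
            depth += 1
        elif ch in ")]}":
            if depth == 0:                          # closing paren of the call itself
                return args + [buf.strip()]
            depth -= 1
        elif ch == "," and depth == 0:
            args, buf = args + [buf.strip()], ""    # argument boundary; drop the comma
            continue
        buf += ch
    return args                                     # unterminated call: best effort

def find_hardcoded_basic_credentials(src):
    """Return (line, literal) for each credentials call whose password (arg 1) is a static literal."""
    imp = IMPORT_RE.search(src)
    if not imp:                                     # condition 1: dart:io must be imported
        return []
    findings = []
    for call in CALL_RE.finditer(src):              # condition 2: the sink constructor
        if call.group(1) != imp.group(1):           # prefix must match the import alias
            continue
        args = _split_args(src, call.end())
        if len(args) >= 2 and STATIC_STRING_RE.match(args[1]):   # conditions 3 and 4
            findings.append((src.count("\n", 0, call.start()) + 1, args[1]))
    return findings
```

Running find_hardcoded_basic_credentials over the three snippets reports only the first one, at line 3; the prefixed variant reading Platform.environment and the file without the dart:io import produce no finding.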
Vulnerable code example
    import 'dart:io';

    Future<void> main() async {
      final client = HttpClient();
      // VULNERABLE: hardcoded password in HttpClientBasicCredentials
      final creds = HttpClientBasicCredentials('admin', 'password123');
      client.addCredentials(Uri.parse('https://api.example.com'), 'realm', creds);
    }
✅ Secure code example
    import 'dart:io';

    Future<void> main() async {
      final client = HttpClient();
      // SAFE: password from environment variable, not hardcoded literal
      // (API_PASSWORD is a placeholder name; the variable name is not given here)
      final creds = HttpClientBasicCredentials(
        'admin',
        Platform.environment['API_PASSWORD'] ?? '',
      );
      client.addCredentials(Uri.parse('https://api.example.com'), 'realm', creds);
    }