Java Hardcoded JNDI Credentials
Description
Detects hardcoded JNDI credentials stored in java.util.Properties objects, for example a literal password passed to put() under the key Context.SECURITY_CREDENTIALS. Storing credentials in source code is a security risk: anyone with access to the repository, the build artifacts or the decompiled bytecode can read them, and rotating them requires a code change and a redeploy instead of a configuration update.
Detection Strategy
• Check if java.util.Properties is imported in the source file
• Look for instances where a Properties object is created and stored in a variable
• Search for calls to the put() method on that Properties variable within the same scope
• Check whether the key passed to put() denotes a password or credential (for example Context.SECURITY_CREDENTIALS) and whether the value is a string literal rather than a value read at runtime
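The four steps above, as an added example that is not part of the original page or of Fluid Attacks' engine: a small Python rule that scans a Java source file, keeps track of which Properties variables are in scope by brace depth, and reports put() calls that store a string literal under a credential key. The credential-key spellings beyond Context.SECURITY_CREDENTIALS, the variable names and the sample Java source are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Step 1: the rule only applies when java.util.Properties is imported.
IMPORT_RE = re.compile(r'^\s*import\s+java\.util\.(?:Properties|\*)\s*;')
# Step 2: "Properties jndiProps = new Properties();" -> captures the variable name.
DECL_RE = re.compile(r'\bProperties\s+(\w+)\s*=\s*new\s+Properties\s*\(')
# Step 3: "<var>.put(<key>, <value>);" -> variable, key expression, value expression.
PUT_RE = re.compile(r'\b(\w+)\.put\(\s*([^,]+?)\s*,\s*(.+?)\s*\)\s*;')
# Step 4: keys that denote a password/credential. Context.SECURITY_CREDENTIALS is
# from the page; the quoted-string spellings are assumed extras a rule author adds.
CREDENTIAL_KEY_RE = re.compile(
    r'Context\.SECURITY_CREDENTIALS|"[^"]*(?:password|passwd|credential|secret)[^"]*"',
    re.IGNORECASE,
)
# A value that is exactly one string literal is hardcoded; System.getenv(...),
# a field or a method call is not.
STRING_LITERAL_RE = re.compile(r'^"[^"]*"$')


@dataclass
class Finding:
    line: int       # 1-based line number in the scanned source
    variable: str   # the Properties variable put() was called on
    key: str        # key expression as written in the source
    value: str      # value expression as written in the source


def find_hardcoded_jndi_credentials(source: str) -> list[Finding]:
    """Apply the four detection steps to the text of one Java source file."""
    lines = source.splitlines()
    if not any(IMPORT_RE.match(line) for line in lines):
        return []

    findings: list[Finding] = []
    depth = 0                       # current brace nesting depth
    declared: dict[str, int] = {}   # Properties variable -> depth it was declared at
    for number, line in enumerate(lines, start=1):
        for m in DECL_RE.finditer(line):
            declared[m.group(1)] = depth
        for m in PUT_RE.finditer(line):
            var, key, value = m.group(1), m.group(2), m.group(3)
            if var not in declared:
                continue  # put() on something other than an in-scope Properties object
            if CREDENTIAL_KEY_RE.search(key) and STRING_LITERAL_RE.match(value):
                findings.append(Finding(number, var, key, value))
        # Update the depth after the line and drop variables whose block has closed.
        depth += line.count("{") - line.count("}")
        declared = {v: d for v, d in declared.items() if d <= depth}
    return findings


# Constructed sample input: one insecure method, one secure method, and a
# put() on a plain HashMap that the rule must ignore.
SAMPLE_JAVA = '''\
import javax.naming.Context;
import java.util.Properties;
import java.util.HashMap;

public class Client {
    public void connectInsecurely() {
        Properties jndiProps = new Properties();
        jndiProps.put(Context.PROVIDER_URL, "ldap://directory.example:389");
        jndiProps.put(Context.SECURITY_CREDENTIALS, "secretpass123"); // hardcoded
        jndiProps.put("java.naming.security.credentials", "secretpass123"); // string key
    }

    public void connectSecurely() {
        Properties jndiProps = new Properties();
        jndiProps.put(Context.SECURITY_CREDENTIALS, System.getenv("JNDI_PASSWORD"));
    }

    public void unrelated() {
        HashMap<String, String> cache = new HashMap<>();
        cache.put("password", "not a Properties object");
    }
}
'''

if __name__ == "__main__":
    for f in find_hardcoded_jndi_credentials(SAMPLE_JAVA):
        print(f"line {f.line}: {f.variable}.put({f.key}, {f.value}) stores a hardcoded credential")
```

On the sample the rule reports lines 9 and 10 only: the PROVIDER_URL entry is not a credential key, the System.getenv value is not a literal, and the HashMap is never tracked as a Properties object. The rule is deliberately text-based; a value built by concatenation or read from a static final String constant is not recognised as a literal here, which is the kind of case a real engine resolves through constant propagation.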
Vulnerable code example
import javax.naming.Context;
import java.util.Properties;
public class Client {
    public void connect() {
        Properties jndiProps = new Properties();
        jndiProps.put(Context.SECURITY_CREDENTIALS, "secretpass123"); // Vulnerable: hardcoded credential directly in code
    }
}
✅ Secure code example
import javax.naming.Context;
import java.util.Properties;
public class Client {
    public void connect() {
        Properties jndiProps = new Properties();
        // Load credentials from a secure configuration source instead of hardcoding them.
        // An environment variable is used here; the name JNDI_PASSWORD is illustrative.
        String password = System.getenv("JNDI_PASSWORD");
        // Properties.put rejects a null value, so a missing variable fails fast at startup.
        jndiProps.put(Context.SECURITY_CREDENTIALS, password);
    }
}