Go Sql Plaintext Storage Of Password
Description
This detector identifies Go applications that store passwords in plaintext within SQL databases. It looks for SQL write operations (INSERT, UPDATE) where password-related arguments are passed directly without encryption or hashing, creating a security risk where sensitive credentials could be exposed if the database is compromised.
Detection Strategy
• The code must import the 'database/sql' Go library
• Must contain function calls ending with SQL-related method names like 'Exec', 'ExecContext', 'Query', or 'QueryContext'
• The SQL statement must be a write operation (contains INSERT, UPDATE, or similar SQL commands)
• At least one function argument after the SQL query must be identified as password-related (contains keywords like 'password', 'passwd', 'pwd', etc.)
• The password argument is passed directly to the SQL function without apparent encryption or hashing
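The following is an added illustration of the five heuristics above as a small static check, written for this page and not the detector's own implementation. It uses only the standard library (go/parser, go/ast) and parses a constructed sample file embedded in the source; the sample, the helper names and the Finding type are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// sampleSrc is a constructed input (not taken from the page): one INSERT that
// receives a variable named password, one UPDATE without a password, one SELECT.
const sampleSrc = `package main

import (
	"database/sql"
	"net/http"
)

func storePassword(db *sql.DB, r *http.Request) {
	password := r.FormValue("password")
	db.Exec("INSERT INTO users (name, password) VALUES ($1, $2)", r.FormValue("name"), password)
}

func updateEmail(db *sql.DB, email string, id int) {
	db.Exec("UPDATE users SET email = $1 WHERE id = $2", email, id)
}

func readUser(db *sql.DB, password string) {
	db.Query("SELECT id FROM users WHERE password = $1", password)
}
`

// sqlMethods are the database/sql method names the heuristic looks for (bullet 2).
var sqlMethods = map[string]bool{"Exec": true, "ExecContext": true, "Query": true, "QueryContext": true}

// passwordWords are the substrings that mark an argument as password-related (bullet 4).
var passwordWords = []string{"password", "passwd", "pwd"}

// Finding is one flagged argument of one SQL write call.
type Finding struct {
	Line int    // source line of the flagged argument
	Func string // Exec, ExecContext, Query or QueryContext
	Arg  string // identifier that looked like a password
}

// importsDatabaseSQL implements bullet 1.
func importsDatabaseSQL(f *ast.File) bool {
	for _, imp := range f.Imports {
		if imp.Path.Value == `"database/sql"` {
			return true
		}
	}
	return false
}

// isWriteStatement implements bullet 3 on the literal SQL text.
func isWriteStatement(s string) bool {
	u := strings.ToUpper(s)
	return strings.Contains(u, "INSERT") || strings.Contains(u, "UPDATE")
}

// looksLikePassword implements bullets 4 and 5: only a bare identifier or a field
// selector counts as "passed directly"; a call such as bcrypt.GenerateFromPassword(...)
// wrapping the value is not flagged by this heuristic.
func looksLikePassword(e ast.Expr) (string, bool) {
	name := ""
	switch v := e.(type) {
	case *ast.Ident:
		name = v.Name
	case *ast.SelectorExpr:
		name = v.Sel.Name
	default:
		return "", false
	}
	lower := strings.ToLower(name)
	for _, w := range passwordWords {
		if strings.Contains(lower, w) {
			return name, true
		}
	}
	return "", false
}

// ScanSource parses Go source and returns one Finding per argument that matches all heuristics.
func ScanSource(src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "sample.go", src, 0)
	if err != nil {
		return nil, err
	}
	if !importsDatabaseSQL(f) {
		return nil, nil
	}
	var findings []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok || !sqlMethods[sel.Sel.Name] || len(call.Args) < 2 {
			return true
		}
		// The SQL statement is the first string literal argument (ExecContext takes a ctx first).
		stmtIdx := -1
		for i, a := range call.Args {
			if lit, ok := a.(*ast.BasicLit); ok && lit.Kind == token.STRING {
				stmtIdx = i
				break
			}
		}
		if stmtIdx < 0 || !isWriteStatement(call.Args[stmtIdx].(*ast.BasicLit).Value) {
			return true
		}
		for _, a := range call.Args[stmtIdx+1:] {
			if name, ok := looksLikePassword(a); ok {
				findings = append(findings, Finding{Line: fset.Position(a.Pos()).Line, Func: sel.Sel.Name, Arg: name})
			}
		}
		return true
	})
	return findings, nil
}

func main() {
	findings, err := ScanSource(sampleSrc)
	if err != nil {
		panic(err)
	}
	for _, fd := range findings {
		fmt.Printf("sample.go:%d plaintext password argument %q passed to %s\n", fd.Line, fd.Arg, fd.Func)
	}
}
```

Run against the sample, only the INSERT in storePassword is reported; the UPDATE carries no password-named argument and the SELECT is not a write. Because the check is name-based, a variable such as pwdHash holding an already-hashed value would still be flagged, which is the kind of false positive to expect from this strategy and to confirm by reading the assignment.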
Vulnerable code example

```go
package main

import (
	"database/sql"
	"net/http"
)

func storePassword(db *sql.DB, r *http.Request) {
	...
```

✅ Secure code example
```go
package main

import (
	"database/sql"
	"net/http"
	"os"

	"golang.org/x/crypto/bcrypt"
)
...
```