Java Empty Password Connection
Description
Detects database connections in Java applications that use empty or null passwords in DriverManager.getConnection() calls. Using empty database passwords in production code is a critical security weakness that could allow unauthorized database access and compromise sensitive data.
Detection Strategy
• Check if Java SQL related imports are present (java.sql.DriverManager and java.sql.Connection)
• Look for calls to DriverManager.getConnection() method in the code
• Examine the password parameter in the getConnection() method call to identify if it's empty or null
• Flag the connection as vulnerable if database credentials are specified with an empty password
Vulnerable code example
import java.sql.Connection;
import java.sql.DriverManager;
public class VulnerableDBConnection {
public static void main(String[] args) {
try {
// Vulnerable: Using empty string as database password
Connection conn = DriverManager.getConnection(...✅ Secure code example
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
public class SafeDBConnection {
public static void main(String[] args) {
// Secure: Get password from environment variable or system property
String password = System.getenv("DB_PASSWORD");...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.