Java Csrf Handler Hardcoded Secret

Description

Detects when a CSRFHandler is initialized with a hardcoded password or secret value. Hardcoded credentials in CSRF protection mechanisms undermine that protection, since attackers can extract the values from source code or from compiled applications.

Weakness:

009 - Sensitive information in source code

Category: Information Collection

Detection Strategy

    Identifies creation of CSRFHandler objects using the 'create' method

    Examines the arguments passed to the CSRFHandler constructor

    Reports a vulnerability if any argument contains a hardcoded password or secret value

    Example vulnerable code: CSRFHandler.create("hardcoded_secret")
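The detection strategy above, worked through as an added example that is not the rule database's own engine: a small regex-based scanner that flags CSRFHandler.create calls whose argument is a string literal, or a variable previously bound to a string literal, and ignores arguments that come from the environment. The Java snippets it scans are constructed for the example, and a real analyzer would work on an AST rather than on lines.

```python
import re

# Constructed Java samples (not taken from any real project).
VULNERABLE_SRC = '''
import io.vertx.ext.web.handler.CSRFHandler;
CSRFHandler handler1 = CSRFHandler.create("hardcodedSecret123");
String secretKey = "myHardcodedKey456";
CSRFHandler handler2 = CSRFHandler.create(secretKey);
'''

SAFE_SRC = '''
import io.vertx.ext.web.handler.CSRFHandler;
String csrfSecret = System.getenv("CSRF_SECRET");
CSRFHandler handler1 = CSRFHandler.create(csrfSecret);
'''

# Step 1: locate CSRFHandler.create(...) calls and capture the argument list.
CREATE_RE = re.compile(r'CSRFHandler\.create\(\s*([^)]*?)\s*\)')
# Track `String name = "literal";` so a secret hidden behind a variable is also caught.
STRING_ASSIGN_RE = re.compile(r'String\s+(\w+)\s*=\s*"([^"]*)"\s*;')


def find_hardcoded_csrf_secrets(source):
    """Return a list of (line_number, argument, reason) findings.

    A finding is reported when any argument of CSRFHandler.create is a
    string literal, or a variable that was assigned a string literal
    earlier in the file. Values read via System.getenv are never matched
    by STRING_ASSIGN_RE, so they are not reported.
    """
    literal_vars = {}
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        assign = STRING_ASSIGN_RE.search(line)
        if assign:
            literal_vars[assign.group(1)] = assign.group(2)
        for call in CREATE_RE.finditer(line):
            # Step 2: examine every argument, not only the first one.
            for arg in (a.strip() for a in call.group(1).split(',')):
                if len(arg) >= 2 and arg[0] == '"' and arg[-1] == '"':
                    findings.append((lineno, arg, 'string literal'))
                elif arg in literal_vars:
                    findings.append((lineno, arg, 'variable bound to string literal'))
    return findings


if __name__ == '__main__':
    for src in (VULNERABLE_SRC, SAFE_SRC):
        for lineno, arg, reason in find_hardcoded_csrf_secrets(src):
            print(f'line {lineno}: CSRFHandler.create({arg}) -> {reason}')
```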

Vulnerable code example

// Demonstrates vulnerable hardcoded secrets in CSRF handler
import io.vertx.ext.web.handler.CSRFHandler;

// VULNERABLE: Secret directly hardcoded in handler creation
CSRFHandler handler1 = CSRFHandler.create("hardcodedSecret123"); 

// VULNERABLE: Secret assigned to variable but still hardcoded
String secretKey = "myHardcodedKey456";...

✅ Secure code example

import io.vertx.ext.web.handler.CSRFHandler;

// Load secret from environment variable
String csrfSecret = System.getenv("CSRF_SECRET"); 
if (csrfSecret == null || csrfSecret.isEmpty()) {
    throw new IllegalStateException("CSRF secret must be configured in environment");
}
CSRFHandler handler1 = CSRFHandler.create(csrfSecret); // Safe: secret loaded from env...