Javascript Hardcoded Password In Connection
Description
Detects hardcoded passwords in database connection strings for MySQL, MSSQL, and PostgreSQL clients in JavaScript code. This poses a security risk as embedding credentials directly in source code could lead to unauthorized database access if the code is exposed.
Detection Strategy
• Check for database connection calls using MySQL, MSSQL or PostgreSQL clients
• Examine the first argument (configuration object) of the connection call
• Look for password fields that contain hardcoded string values
• Flag cases where the password is a literal string rather than an environment variable or configuration value
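The four steps above, implemented as an added example (this is not Fluid Attacks' own analyzer and makes no claim about how it works): a small scanner that finds connection-creating calls of the MySQL, MSSQL and PostgreSQL client families, takes the first argument when it is an object literal, and reports password-like keys whose value is a plain string literal. The call names, key names and the sample source are assumptions chosen for the demonstration; a production analyzer would work on an AST rather than on regular expressions and brace matching.

```javascript
// Added example, not part of the original page: a minimal implementation of the
// detection strategy (find connection call -> take first object argument ->
// find password fields -> flag string-literal values).

// Connection-creating calls typical of the mysql, mssql and pg packages
// (assumed list; extend as needed).
const CONNECTION_CALL =
  /\b(?:createConnection|createPool|connect|ConnectionPool|Pool|Client)\s*\(/g;

// Password-like keys whose value is a quoted string literal.
// Group 1 = key, group 2 = quote character, group 3 = literal contents
// (backslash escapes inside the literal are allowed).
const LITERAL_PASSWORD =
  /\b(password|pwd|pass)\s*:\s*(['"`])((?:\\.|(?!\2).)*)\2/g;

// Return { text, start } for the first argument when it is an object literal
// with balanced braces, otherwise null (e.g. `client.connect()` with no args).
function firstObjectArgument(source, openParenIndex) {
  let i = openParenIndex + 1;
  while (i < source.length && /\s/.test(source[i])) i++;
  if (source[i] !== '{') return null;
  let depth = 0;
  for (let j = i; j < source.length; j++) {
    if (source[j] === '{') depth++;
    else if (source[j] === '}' && --depth === 0) {
      return { text: source.slice(i, j + 1), start: i };
    }
  }
  return null; // unbalanced braces: give up on this call
}

// 1-based line number of an absolute character index.
function lineOf(source, index) {
  return source.slice(0, index).split('\n').length;
}

// Scan `source` and return one finding per hardcoded password literal:
// { line, key, call }. Values that are not string literals (process.env.X,
// config.db.password) or that interpolate a variable (`${...}`) are not flagged.
function findHardcodedPasswords(source) {
  const findings = [];
  for (const call of source.matchAll(CONNECTION_CALL)) {
    const openParen = call.index + call[0].length - 1;
    const arg = firstObjectArgument(source, openParen);
    if (!arg) continue;
    for (const m of arg.text.matchAll(LITERAL_PASSWORD)) {
      if (m[3].includes('${')) continue; // template with substitution, not a constant
      findings.push({
        line: lineOf(source, arg.start + m.index),
        key: m[1],
        call: call[0].replace(/\s*\($/, ''),
      });
    }
  }
  return findings;
}

// Constructed sample input: one hardcoded case per client family, one
// environment-based case and one template-substitution case that must not fire.
const SAMPLE = `const mysql = require('mysql');
const sql = require('mssql');
const { Pool } = require('pg');

const c1 = mysql.createConnection({
  host: 'localhost',
  user: 'root',
  password: 'admin123',
});

sql.connect({ user: 'sa', password: "P@ss\\"word", server: 'db' });

const pool = new Pool({
  user: process.env.DB_USER,
  password: process.env.DB_PASSWORD,
});

const pool2 = new Pool({ user: 'app', password: \`\${process.env.PG_PASSWORD}\` });

const bad = new Pool({ user: 'app', password: \`hunter2\` });
`;

for (const f of findHardcodedPasswords(SAMPLE)) {
  console.log(`line ${f.line}: hardcoded ${f.key} passed to ${f.call}(...)`);
}
```

Run with `node` to see the three expected findings (the mysql, mssql and last pg calls); the environment-variable pool and the template literal that interpolates `process.env.PG_PASSWORD` are correctly left alone, which is the distinction the last bullet of the strategy asks for.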
Vulnerable code example
const mysql = require('mysql');

// Database connection with hardcoded credentials
const connection = mysql.createConnection({
  host: 'localhost',
  user: 'root',
  password: 'admin123' // VULNERABLE: Hardcoded credential should not be in source code
});

✅ Secure code example
const mysql = require('mysql');

// Database connection using environment variables
const connection = mysql.createConnection({
  host: process.env.DB_HOST,
  user: process.env.DB_USER,
  password: process.env.DB_PASSWORD // SECURE: Credentials loaded from environment variables
});