Java Hardcoded Redis Credentials In Url
Description
Detects hardcoded Redis credentials in Java applications using the Jedis client library. When credentials are embedded directly in Redis connection URLs within the source code, it creates a security risk as sensitive authentication information could be exposed through code access or version control systems.
Detection Strategy
• Check if Redis-related libraries are imported in the Java source code
• Look for Jedis constructor calls that take a connection string parameter
• Examine the connection string parameter to identify if it contains hardcoded credentials (username:password)
• Report a vulnerability if credentials are found embedded in the Redis connection URL
Vulnerable code example
import redis.clients.jedis.Jedis;
public class RedisExample {
public void connectToRedis() {
// Vulnerability: Hardcoded credentials in Redis connection URL
Jedis jedis = new Jedis("redis://default:secretPassword123@redis-host.example.com:6379");
// Vulnerability: Another instance of hardcoded credentials...✅ Secure code example
import redis.clients.jedis.Jedis;
import java.util.Properties;
public class RedisExample {
public void connectToRedis() {
// Load credentials from environment variables or config
String redisHost = System.getenv("REDIS_HOST");
String redisPort = System.getenv("REDIS_PORT");...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.