Config Files Hardcoded Credentials In Config
Description
Detects hardcoded credentials (usernames and passwords) in configuration files. This represents a security risk as storing plaintext credentials in configuration files can lead to unauthorized access if the files are exposed or compromised. Configuration files should use secure credential management instead of hardcoded values.
Detection Strategy
• Scans configuration files line by line
• Identifies lines containing common username/password patterns (like user=, password=, pwd=, etc.)
• Ignores very long lines (>1000 characters) to focus on typical config entries
• Reports the line number where credentials are found in the configuration file
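The following scanner is an added illustration of that strategy, not Fluid Attacks' own rule implementation; the key aliases beyond user=, password= and pwd=, the regular expression and the sample configuration are assumptions made here.

```python
import re
from typing import List, Tuple

# Credential keys to look for. The page names user=, password= and pwd=;
# the remaining aliases are assumptions added for this example.
CREDENTIAL_KEYS = ("user", "username", "user_name", "password", "passwd", "pwd")

# Matches key=value, key: value and XML-style key="value" assignments.
CREDENTIAL_RE = re.compile(
    r"\b(" + "|".join(CREDENTIAL_KEYS) + r")\b\s*[=:]\s*[\"']?([^\s\"';<>/]+)",
    re.IGNORECASE,
)

MAX_LINE_LENGTH = 1000  # longer lines are skipped, as the detection strategy states


def find_hardcoded_credentials(config_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, key, value) for every credential assignment found."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        if len(line) > MAX_LINE_LENGTH:
            continue  # not a typical config entry; ignored by design
        for match in CREDENTIAL_RE.finditer(line):
            key, value = match.group(1), match.group(2)
            findings.append((number, key.lower(), value))
    return findings


# Constructed sample resembling the vulnerable web.config on this page, plus a
# legacy comment, an over-long line the rule ignores, and a safe identity element.
SAMPLE_CONFIG = "\n".join([
    '<?xml version="1.0" encoding="utf-8"?>',
    "<configuration>",
    '  <identity userName="domain\\admin" password="secretPassword123" />',
    "  <!-- legacy entry: user=app; password=Tr0ub4dor -->",
    '  <add key="blob" value="' + "A" * 1100 + '" password="x" />',
    '  <identity impersonate="true" />',
    "</configuration>",
])

if __name__ == "__main__":
    for line_no, key, _value in find_hardcoded_credentials(SAMPLE_CONFIG):
        # Report the location and key only; never echo the secret itself.
        print(f"line {line_no}: hardcoded credential in '{key}'")
```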
Vulnerable code example
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- Vulnerable: hardcoded username and password stored in plaintext -->
  <identity
    userName="domain\admin"
    password="secretPassword123"
  />
</configuration>
✅ Secure code example
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Safe: uses Windows authentication instead of hardcoded credentials -->
    <identity impersonate="true" />
  </system.web>
  <!-- Safe: sensitive connection data is stored encrypted -->
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <!-- Connection strings will be encrypted by the aspnet_regiis tool -->
      ...
    </EncryptedData>
  </connectionStrings>
</configuration>