
Database

Config Files Connection String With Password Exposed

Description

Detects database connection strings with embedded passwords in configuration files. This poses a security risk as hardcoded credentials in config files can be accessed by unauthorized users and may be inadvertently exposed through version control systems.

Weakness:

009 - Sensitive information in source code

Category: Information Collection

Detection Strategy

    Check if file contains lines matching database connection string patterns

    Line must be less than 1000 characters to avoid false positives

    Line must contain connection string keywords along with password/credential information
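The three-step strategy above, written out as a small scanner (added example, not the rule's own implementation; the keyword lists, the placeholder patterns and the sample configuration are constructed here, and the sample reuses the vulnerable line from this page). Beyond the rule as stated, it also catches `scheme://user:password@host` URLs and skips values that only reference a secret (`${VAR}`, `%VAR%`), and it masks the captured password so findings can be reported without re-exposing it:

```python
import re

MAX_LINE_LENGTH = 1000  # step 2: lines at or above this length are skipped to limit false positives

# Step 1: the line must look like a database connection string (constructed keyword list).
CONNECTION_STRING = re.compile(
    r"connectionString|connectDB|dbalias|Data Source=|Server=|Host=|Initial Catalog=|Database="
    r"|jdbc:|mongodb(?:\+srv)?://|postgres(?:ql)?://|mysql://",
    re.IGNORECASE,
)
# Step 3a: a key=value credential on the same line (group 2 is the secret value).
KEYWORD_PASSWORD = re.compile(r"""\b(password|pwd|passwd)\s*=\s*([^;"'\s]+)""", re.IGNORECASE)
# Step 3b: credentials embedded in a URL, scheme://user:password@host (group 2 is the secret value).
URL_PASSWORD = re.compile(r"://([^/\s:@]+):([^@\s]+)@")
# Values that reference a secret kept elsewhere rather than containing one.
PLACEHOLDER = re.compile(r"\$\{[^}]*\}|%[^%]*%|\$\w+|<[^>]*>|\{\{[^}]*\}\}")


def _mask(line, match):
    """Replace the captured secret so a finding can be logged without re-exposing it."""
    return line[: match.start(2)] + "***" + line[match.end(2):]


def find_exposed_connection_strings(text):
    """Return one finding per line holding a connection string with an embedded password.

    Each finding is (line_number, kind, masked_line), where kind is "keyword" or "url".
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if len(line) >= MAX_LINE_LENGTH:          # step 2
            continue
        if not CONNECTION_STRING.search(line):   # step 1
            continue
        for kind, pattern in (("keyword", KEYWORD_PASSWORD), ("url", URL_PASSWORD)):
            m = pattern.search(line)             # step 3
            if m and not PLACEHOLDER.fullmatch(m.group(2)):
                findings.append((lineno, kind, _mask(line, m)))
                break
    return findings


# Constructed sample: line 4 is the vulnerable line from this page, line 5 uses a
# placeholder, line 6 has no password, line 10 carries the password inside a URL.
SAMPLE_CONFIG = """\
<?xml version='1.0' encoding='utf-8'?>
<configuration>
  <connectionStrings>
    <add name="ProductionDB" connectionString="connectDB=mainDB; uid=admin; password=secretPass123; dbalias=prodDB;" providerName="System.Data.Odbc" />
    <add name="ReportsDB" connectionString="Server=db.internal;Database=reports;User Id=reader;Password=${DB_PASSWORD};" />
    <add name="DevDB" connectionString="Server=localhost;Database=dev;Integrated Security=true;" />
  </connectionStrings>
  <connectionStrings configSource="connectionStrings.secrets.config" />
  <appSettings>
    <add key="MongoUrl" value="mongodb://app:s3cret@mongo.internal:27017/app" />
  </appSettings>
</configuration>
"""

if __name__ == "__main__":
    for lineno, kind, masked in find_exposed_connection_strings(SAMPLE_CONFIG):
        print(f"line {lineno} ({kind}): {masked.strip()}")
```

Only the ProductionDB line and the MongoDB URL are reported; the `${DB_PASSWORD}` reference and the integrated-security string are not, and the reported lines show `***` in place of the secret.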

Vulnerable code example

<?xml version='1.0' encoding='utf-8'?>
<configuration>
  <connectionStrings>
    <!-- Vulnerable: Hardcoded database credentials in plaintext -->
    <add name="ProductionDB" connectionString="connectDB=mainDB; uid=admin; password=secretPass123; dbalias=prodDB;" providerName="System.Data.Odbc" />
  </connectionStrings>
</configuration>

✅ Secure code example

<?xml version='1.0' encoding='utf-8'?>
<configuration>
  <!-- Store connection strings in separate config file outside of VCS -->
  <connectionStrings configSource="connectionStrings.secrets.config" />
</configuration>

<!-- connectionStrings.secrets.config file (stored securely outside source control): -->
<?xml version='1.0' encoding='utf-8'?>...