C Sharp Hardcoded Connection Password
Description
Detects hardcoded passwords in C# SQL Server connection strings that are passed to SqlConnection objects. This represents a security risk since credentials embedded directly in source code can be extracted and used to gain unauthorized database access.
Detection Strategy
• Identifies instantiations of SqlConnection objects in C# code
• Examines the first argument passed to the SqlConnection constructor (the connection string)
• Checks if the connection string contains hardcoded password credentials
• Reports a vulnerability if the password in the connection string is a literal string rather than retrieved from a secure configuration
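The strategy above, as an added illustration that is not Fluid Attacks' own rule implementation: a small scanner that locates SqlConnection constructor calls whose first argument is a string literal, parses the literal as a SQL Server connection string, and reports any non-empty Password or Pwd value. SAMPLE_CS is constructed C# input for the example; regex names and the function names are assumptions.

```python
import re

# Constructed C# source for the example: two literal passwords, one integrated-security
# string without a password, and one connection string read from configuration.
SAMPLE_CS = r'''
using System.Data.SqlClient;
class Program {
    static void Main() {
        var a = new SqlConnection("Data Source=myserver.com;User Id=admin;Password=secretpass123");
        var b = new SqlConnection(@"Server=db;Uid=app;Pwd=Hunter2;");
        var c = new SqlConnection("Server=db;Integrated Security=SSPI;");
        string connString = ConfigurationManager.ConnectionStrings["MyDbConnection"].ConnectionString;
        var d = new SqlConnection(connString);
    }
}
'''

# First argument of `new SqlConnection(...)` when it is a regular ("...") or verbatim (@"...") literal.
# A variable or method call as first argument does not match, so it is not reported.
SQLCONN_LITERAL = re.compile(r'new\s+SqlConnection\s*\(\s*@?"((?:[^"\\]|\\.|"")*)"')

# Key=Value pairs separated by ';' with optional single- or double-quoted values (which may contain ';').
KV_PATTERN = re.compile(r"""\s*([^=;]+?)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^;]*))\s*(?:;|$)""")

# Connection-string keys SQL Server accepts for the password ("Pwd" is the documented alias).
PASSWORD_KEYS = {"password", "pwd"}

def parse_connection_string(s: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict with lowercased keys and stripped values."""
    pairs = {}
    for m in KV_PATTERN.finditer(s):
        value = next(v for v in m.groups()[1:] if v is not None)
        pairs[m.group(1).lower()] = value.strip()
    return pairs

def find_hardcoded_passwords(source: str) -> list:
    """Return (line_number, key, value) for each SqlConnection literal carrying a password."""
    findings = []
    for m in SQLCONN_LITERAL.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        for key, value in parse_connection_string(m.group(1)).items():
            if key in PASSWORD_KEYS and value:  # an empty "Password=" carries no credential
                findings.append((line, key, value))
    return findings

if __name__ == "__main__":
    for line, key, value in find_hardcoded_passwords(SAMPLE_CS):
        print(f"line {line}: hardcoded {key}={value!r} passed to SqlConnection")
```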
Vulnerable code example
using System.Data.SqlClient;

class Program {
    static void Main() {
        // Vulnerable: hardcoded credentials in the connection string literal
        SqlConnection conn = new SqlConnection("Data Source=myserver.com;User Id=admin;Password=secretpass123");
        // Vulnerable: Alternative format still exposes credentials...
    }
}

Secure code example
using System.Data.SqlClient;
using System.Configuration;

class Program {
    static void Main() {
        // Safe: read the connection string from configuration (e.g. App.config), not from a literal in source
        string connString = ConfigurationManager.ConnectionStrings["MyDbConnection"].ConnectionString;
        SqlConnection conn = new SqlConnection(connString);
    }
}