Java Hardcoded Password In Setpassword

Description

Detects hardcoded passwords in JSch (Java Secure Channel) configurations where passwords are directly specified in code using setPassword() method. This represents a security risk since hardcoded credentials can be extracted from source code or compiled applications, potentially leading to unauthorized system access.

Weakness:

359 - Sensitive information in source code - Credentials

Category: Information Collection

Detection Strategy

• Check if the com.jcraft.jsch library is imported in the Java file

• Look for calls to setPassword() method on JSch-related objects

• Verify if the password parameter passed to setPassword() is a hardcoded string literal

• Report a vulnerability if a JSch object uses setPassword() with a hardcoded string value

Vulnerable code example

import com.jcraft.jsch.JSch;
import com.jcraft.jsch.Session;

public class VulnerableExample {
    public void connectSftp() {
        String hardcodedPass = "secret123";
        JSch jsch = new JSch();
        Session session = jsch.getSession("admin", "example.com", 22);...

✅ Secure code example

import com.jcraft.jsch.JSch;
import com.jcraft.jsch.Session;

public class SecureExample {
    public void connectSftp() {
        String configPassword = System.getenv("SFTP_PASSWORD"); // Get password from environment variable
        
        JSch jsch = new JSch();...

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.