C Sharp Hardcoded Password In Connection String
Description
Detects hardcoded passwords in SQL Server connection strings within C# applications. When credentials are embedded directly in code rather than stored securely in configuration files or environment variables, they can be exposed through source code access, creating significant security risks.
Detection Strategy
• Identifies calls to the 'UseSqlServer' method in C# code
• Examines the connection string parameter passed to UseSqlServer
• Checks if the connection string contains a hardcoded password value
• Reports a vulnerability if a plaintext password is found within the connection string
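To make the four detection steps concrete, the following Python scanner is an added example (not Fluid Attacks' own rule engine) that applies them to constructed C# snippets: it locates UseSqlServer calls, reassembles the connection string when the argument is built only from string literals, and flags a non-empty Password/Pwd value. An argument that references a variable, such as one loaded with Environment.GetEnvironmentVariable as in the secure example, is not a literal and is skipped. The snippets, the AppDb type and the credential values in them are constructed.

```python
import re

# Constructed C# snippets (not from the original page) used as scanner input.
VULNERABLE = '''
services.AddDbContext<AppDb>(o =>
    o.UseSqlServer("Server=db1.example.com;Database=prod;User Id=admin;Password=secretPass123"));
'''
CONCAT = '''
o.UseSqlServer("Server=db1;Database=prod;User Id=app;" + "Pwd=" + "hunter2");
'''
SAFE_ENV = '''
var pwd = Environment.GetEnvironmentVariable("DB_PASSWORD");
o.UseSqlServer("Server=db1;Database=prod;User Id=app;Password=" + pwd);
'''
SAFE_INTEGRATED = '''
o.UseSqlServer("Server=db1;Database=prod;Integrated Security=true");
'''

# Step 1: a UseSqlServer(...) call; the argument runs to the closing paren.
_CALL = re.compile(r'UseSqlServer\s*\((.*?)\)\s*[;)]', re.S)
# A C# string literal with backslash escapes.
_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')
# "Pwd" is the SQL Server connection-string synonym for "Password".
_PASSWORD_KEYS = {"password", "pwd"}

def literal_connection_string(arg: str):
    """Step 2: join the literal pieces of the argument. Returns None when the
    argument contains anything other than string literals and '+', e.g. a
    variable reference, so a value supplied at runtime is never treated as
    hardcoded (a literal assigned to that variable elsewhere is out of scope)."""
    leftover = _STRING.sub("", arg).replace("+", "").strip()
    if leftover:
        return None
    return "".join(_STRING.findall(arg))

def parse_conn_string(conn: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = {}
    for part in conn.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs

def find_hardcoded_passwords(source: str) -> list:
    """Steps 3 and 4: return the plaintext password values found in
    UseSqlServer connection strings; an empty Password= is not reported."""
    findings = []
    for match in _CALL.finditer(source):
        conn = literal_connection_string(match.group(1))
        if conn is None:
            continue
        for key, value in parse_conn_string(conn).items():
            if key in _PASSWORD_KEYS and value:
                findings.append(value)
    return findings
```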
Vulnerable code example

```csharp
using System;

public class DatabaseConfig
{
    public void setupConnection()
    {
        // Insecure: Hardcoded credentials in connection string
        string connStr = "Server=db1.example.com;Database=prod;User Id=admin;Password=secretPass123";
        // Insecure: Concatenating hardcoded password into connection string...
    }
}
```

Secure code example

```csharp
using System;

public class DatabaseConfig
{
    public void setupConnection()
    {
        // Secure: Load credentials from environment variables or configuration
        string password = Environment.GetEnvironmentVariable("DB_PASSWORD");
        string userId = Environment.GetEnvironmentVariable("DB_USER");
        // ...
    }
}
```