Java Hardcoded AWS Or JWT Token
Description
Detects hardcoded AWS credentials or JWT tokens in Java source code that could lead to credential exposure. This represents a security risk as embedded credentials can be extracted from the source code or compiled artifacts, potentially leading to unauthorized access to AWS services or JWT-protected resources.
Detection Strategy
• Scans Java source code files for string literals or variable assignments containing AWS credentials or JWT tokens
• Excludes test files by checking for JUnit test annotations (org.junit.jupiter.api.Test)
• Looks for common credential patterns such as AWS access keys (20-character alphanumeric strings) and JWT tokens (base64-encoded strings with the typical JWT structure)
• Reports a vulnerability when credentials are found in non-test production code
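The strategy above, as an added illustration (not Fluid Attacks' own scanner code): a small Python detector that applies the two literal patterns to Java source and skips files that import the JUnit test annotation. The sample sources are constructed here; restricting the access key pattern to the AKIA/ASIA prefixes is my assumption, used to cut false positives from arbitrary 20-character strings.

```python
import re

# Constructed sample files (not from the page): one production class, one JUnit test.
PROD_SOURCE = '''
import com.amazonaws.auth.BasicAWSCredentials;
public class CredentialsExample {
    public void configureAWS() {
        new BasicAWSCredentials("AKIAIOCMG56TISNLV69H", "secretKey123");
        String token = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.abc_DEF-123";
    }
}
'''
TEST_SOURCE = '''
import org.junit.jupiter.api.Test;
public class CredentialsExampleTest {
    @Test
    void usesFixture() { String k = "AKIAIOCMG56TISNLV69H"; }
}
'''

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for long-term keys,
# ASIA for temporary ones) followed by 16 uppercase alphanumerics. Prefix check is an assumption.
AWS_ACCESS_KEY = re.compile(r'"(?:AKIA|ASIA)[A-Z0-9]{16}"')
# A JWT is three base64url segments joined by dots; the header segment starts with "eyJ"
# because that is how '{"' encodes in base64.
JWT_TOKEN = re.compile(r'"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"')
JUNIT_TEST_IMPORT = "org.junit.jupiter.api.Test"


def is_test_file(source: str) -> bool:
    """Mirror the rule's exclusion: anything importing the JUnit 5 Test annotation is a test."""
    return JUNIT_TEST_IMPORT in source


def find_hardcoded_tokens(source: str) -> list:
    """Return (line_number, kind) for each hardcoded AWS key or JWT in non-test Java source."""
    if is_test_file(source):
        return []
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if AWS_ACCESS_KEY.search(line):
            findings.append((lineno, "aws_access_key"))
        if JWT_TOKEN.search(line):
            findings.append((lineno, "jwt_token"))
    return findings
```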
Vulnerable code example
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;

public class CredentialsExample {
    public void configureAWS() {
        // Vulnerable: a hardcoded AWS access key and secret should never be in source code
        AWSStaticCredentialsProvider credentials = new AWSStaticCredentialsProvider(
            new BasicAWSCredentials("AKIAIOCMG56TISNLV69H", "secretKey123"));
    }
}

Secure code example
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.auth.AWSCredentialsProvider;

public class CredentialsExample {
    public void configureAWS() {
        // Safe: uses the AWS default credential provider chain (environment, profile,
        // instance or container role) instead of hardcoded credentials
        AWSCredentialsProvider credentials = DefaultAWSCredentialsProviderChain.getInstance();
    }
}