Scala Play Plaintext Storage Sensitive Data
Description
Identifies cases in which sensitive data is stored in plaintext through database operations in Scala applications built on the Play Framework. This is a security risk because storing sensitive information without encryption (or, for passwords, without one-way hashing) leaves it exposed to unauthorized access if the database is compromised.
Detection Strategy
• Application uses Play Framework (imports from play.api.mvc or play.api)
• Code contains database operations (using common database libraries/imports)
• Sensitive data is stored using either:
  - Direct string-setting calls on database fields (for example, setString on a prepared statement)
  - Anorm on(...) parameter clauses for database operations
• Code lacks encryption or protection mechanisms for the stored data
Vulnerable code example
import java.sql.Connection
import play.api.mvc._

object UserController {
  def createUser(request: Request[AnyContent], conn: Connection): Unit = {
    val password = request.getQueryString("password").getOrElse("") // Source: unsecured password from the query string
    val stmt = conn.prepareStatement("INSERT INTO users (password) VALUES (?)")
    stmt.setString(1, password) // Vulnerability: storing the raw password without hashing
    stmt.executeUpdate()
    stmt.close()
  }
}

✅ Secure code example
import java.sql.Connection
import play.api.mvc._
import org.mindrot.jbcrypt.BCrypt // Added BCrypt for password hashing

object UserController {
  def createUser(request: Request[AnyContent], conn: Connection): Unit = {
    val password = request.getQueryString("password").getOrElse("")
    val hashedPassword = BCrypt.hashpw(password, BCrypt.gensalt()) // Hash the password before storage
    val stmt = conn.prepareStatement("INSERT INTO users (password) VALUES (?)")
    stmt.setString(1, hashedPassword) // Only the bcrypt hash reaches the database
    stmt.executeUpdate()
    stmt.close()
  }
}