Json Connection String Client Secret Exposed
Description
Detects exposed sensitive information in JSON-like structures, specifically targeting connection strings and client secrets. This vulnerability could lead to unauthorized access to systems and services if credentials or connection information are exposed in code or configuration files.
Detection Strategy
• Look for JSON or dictionary structures in code and configuration files
• Examine key-value pairs within these structures
• Check if keys contain terms related to sensitive information (like 'connection', 'secret', 'password')
• Verify that the corresponding values hold actual sensitive data (a real connection string or client secret) rather than a reference to where the value is loaded from
• Report a vulnerability if both key patterns and sensitive values are found
Vulnerable code example
{
  "ConnectionStrings": {
    "Database": "Server=dbserver;Database=proddb;User ID=admin;Password=secretPass123" // Vulnerable: Hardcoded credentials in plain text
  },
  "ApiKeys": {
    "ClientSecret": "8f4h2j~kdl9$mK1p" // Vulnerable: Hardcoded API secret exposed
  }
}
✅ Secure code example
{
  "ConnectionStrings": {
    "Database": { "from_env": "DB_CONNECTION_STRING" } // Secure: Load connection string from environment variable
  },
  "ApiKeys": {
    "ClientSecret": { "from_env": "API_CLIENT_SECRET" } // Secure: Load API secret from environment variable
  }
}
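The detection strategy above, implemented as an added example (not Fluid Attacks' own scanner): it walks a parsed JSON document, matches key paths against sensitive terms, and flags only values that look like real secret data, treating a {"from_env": ...} object as indirection rather than exposure. The key terms, the entropy threshold and the "from_env" convention are assumptions chosen to fit the two examples on this page.

```python
import json
import math
import re
from collections import Counter

# Key-path fragments that suggest a credential or connection string (the page's key patterns).
SENSITIVE_KEY = re.compile(r"connection|secret|password|passwd|pwd|api.?key|token", re.I)
# A connection string carrying an inline credential, e.g. "...;Password=secretPass123".
CONN_STRING = re.compile(r"\b(password|pwd)\s*=\s*[^;]+", re.I)
# Keys that only name where a secret is loaded from (assumed convention, matching the page's
# secure example); an object using them is indirection, not exposure.
INDIRECTION_KEYS = {"from_env"}


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking tokens score high, words and placeholders score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_secret(value: str) -> bool:
    """Flag credential-bearing connection strings and long, high-entropy strings."""
    if CONN_STRING.search(value):
        return True
    return len(value) >= 12 and shannon_entropy(value) >= 3.0  # threshold is an assumption


def find_exposed_secrets(node, path="$"):
    """Return paths of key/value pairs whose path matches a sensitive term AND whose value looks secret."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            sensitive = SENSITIVE_KEY.search(child) is not None
            if sensitive and isinstance(value, str) and looks_like_secret(value):
                findings.append(child)
            elif sensitive and isinstance(value, dict) and set(value) & INDIRECTION_KEYS:
                continue  # {"from_env": "..."}: the secret itself is not in the file
            else:
                findings.extend(find_exposed_secrets(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_exposed_secrets(item, f"{path}[{i}]"))
    return findings


# Constructed sample inputs: the page's two examples with their comments removed.
VULNERABLE = json.loads('{"ConnectionStrings": {"Database": "Server=dbserver;Database=proddb;'
                        'User ID=admin;Password=secretPass123"}, "ApiKeys": {"ClientSecret": "8f4h2j~kdl9$mK1p"}}')
SECURE = json.loads('{"ConnectionStrings": {"Database": {"from_env": "DB_CONNECTION_STRING"}},'
                    ' "ApiKeys": {"ClientSecret": {"from_env": "API_CLIENT_SECRET"}}}')
```

Short placeholders such as "changeme" fall below the length and entropy thresholds, so a value-only heuristic like this one misses them and should be paired with a placeholder denylist in practice.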