Json Exposed Password And Client Ids
Description
Detects sensitive information such as passwords, client secrets and client IDs exposed in .NET configuration files (for example appsettings.json). When credentials or secret keys are stored as literal values in JSON configuration, anyone who can read the file, a backup of it, or the source-control history it was committed to obtains the credential, and rotating it requires a code change rather than a deployment setting.
Detection Strategy
• Check configuration files for key names containing sensitive terms such as 'password', 'secret', 'token', 'api_key' or 'client_id', matching case-insensitively ('ClientSecret', 'DbPassword')
• Look for plain-text credential values stored directly as the value of those keys, including inside nested sections and arrays
• Walk the JSON structure key by key so that hierarchical keys such as OutlookServices:Password are reported with their full path
• Flag configurations whose credentials are literal strings rather than empty values, placeholders, or references resolved at runtime from environment variables, user secrets or a secret manager
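The detection strategy above, carried out as an added worked example (this is illustrative code written for this page, not Fluid Attacks' detector). It strips the // and /* */ comments that .NET's JSON configuration provider accepts but Python's json module rejects, walks the parsed tree, and reports every sensitive key whose value is a literal string. The list of sensitive key terms and the placeholder patterns it ignores (empty strings, ${VAR} and %VAR% references, Azure Key Vault references) are assumptions chosen for the example; the two appsettings documents are constructed sample input.

```python
import json
import re

# Assumed list of key-name fragments that indicate a credential. Matched as
# case-insensitive substrings, so "ClientSecret", "api_token" and "DbPassword" all hit.
SENSITIVE_KEY_TERMS = (
    "password", "passwd", "pwd", "secret", "token",
    "client_id", "clientid", "apikey", "api_key", "connectionstring",
)

# Assumed set of value shapes that are references, not literals, and so are not flagged.
PLACEHOLDER_PATTERNS = (
    re.compile(r"^\s*$"),                               # empty: value injected at runtime
    re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$"),      # ${ENV_VAR}
    re.compile(r"^%[A-Za-z_][A-Za-z0-9_]*%$"),          # %ENV_VAR%
    re.compile(r"^@Microsoft\.KeyVault\(", re.IGNORECASE),  # Azure Key Vault reference
)


def strip_json_comments(text: str) -> str:
    """Remove // and /* */ comments while leaving string contents untouched.

    .NET's JSON configuration provider accepts comments; Python's json module does not,
    so appsettings files must be cleaned before parsing. A '//' inside a quoted string
    (for example in a URL) is preserved because the scanner tracks string state.
    """
    out = []
    i, n = 0, len(text)
    in_string = False
    while i < n:
        ch = text[i]
        if in_string:
            out.append(ch)
            if ch == "\\" and i + 1 < n:        # copy the escaped character verbatim
                out.append(text[i + 1])
                i += 1
            elif ch == '"':
                in_string = False
            i += 1
        elif ch == '"':
            in_string = True
            out.append(ch)
            i += 1
        elif text.startswith("//", i):           # line comment: drop up to the newline
            end = text.find("\n", i)
            i = n if end == -1 else end
        elif text.startswith("/*", i):           # block comment: drop through the closer
            end = text.find("*/", i + 2)
            i = n if end == -1 else end + 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def is_sensitive_key(key: str) -> bool:
    lowered = key.lower()
    return any(term in lowered for term in SENSITIVE_KEY_TERMS)


def is_placeholder(value: str) -> bool:
    return any(pattern.match(value) for pattern in PLACEHOLDER_PATTERNS)


def find_exposed_credentials(node, path=""):
    """Return [(hierarchical_key, value)] for sensitive keys holding literal strings.

    Paths use the .NET 'Section:Key' form so a finding maps directly onto the
    configuration key an environment variable (Section__Key) would override.
    Only string literals are reported; nested sections are descended, not flagged.
    """
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}:{key}" if path else key
            if isinstance(value, (dict, list)):
                findings.extend(find_exposed_credentials(value, child))
            elif is_sensitive_key(key) and isinstance(value, str) and not is_placeholder(value):
                findings.append((child, value))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings.extend(find_exposed_credentials(item, f"{path}:{index}"))
    return findings


def scan_appsettings(text: str):
    return find_exposed_credentials(json.loads(strip_json_comments(text)))


# Constructed sample input: a file with hard-coded credentials ...
VULNERABLE_APPSETTINGS = """
{
  "OutlookServices": {
    "Email": "admin@example.com",
    "Password": "secretPass123" // hard-coded credential
  },
  "Auth": { "ClientId": "0a1b2c3d", "ClientSecret": "s3cr3t-value" }
}
"""

# ... and the same file with every credential externalized.
SECURE_APPSETTINGS = """
{
  "OutlookServices": {
    "Email": "admin@example.com" /* Password supplied via OutlookServices__Password */
  },
  "Auth": { "ClientId": "${AUTH_CLIENT_ID}", "ClientSecret": "${AUTH_CLIENT_SECRET}" },
  "Db": { "DbPassword": "@Microsoft.KeyVault(SecretUri=https://example.vault.azure.net/secrets/db)" }
}
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_APPSETTINGS), ("secure", SECURE_APPSETTINGS)):
        findings = scan_appsettings(text)
        print(f"{label}: {len(findings)} finding(s)")
        for key, value in findings:
            print(f"  {key} = {value!r}")
```

Run against the two constructed documents, the scanner reports OutlookServices:Password, Auth:ClientId and Auth:ClientSecret for the first and nothing for the second. Reporting the .NET hierarchical key rather than a line number is deliberate: the remediation for each finding is to supply that exact key from the environment or a secret store.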
Vulnerable code example
{
  "OutlookServices": {
    "Email": "admin@example.com",
    "Password": "secretPass123" // Vulnerable: hard-coded credential exposed in configuration
  }
}
✅ Secure code example
{
  "OutlookServices": {
    "Email": "admin@example.com"
    // Secure: the Password key is intentionally absent from the committed file. The value is
    // supplied at runtime as the environment variable OutlookServices__Password, which .NET's
    // environment-variables configuration provider binds to the key OutlookServices:Password
    // (the double underscore is the hierarchical separator). For local development,
    // `dotnet user-secrets set "OutlookServices:Password" "<value>"` keeps it outside the repository.
  }
}