How to resolve CWE-259: Use of Hard-coded Password?

user1782009 · Apr 14, 2013 · Viewed 11.6k times

I submitted my application EAR to Veracode Security scanning tool and got this flaw in the below piece of code :

private String url = "jdbc:mysql://localhost:8081/sql";
private String userName = "xyz";
private String password = "abc"; // hard-coded credential in source
DriverManager.getConnection(url, userName, password); // At this line I am getting this flaw.

Someone please help me on how to resolve CWE-259: Use of Hard-coded Password Flaw.

Answer

patopop007 · Apr 14, 2013

The reason you are getting the hard-coded password flaw is because in line three of your snippet you are hard-coding your password in a variable. This is because you are storing sensitive information (username and password) in the source code, which is a flaw because your source can be decompiled.

One way to fix this flaw is to store the credentials in a strongly encrypted file, or apply strong one-way hashes to the credentials and store those hashes in a configuration file.

You can get more information here: http://cwe.mitre.org/data/definitions/259.html
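As an added example (not code from the question or the answer above), the following class shows the usual way to take the credentials out of the compiled code: read the JDBC URL, user and password from the environment or from a properties file that lives outside the source tree and is excluded from version control. The JDBC driver needs the real password to authenticate, so what is stored externally is the secret itself, protected by file permissions or the deployment platform's secret store rather than by hashing. The environment variable names (DB_URL, DB_USER, DB_PASSWORD), the system property db.config and the property keys are assumptions made for this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

/**
 * Resolves database credentials at runtime instead of compiling them in.
 * Lookup order: environment variables, then a properties file named by the
 * "db.config" system property (both names are assumptions for this example).
 */
public final class DbCredentials {

    // Assumed environment variable names.
    private static final String ENV_URL = "DB_URL";
    private static final String ENV_USER = "DB_USER";
    private static final String ENV_PASSWORD = "DB_PASSWORD";

    // Assumed system property pointing at a config file outside the source tree,
    // e.g. -Ddb.config=/etc/myapp/db.properties
    private static final String CONFIG_PROPERTY = "db.config";

    private DbCredentials() {
    }

    /** Loads credentials from the environment, falling back to the config file. */
    static Properties load() throws IOException {
        Properties props = new Properties();
        String url = System.getenv(ENV_URL);
        String user = System.getenv(ENV_USER);
        String password = System.getenv(ENV_PASSWORD);

        if (url != null && user != null && password != null) {
            props.setProperty("db.url", url);
            props.setProperty("db.user", user);
            props.setProperty("db.password", password);
            return props;
        }

        String configPath = System.getProperty(CONFIG_PROPERTY);
        if (configPath == null) {
            throw new IllegalStateException("No database credentials: set " + ENV_URL + ", "
                    + ENV_USER + " and " + ENV_PASSWORD + ", or -D" + CONFIG_PROPERTY + "=<file>");
        }
        Path file = Paths.get(configPath);
        try (InputStream in = Files.newInputStream(file)) {
            props.load(in);
        }
        return props;
    }

    /** Returns a required property, failing fast without echoing secret values. */
    static String require(Properties props, String key) {
        String value = props.getProperty(key);
        if (value == null || value.trim().isEmpty()) {
            throw new IllegalStateException("Missing required configuration key: " + key);
        }
        return value;
    }

    /** Opens a connection using externally supplied credentials. */
    public static Connection connect() throws SQLException, IOException {
        Properties props = load();
        String url = require(props, "db.url");
        String user = require(props, "db.user");
        String password = require(props, "db.password");

        // The secret reaches the driver only via a runtime Properties object;
        // nothing about it is present in the compiled class.
        Properties info = new Properties();
        info.setProperty("user", user);
        info.setProperty("password", password);
        return DriverManager.getConnection(url, info);
    }

    public static void main(String[] args) throws Exception {
        try (Connection c = connect()) {
            System.out.println("Connected: " + !c.isClosed());
        }
    }
}
```

Keep the properties file readable only by the account the application runs as (for example mode 0600 on Unix), and add it to .gitignore so it is never committed alongside the code the scanner inspects.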