View Source

Hardcoding sensitive information, such as passwords, is an extremely dangerous practice. Doing so can have many ominous effects:

The sensitive information can become accessible to whoever has access to the source code, for example, the developers.

Once the system goes into production mode, it can become unwieldy to manage and accommodate changes to the code. For instance, a change in password may need to be communicated using a patch \[[Chess 07|AA. Java References#Chess 07]\].

In certain cases, it can also violate the fundamental principle of wiping out sensitive information from memory, as soon as the required operation has concluded. A carefully administered heap dump or application monitoring through a JVM debugger can expose the sensitive information if it persists over an extended period of time.
Malicious users may use decompilation techniques to resurrect the hardcoded sensitive information. This is a critical security vulnerability.

Noncompliant Code Example

This noncompliant code example uses a password field instantiated as a String.

class Hardcoded {
  String password = new String("guest");
  public static void main(String[] args) {
    //..
 }
}

Notably, when the password is no longer required, it is free to be garbage collected. This is because String objects are immutable and continue to persist even after they are dereferenced, until the garbage collector performs its job.

Secondly, a malicious user can use the javap -c Hardcoded command to disassemble the class and uncover the hardcoded password. The output of the disassembler as shown below, reveals the password guest in cleartext.

Compiled from "Hardcoded.java"
class Hardcoded extends java.lang.Object{
java.lang.String password;

Hardcoded();
  Code:
   0:	aload_0
   1:	invokespecial	#1; //Method java/lang/Object."<init>":()V
   4:	aload_0
   5:	new	#2; //class java/lang/String
   8:	dup
   9:	ldc	#3; //String guest
   11:	invokespecial	#4; //Method java/lang/String."<init>":(Ljava/lang/String;)V
   14:	putfield	#5; //Field password:Ljava/lang/String;
   17:	return

public static void main(java.lang.String[]);
  Code:
   0:	return

}

Compliant Solution

This compliant solution uses a char array to store the password after it is retrieved from an external file. The password is immediately cleared out after use. This limits the exposure time.

class Password {
  public static void main(String[] args) throws IOException {
    char[] password = new char[100];	
    BufferedReader br = new BufferedReader(new InputStreamReader(
      new FileInputStream("password.txt")));

    // reads the password into the char array, returns the number of bytes read 
    int n = br.read(password);  
    // decrypt password, perform operations
    for(int i= n - 1;i >= 0;i--)  // manually clear out the password immediately after use 
      password[i] = 0;	 
    br.close();
    }
}

Risk Assessment

Hardcoding sensitive information allows a malicious user to glean the information.

Rule	Severity	Likelihood	Remediation Cost	Priority	Level
MSC31- J	high	probable	medium	P12	L1

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

This rule appears in the C Secure Coding Standard as MSC18-C. Be careful while handling sensitive data, such as passwords, in program code

References

\[[Gong 03|AA. Java References#Gong 03]\] 9.4 Private Object State and Object Immutability
\[[Chess 07|AA. Java References#Chess 07]\] 11.2 Outbound Passwords: Keep Passwords out of Source Code
\[[MITRE 09|AA. Java References#MITRE 09]\] [CWE ID 259|http://cwe.mitre.org/data/definitions/259.html] "Hard-Coded Password"

MSC30-J. Generate truly random numbers 49. Miscellaneous (MSC) MSC32-J. Prevent OS Command Injection