ASP.NET Misconfiguration: Password in Configuration File| ID: 13 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Variant |
Description
Storing a plaintext password in a configuration file allows
anyone who can read the file access to the password-protected resource making
them an easy target for attackers.
Applicable PlatformsNone
Time Of Introduction
- Architecture and Design
- Implementation
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Access_Control | Gain privileges / assume
identity | |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| | | Good password management guidelines require that a password never be
stored in plaintext. | | |
| Implementation | | credentials stored in configuration files should be encrypted. | | |
| Implementation | | Use standard APIs and industry accepted algorithms to encrypt the
credentials stored in configuration files. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-13 ChildOf CWE-895 | Category | CWE-888 | |
Demonstrative Examples (Details)
- The following connectionString has clear text
credentials.
- The following example shows a portion of a configuration file for an
ASP.Net application. This configuration file includes username and password
information for a connection to a database but the pair is stored in
plaintext. (Demonstrative Example Id DX-43)
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| 7 Pernicious Kingdoms | | ASP.NET Misconfiguration: Password in Configuration
File | |
References:
- Microsoft Corporation .How To: Encrypt Configuration Sections in ASP.NET 2.0 Using
DPAPI.
- Microsoft Corporation .How To: Encrypt Configuration Sections in ASP.NET 2.0 Using
RSA.
- Microsoft Corporation ..NET Framework Developer's Guide - Securing Connection
Strings.
