Abstract:
Hardcoded password 可能会危及系统安全性,并且无法轻易修正出现的安全问题。
Explanation:
使用硬编码方式处理密码绝非好方法。这不仅是因为所有项目开发人员都可以使用通过硬编码方式处理的密码,而且还会使解决这一问题变得极其困难。一旦代码投入使用,除非对软件进行修补,否则您再也不能改变密码了。如果帐户中的密码保护减弱,系统所有者将*在安全性和可行性之间做出选择。
示例:以下代码使用 hardcoded password 来连接应用程序和检索地址簿条目:
...
obj = new XMLHttpRequest(); obj.open('GET','/fetchusers.jsp?id='+form.id.value,'true','scott','tiger');
...
该代码会正常运行,但是任何能够访问其中所包含的网页的人都能得到这个密码。
Instance ID: 847A3E3204A25FCA6A424B6AB801BC03
Priority Metadata Values:
IMPACT: 4.0
LIKELIHOOD: 3.2
Legacy Priority Metadata Values:
SEVERITY: 4.0
CONFIDENCE: 5.0
Remediation Effort: 3.0
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Recommendations:
绝不能对密码进行硬编码。通常情况下,应对密码加以模糊化,并在外部资源文件中进行管理。如果将密码以明文形式存储在网站中任意位置,会造成任何有充分权限的人读取和无意中误用密码。对于需要输入密码的 JavaScript 引用,最好在连接时就提示用户输入密码。
Tips:
1. 避免在源代码中对密码进行硬编码,还要避免使用默认密码。如果 hardcoded password 处于缺省状态,则需要修改密码,使其不出现在源代码中。
2. 识别 null password、empty password 和 hardcoded password 时,默认规则只会考虑包含 password 字符的字段和变量。但是,HPE Security Fortify Custom Rules Editor(HPE Security Fortify 自定义规则编辑器)会提供 Password Management 向导,让您轻松创建能够从自定义名称的字段和变量中检测出 password management 问题的规则。
References:
[1] Standards Mapping - Common Weakness Enumeration, CWE ID 259, CWE ID 798
[2] Standards Mapping - FIPS200, IA
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4, SC-28 Protection of Information at Rest (P1)
[4] Standards Mapping - OWASP Mobile Top 10 Risks 2014, M2 Insecure Data Storage
[5] Standards Mapping - OWASP Top 10 2004, A8 Insecure Storage
[6] Standards Mapping - OWASP Top 10 2007, A8 Insecure Cryptographic Storage
[7] Standards Mapping - OWASP Top 10 2010, A7 Insecure Cryptographic Storage
[8] Standards Mapping - OWASP Top 10 2013, A6 Sensitive Data Exposure
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1, Requirement 6.5.8, Requirement 8.4
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2, Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0, Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0, Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1, Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2, Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[15] Standards Mapping - SANS Top 25 2009, Porous Defenses - CWE ID 259
[16] Standards Mapping - SANS Top 25 2010, Porous Defenses - CWE ID 798
[17] Standards Mapping - SANS Top 25 2011, Porous Defenses - CWE ID 798
[18] Standards Mapping - Security Technical Implementation Guide Version 3.1, APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.10, APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.4, APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.5, APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.6, APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.7, APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.9, APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 4.1, APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[26] Standards Mapping - Web Application Security Consortium 24 + 2, Insufficient Authentication
[27] Standards Mapping - Web Application Security Consortium Version 2.00, Insufficient Authentication (WASC-01)