SqlClientPermission object, which regulates how users are allowed to connect to a database. In this example, the program passes false as the second parameter to the constructor, which controls whether users are allowed to connect with blank passwords. Passing false to this parameter indicates that blank passwords should not be allowed.
...
SCP = new SqlClientPermission(pstate, false);
...
PermissionState object passed as the first parameter supersedes any value passed to the second parameter, the constructor allows blank passwords for database connections, which contradicts the second argument. To disallow blank passwords, the program should pass PermissionState.None to the first parameter of the constructor. Because of the ambiguity in its functionality, the two-parameter version of the SqlClientPermission constructor has been deprecated in favor of the single parameter version, which conveys the same degree of information without the risk of misinterpretation.
getpw() to verify that a plain text password matches a user's encrypted password. If the password is valid, the function sets result to 1; otherwise it is set to 0.
...
getpw(uid, pwdline);
for (i=0; i<3; i++){
cryptpw=strtok(pwdline, ":");
pwdline=0;
}
result = strcmp(crypt(plainpw,cryptpw), cryptpw) == 0;
...
getpw() function can be problematic from a security standpoint, because it can overflow the buffer passed to its second parameter. Because of this vulnerability, getpw() has been supplanted by getpwuid(), which performs the same lookup as getpw() but returns a pointer to a statically-allocated structure to mitigate the risk.
...
String name = new String(nameBytes, highByte);
...
nameBytes. Due to the evolution of the charsets used to encode strings, this constructor was deprecated and replaced by a constructor that accepts as one of its parameters the name of the charset used to encode the bytes for conversion.
Digest::HMAC stdlib, the use of which is explicitly discouraged in the documentation because it was accidentally included in a release.
require 'digest/hmac'
hmac = Digest::HMAC.new("foo", Digest::RMD160)
...
hmac.update(buf)
...
Digest::HMAC class was deprecated immediately because it was accidentally included in a release. Because this experimental and not properly tested code might not work as expected, its use is highly discouraged, especially considering the role HMACs play in cryptographic functionality.
block.blockhash(), which has been deprecated since version 0.5.0 of the Solidity compiler.
bytes32 blockhash = block.blockhash(0);
checkCallingOrSelfPermission() or checkCallingOrSelfUriPermission() determine whether the calling program has the required permission to access a certain service or a given URI. However, these functions should be used with care because they can grant access to malicious applications that lack the appropriate permissions by letting them assume your application's permissions.
IPAddress hostIPAddress = IPAddress.Parse(RemoteIpAddress);
IPHostEntry hostInfo = Dns.GetHostByAddress(hostIPAddress);
if (hostInfo.HostName.EndsWith("trustme.com")) {
trusted = true;
}
getlogin() function is easy to spoof. Do not rely on the name it returns.
getlogin() function is supposed to return a string containing the name of the user currently logged in at the terminal, but an attacker may cause getlogin() to return the name of any user logged in to the machine. Do not rely on the name returned by getlogin() when making security decisions.
getlogin() to determine whether or not a user is trusted. It is easily subverted.
pwd = getpwnam(getlogin());
if (isTrustedGroup(pwd->pw_gid)) {
allow();
} else {
deny();
}
String ip = request.getRemoteAddr();
InetAddress addr = InetAddress.getByName(ip);
if (addr.getCanonicalHostName().endsWith("trustme.com")) {
trusted = true;
}
Boolean.getBoolean() is often confused with Boolean.valueOf() or Boolean.parseBoolean() method calls.
Boolean.getBoolean() is often misused as it is assumed to return the boolean value represented by the specified string argument. However, as stated in the Javadoc Boolean.getBoolean(String) method "Returns true if and only if the system property named by the argument exists and is equal to the string 'true'."
Boolean.valueOf(String) or Boolean.parseBoolean(String) method.
Boolean.getBoolean(String) does not translate a String primitive. It only translates a system property.
...
String isValid = "true";
if ( Boolean.getBoolean(isValid) ) {
System.out.println("TRUE");
}
else {
System.out.println("FALSE");
}
...
GetChars method in Decoder & Encoding classes and the GetBytes method in Encoder & Encoding classes in the .NET Framework internally performs pointer arithmetic on the char & byte arrays to convert a range of characters into a range of bytes and vice versa.
out.println("x = " + encoder.encodeForJavaScript(input) + ";");
...
unichar ellipsis = 0x2026;
NSString *myString = [NSString stringWithFormat:@"My Test String%C", ellipsis];
NSData *asciiData = [myString dataUsingEncoding:NSASCIIStringEncoding allowLossyConversion:YES];
NSString *asciiString = [[NSString alloc] initWithData:asciiData encoding:NSASCIIStringEncoding];
NSLog(@"Original: %@ (length %d)", myString, [myString length]);
NSLog(@"Best-fit-mapped: %@ (length %d)", asciiString, [asciiString length]);
// output:
// Original: My Test String... (length 15)
// Best-fit-mapped: My Test String... (length 17)
...
...
let ellipsis = 0x2026;
let myString = NSString(format:"My Test String %C", ellipsis)
let asciiData = myString.dataUsingEncoding(NSASCIIStringEncoding, allowLossyConversion:true)
let asciiString = NSString(data:asciiData!, encoding:NSASCIIStringEncoding)
NSLog("Original: %@ (length %d)", myString, myString.length)
NSLog("Best-fit-mapped: %@ (length %d)", asciiString!, asciiString!.length)
// output:
// Original: My Test String ... (length 16)
// Best-fit-mapped: My Test String ... (length 18)
...
MAX_PATH bytes in length, but you should check the documentation for each function individually. If the buffer is not large enough to store the result of the manipulation, a buffer overflow can occur.
char *createOutputDirectory(char *name) {
    /* 128 bytes is smaller than MAX_PATH, which the path functions below assume */
    char outputDirectoryName[128];
    if (GetCurrentDirectory(128, outputDirectoryName) == 0) {
        return NULL;
    }
    if (!PathAppend(outputDirectoryName, "output")) {
        return NULL;
    }
    if (!PathAppend(outputDirectoryName, name)) {
        return NULL;
    }
    if (SHCreateDirectoryEx(NULL, outputDirectoryName, NULL)
            != ERROR_SUCCESS) {
        return NULL;
    }
    return StrDup(outputDirectoryName);
}
output\<name>" in the current directory and returns a heap-allocated copy of its name. For most values of the current directory and the name parameter, this function will work properly. However, if the name parameter is particularly long, then the second call to PathAppend() could overflow the outputDirectoryName buffer, which is smaller than MAX_PATH bytes.
umask() is often confused with the argument to chmod().
umask() man page begins with the false statement:
chmod(), where the user provided argument specifies the bits to enable on the specified file, the behavior of umask() is in fact opposite: umask() sets the umask to ~mask & 0777.
umask() man page goes on to describe the correct usage of umask():
open() to set initial file permissions on a newly-created file. Specifically, permissions in the umask are turned off from the mode argument to open(2) (so, for example, the common umask default value of 022 results in new files being created with permissions 0666 & ~022 = 0644 = rw-r--r-- in the usual case where the mode is specified as 0666)."
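The arithmetic quoted above can be checked directly. The following C program is an added example, not code from the original page: it creates a scratch file under /tmp (an assumed writable location) with a given umask and open(2) mode and reports the permissions the file actually receives, including what happens when a chmod-style value is passed to umask().

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Create a scratch file with open(2) mode `requested` while `mask` is the
 * process umask, and return the permission bits the file actually received
 * (or -1 on error). The previous umask is restored before returning.
 */
int mode_after_umask(mode_t mask, mode_t requested)
{
    char path[64];
    struct stat st;
    int fd, result = -1;
    mode_t old;

    /* Assumed writable scratch location. O_EXCL refuses a pre-existing
     * name, including a symlink planted at that path. */
    snprintf(path, sizeof path, "/tmp/umask_demo_%ld", (long)getpid());

    old = umask(mask);              /* umask() returns the previous mask */
    fd = open(path, O_CREAT | O_EXCL | O_WRONLY, requested);
    umask(old);
    if (fd < 0)
        return -1;

    if (fstat(fd, &st) == 0)
        result = (int)(st.st_mode & 0777);
    close(fd);
    unlink(path);
    return result;
}

int main(void)
{
    /* The page's case: umask 022 with mode 0666 gives 0644 (rw-r--r--). */
    printf("umask 022,  mode 0666 -> %04o\n",
           (unsigned)mode_after_umask(022, 0666));

    /* chmod-style misreading: 0600 is passed to umask() in the belief that
     * it grants owner read/write. Those bits are turned off instead, so the
     * owner loses access while group and other keep it: 0066 (---rw-rw-). */
    printf("umask 0600, mode 0666 -> %04o\n",
           (unsigned)mode_after_umask(0600, 0666));

    /* Owner-only files need the group/other bits in the mask: 077 -> 0600. */
    printf("umask 077,  mode 0666 -> %04o\n",
           (unsigned)mode_after_umask(077, 0666));
    return 0;
}
```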
...
struct stat output;
int ret = stat(aFilePath, &output);
// error handling omitted for this example
struct timespec accessTime = output.st_atime;
...
transactionId to a temporary file in the application Documents directory using a vulnerable method:
...
//get the documents directory:
let documentsPath = NSSearchPathForDirectoriesInDomains(.DocumentDirectory, .UserDomainMask, true)[0]
//make a file name to write the data to using the documents directory:
let fileName = NSString(format:"%@/tmp_activeTrans.txt", documentsPath)
// write data to the file
let transactionId = "TransactionId=12341234"
transactionId.writeToFile(fileName, atomically:true)
...
posted object. FileUpload is of type System.Web.UI.HtmlControls.HtmlInputFile.
HttpPostedFile posted = FileUpload.PostedFile;
@Controller
public class MyFormController {
...
@RequestMapping("/test")
public String uploadFile (org.springframework.web.multipart.MultipartFile file) {
...
} ...
}
<?php
$udir = 'upload/'; // Relative path under Web root
$ufile = $udir . basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $ufile)) {
echo "Valid upload received\n";
} else {
echo "Invalid upload rejected\n";
} ?>
from django.core.files.storage import default_storage
from django.core.files.base import File
...
def handle_upload(request):
files = request.FILES
for f in files.values():
path = default_storage.save('upload/', File(f))
...
<input> tag of type file indicates the program accepts file uploads.
<input type="file">
root privileges have caused innumerable Unix security disasters. It is imperative that you carefully review privileged programs for all kinds of security problems, but it is equally important that privileged programs drop back to an unprivileged state as quickly as possible in order to limit the amount of damage that an overlooked vulnerability might be able to cause.
root user to another.
root when a signal fires or a sub-process is executed, the signal handler or sub-process will operate with root privileges. An attacker may be able to leverage these elevated privileges to do further damage.
sun.misc.Unsafe. All functionality in this class is inherently unsafe to use and can only be accessed via reflection.
sun.misc.Unsafe class is for performing unsafe, low-level operations and is not intended for use by developers.
Unsafe class can only be obtained by trusted code and is normally obtained through reflection, because it can be used for corrupting the system or manually allocating heap memory that, if not properly handled, could have detrimental effects on the system. It is imperative that all functionality around sun.misc.Unsafe be carefully reviewed and tested to be absent of fault.
Value Stack context. Enabling evaluation of unvalidated expressions against the Value Stack can give an attacker access to modify system variables or execute arbitrary code.
OgnlContext ctx = new OgnlContext();
String expression = request.getParameter("input");
Object expr = Ognl.parseExpression(expression);
Object value = Ognl.getValue(expr, ctx, root);
System.out.println("Value: " + value);
(#rt = @java.lang.Runtime@getRuntime(),#rt.exec("calc.exe"))
%{expr}) in a Struts tag that evaluates the OGNL expression twice. An attacker in control of the result of the first evaluation may be able to control the expression to be evaluated in the second OGNL evaluation and inject arbitrary OGNL expressions.
redirectAction result is known to evaluate its parameters twice. In this case the result of the forced OGNL expression in the actionName parameter may be controlled by an attacker by supplying a redirect request parameter.
...
<action name="index" class="com.acme.MyAction">
<result type="redirectAction">
<param name="actionName">${#parameters['redirect']}</param>
<param name="namespace">/foo</param>
</result>
</action>
...
%{#parameters['redirect']} expression returning a user-controlled string that will be evaluated as an OGNL expression, allowing the attacker to evaluate arbitrary OGNL expressions.
execute(). The ! (bang) character or the method: prefix can be used in the Action URL to invoke any public method in the Action if "Dynamic Method Invocation" is enabled. In Struts 2 version 2.3.20, the mechanism to invoke the alternative method, which was previously based on reflection, was changed to use OGNL instead, which allowed attackers to provide malicious OGNL expressions instead of an alternative method name.
debug request parameter:
console will pop up an OGNL evaluation console allowing developers to evaluate any arbitrary OGNL expression on the server.
command will allow the developers to submit arbitrary OGNL expressions to be evaluated using the request parameter expression.
xml will dump the parameters, context, session, and value stack as an XML document.
browser will dump the parameters, context, session, and value stack in a browseable HTML document.
dest request parameter when a user clicks the link.
...
DATA: str_dest TYPE c.
str_dest = request->get_form_field( 'dest' ).
response->redirect( str_dest ).
...
Example 1 will redirect the browser to "http://www.wilyhacker.com".
dest request parameter when a user clicks the link.
...
var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
var strDest:String = String(params["dest"]);
host.updateLocation(strDest);
...
Example 1 will redirect the browser to "http://www.wilyhacker.com".
PageReference object consisting of a URL from the dest request parameter.
public PageReference pageAction() {
...
PageReference ref = ApexPages.currentPage();
Map<String,String> params = ref.getParameters();
return new PageReference(params.get('dest'));
}
Example 1 will redirect the browser to "http://www.wilyhacker.com".
dest request parameter when a user clicks the link.
String redirect = Request["dest"];
Response.Redirect(redirect);
Example 1 will redirect the browser to "http://www.wilyhacker.com".
dest request parameter when a user clicks the link.
...
final server = await HttpServer.bind(host, port);
await for (HttpRequest request in server) {
final response = request.response;
final headers = request.headers;
final strDest = headers.value('strDest');
response.headers.contentType = ContentType.text;
response.redirect(Uri.parse(strDest!));
await response.close();
}
...
Example 1 will redirect the browser to "http://www.wilyhacker.com".
dest request parameter when a user clicks the link.
...
strDest := r.Form.Get("dest")
http.Redirect(w, r, strDest, http.StatusSeeOther)
...
Example 1 redirects the browser to "http://www.wilyhacker.com".
dest request parameter when a user clicks the link.
<end-state id="redirectView" view="externalRedirect:#{requestParameters.dest}" />
Example 1 will redirect the browser to "http://www.wilyhacker.com".
dest request parameter when a user clicks the link.
...
strDest = form.dest.value;
window.open(strDest,"myresults");
...
Example 1 will redirect the browser to "http://www.wilyhacker.com".
dest request parameter when a user clicks the link.
<%
...
$strDest = $_GET["dest"];
header("Location: " . $strDest);
...
%>
Example 1 will redirect the browser to "http://www.wilyhacker.com".
dest request parameter when a user clicks the link.
...
-- Assume QUERY_STRING looks like dest=http://www.wilyhacker.com
dest := SUBSTR(OWA_UTIL.get_cgi_env('QUERY_STRING'), 6);
OWA_UTIL.redirect_url(dest);
...
Example 1 will redirect the browser to "http://www.wilyhacker.com".
dest request parameter when a user clicks the link.
...
strDest = request.field("dest")
redirect(strDest)
...
Example 1 will redirect the browser to "http://www.wilyhacker.com".
dest request parameter:
...
str_dest = req.params['dest']
...
res = Rack::Response.new
...
res.redirect("http://#{str_dest}")
...
Example 1 will redirect the browser to "http://www.wilyhacker.com".
dest request parameter.
def myAction = Action { implicit request =>
...
request.getQueryString("dest") match {
case Some(location) => Redirect(location)
case None => Ok("No url found!")
}
...
}
Example 1 will redirect the browser to "http://www.wilyhacker.com".
requestToLoad to point to the original URL's "dest" parameter if it exists and to the original URL using the http:// scheme otherwise, and finally loads this request within a WKWebView:
...
let requestToLoad : String
...
func application(app: UIApplication, openURL url: NSURL, options: [String : AnyObject]) -> Bool {
...
if let urlComponents = NSURLComponents(URL: url, resolvingAgainstBaseURL: false) {
if let queryItems = urlComponents.queryItems as? [NSURLQueryItem]{
for queryItem in queryItems {
if queryItem.name == "dest" {
if let value = queryItem.value {
request = NSURLRequest(URL:NSURL(string:value))
requestToLoad = request
break
}
}
}
}
if requestToLoad == nil {
urlComponents.scheme = "http"
requestToLoad = NSURLRequest(URL:urlComponents.URL)
}
}
...
}
...
...
let webView : WKWebView
let appDelegate = UIApplication.sharedApplication().delegate as! AppDelegate
webView.loadRequest(appDelegate.requestToLoad)
...
Example 1 will attempt to request and load "http://www.wilyhacker.com" in the WKWebView.
dest request parameter when a user clicks the link.
...
strDest = Request.Form('dest')
HyperLink.NavigateTo strDest
...
Example 1 will redirect the browser to "http://www.wilyhacker.com".
...
var fs:FileStream = new FileStream();
fs.open(new File("config.properties"), FileMode.READ);
var password:String = fs.readMultiByte(fs.bytesAvailable, File.systemCharset);
URLRequestDefaults.setLoginCredentialsForHost(hostname, usr, password);
...
password. Any devious employee with access to this information can use it to break into the system.
...
string password = regKey.GetValue(passKey).ToString();
NetworkCredential netCred =
new NetworkCredential(username,password,domain);
...
password. Any devious employee with access to this information can use it to break into the system.
...
RegQueryValueEx(hkey, TEXT("SQLPWD"), NULL,
NULL,(LPBYTE)password, &size);
rc = SQLConnect(*hdbc, server, SQL_NTS, uid,
SQL_NTS, password, SQL_NTS);
...
password. Any devious employee with access to this information can use it to break into the system.
...
01 RECORD.
05 UID PIC X(10).
05 PASSWORD PIC X(10).
...
EXEC CICS
READ
FILE('CFG')
INTO(RECORD)
RIDFLD(ACCTNO)
...
END-EXEC.
EXEC SQL
CONNECT :UID
IDENTIFIED BY :PASSWORD
AT :MYCONN
USING :MYSERVER
END-EXEC.
...
CFG can read the value of password. Any devious employee with access to this information can use it to break into the system.
<cfquery name = "GetCredentials" dataSource = "master">
SELECT Username, Password
FROM Credentials
WHERE DataSource="users"
</cfquery>
...
<cfquery name = "GetSSNs" dataSource = "users"
username = "#Username#" password = "#Password#">
SELECT SSN
FROM Users
</cfquery>
...
master can read the value of Username and Password. Any devious employee with access to this information can use it to break into the system.
...
file, _ := os.Open("config.json")
decoder := json.NewDecoder(file)
decoder.Decode(&values)
request.SetBasicAuth(values.Username, values.Password)
...
values.Password. Any devious employee with access to this information can use it to break into the system.
...
Properties prop = new Properties();
prop.load(new FileInputStream("config.properties"));
String password = prop.getProperty("password");
DriverManager.getConnection(url, usr, password);
...
password. Any devious employee with access to this information can use it to break into the system.
...
webview.setWebViewClient(new WebViewClient() {
public void onReceivedHttpAuthRequest(WebView view,
HttpAuthHandler handler, String host, String realm) {
String[] credentials = view.getHttpAuthUsernamePassword(host, realm);
String username = credentials[0];
String password = credentials[1];
handler.proceed(username, password);
}
});
...
...
obj = new XMLHttpRequest();
obj.open('GET','/fetchusers.jsp?id='+form.id.value,'true','scott','tiger');
...
plist file and uses it to unzip a password-protected file.
...
NSDictionary *dict= [NSDictionary dictionaryWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"Config" ofType:@"plist"]];
NSString *password = [dict valueForKey:@"password"];
[SSZipArchive unzipFileAtPath:zipPath toDestination:destPath overwrite:TRUE password:password error:&error];
...
...
$props = file('config.properties', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
$password = $props[0];
$link = mysql_connect($url, $usr, $password);
if (!$link) {
die('Could not connect: ' . mysql_error());
}
...
password. Any devious employee with access to this information can use it to break into the system.
...
ip_address := OWA_SEC.get_client_ip;
IF ((OWA_SEC.get_user_id = 'scott') AND
(OWA_SEC.get_password = 'tiger') AND
(ip_address(1) = 144) and (ip_address(2) = 25)) THEN
RETURN TRUE;
ELSE
RETURN FALSE;
END IF;
...
...
props = open('config.properties').read().splitlines()
password = props[0]
link = MySQLdb.connect (host = "localhost",
user = "testuser",
passwd = password,
db = "test")
...
password. Any devious employee with access to this information can use it to break into the system.
require 'pg'
...
passwd = ENV['PASSWD']
...
conn = PG::Connection.new(:dbname => "myApp_production", :user => username, :password => passwd, :sslmode => 'require')
PASSWD. Any devious employee with access to this information can use it to break into the system.
...
val prop = new Properties()
prop.load(new FileInputStream("config.properties"))
val password = prop.getProperty("password")
DriverManager.getConnection(url, usr, password)
...
config.properties can read the value of password. Any devious employee with access to this information can use it to break into the system.
plist file and uses it to unzip a password-protected file.
...
var myDict: NSDictionary?
if let path = NSBundle.mainBundle().pathForResource("Config", ofType: "plist") {
myDict = NSDictionary(contentsOfFile: path)
}
if let dict = myDict {
zipArchive.unzipOpenFile(zipPath, password:dict["password"])
}
...
...
Private Declare Function GetPrivateProfileString _
Lib "kernel32" Alias "GetPrivateProfileStringA" _
(ByVal lpApplicationName As String, _
ByVal lpKeyName As Any, ByVal lpDefault As String, _
ByVal lpReturnedString As String, ByVal nSize As Long, _
ByVal lpFileName As String) As Long
...
Dim password As String
...
password = GetPrivateProfileString("MyApp", "Password", _
"", value, Len(value), _
App.Path & "\" & "Config.ini")
...
con.ConnectionString = "Driver={Microsoft ODBC for Oracle};Server=OracleServer.world;Uid=scott;Passwd=" & password &";"
...
password. Any devious employee with access to this information can use it to break into the system.
...
password = ''.
...
...
URLRequestDefaults.setLoginCredentialsForHost(hostname, "scott", "");
...
Example 1 indicates that the user account "scott" is configured with an empty password, which an attacker can easily guess. After the program ships, updating the account to use a non-empty password will require a code change.
...
var storedPassword:String = "";
var temp:String;
if ((temp = readPassword()) != null) {
storedPassword = temp;
}
if(storedPassword.equals(userPassword)) {
// Access protected resources
...
}
...
readPassword() fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing an empty string for userPassword.
...
HttpRequest req = new HttpRequest();
req.setClientCertificate('mycert', '');
...
...
resource mysqlserver 'Microsoft.DBforMySQL/servers@2017-12-01' = {
...
properties: {
administratorLogin: 'admin'
administratorLoginPassword: ''
...
Example 1 succeeds, it indicates that the MySQL database is configured with an empty administrator password, which an attacker can easily guess. In Bicep, this may also be shown in deployment history or logs. After the program ships, updating the account to use a non-empty password will require a code change. Anyone with access to this information can use it to break into the system.
...
NetworkCredential netCred = new NetworkCredential("scott", "", domain);
...
Example 1 succeeds, it indicates that the network credential login "scott" is configured with an empty password, which an attacker can easily guess. After the program ships, updating the account to use a non-empty password will require a code change.
...
string storedPassword = "";
string temp;
if ((temp = ReadPassword(storedPassword)) != null) {
storedPassword = temp;
}
if(storedPassword.Equals(userPassword)) {
// Access protected resources
...
}
...
readPassword() fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing an empty string for userPassword.
...
rc = SQLConnect(*hdbc, server, SQL_NTS, "scott", SQL_NTS, "", SQL_NTS);
...
Example 1 succeeds, it indicates that the database user account "scott" is configured with an empty password, which an attacker can easily guess. After the program ships, updating the account to use a non-empty password will require a code change.
...
char *stored_password = "";
readPassword(stored_password);
if(safe_strcmp(stored_password, user_password)) {
// Access protected resources
...
}
...
readPassword() fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing an empty string for user_password.
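The bypass described above next to a fail-closed alternative, as an added example that is not part of the original page. read_password(), its backend_up switch, ct_equal() and the sample secret are hypothetical stand-ins constructed for the illustration; comparing a stored plaintext value only mirrors the page's snippet.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PW_MAX 64

/* Hypothetical credential store: returns 0 and fills `out` on success, -1
 * when the backend is unavailable. `backend_up` simulates a database outage. */
int read_password(int backend_up, char *out, size_t outlen)
{
    static const char stored[] = "constructed-sample-secret"; /* constructed */
    if (!backend_up || outlen < sizeof stored)
        return -1;
    memcpy(out, stored, sizeof stored);
    return 0;
}

/* Hypothetical stand-in for the page's safe_strcmp(), whose definition the
 * page does not show. Returns 1 when the strings are equal. The loop always
 * runs over the longer length instead of stopping at the first mismatch. */
int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    size_t n = la > lb ? la : lb, i;
    unsigned char diff = (unsigned char)(la != lb);

    for (i = 0; i < n; i++) {
        unsigned char ca = i < la ? (unsigned char)a[i] : 0;
        unsigned char cb = i < lb ? (unsigned char)b[i] : 0;
        diff |= (unsigned char)(ca ^ cb);
    }
    return diff == 0;
}

/* Pattern from the page: the empty default survives a failed read, so an
 * empty user_password matches it. */
int check_vulnerable(int backend_up, const char *user_password)
{
    char stored[PW_MAX] = "";
    read_password(backend_up, stored, sizeof stored); /* result ignored */
    return ct_equal(stored, user_password);
}

/* Fail closed: a read error, an empty stored value or an empty submitted
 * value each deny access before any comparison takes place. */
int check_hardened(int backend_up, const char *user_password)
{
    char stored[PW_MAX];

    if (user_password == NULL || user_password[0] == '\0')
        return 0;
    if (read_password(backend_up, stored, sizeof stored) != 0)
        return 0;
    if (stored[0] == '\0')
        return 0;
    return ct_equal(stored, user_password);
}

int main(void)
{
    printf("outage, empty input, vulnerable: %d\n", check_vulnerable(0, ""));
    printf("outage, empty input, hardened:   %d\n", check_hardened(0, ""));
    printf("backend up, correct, hardened:   %d\n",
           check_hardened(1, "constructed-sample-secret"));
    printf("backend up, wrong, hardened:     %d\n", check_hardened(1, "wrong"));
    return 0;
}
```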
...
<cfquery name = "GetSSNs" dataSource = "users"
username = "scott" password = "">
SELECT SSN
FROM Users
</cfquery>
...
Example 1 succeeds, it indicates that the database user account "scott" is configured with an empty password, which an attacker can easily guess. After the program ships, updating the account to use a non-empty password will require a code change.
...
var password = "";
var temp;
if ((temp = readPassword()) != null) {
password = temp;
}
if(password == userPassword()) {
// Access protected resources
...
}
...
readPassword() fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing an empty string for userPassword.
...
response.SetBasicAuth(usrName, "")
...
...
DriverManager.getConnection(url, "scott", "");
...
Example 1 succeeds, it indicates that the database user account "scott" is configured with an empty password, which an attacker can easily guess. After the program ships, updating the account to use a non-empty password will require a code change.
...
String storedPassword = "";
String temp;
if ((temp = readPassword()) != null) {
storedPassword = temp;
}
if(storedPassword.equals(userPassword)) {
// Access protected resources
...
}
...
readPassword() fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing an empty string for userPassword.
...
webview.setWebViewClient(new WebViewClient() {
public void onReceivedHttpAuthRequest(WebView view,
HttpAuthHandler handler, String host, String realm) {
String username = "";
String password = "";
if (handler.useHttpAuthUsernamePassword()) {
String[] credentials = view.getHttpAuthUsernamePassword(host, realm);
username = credentials[0];
password = credentials[1];
}
handler.proceed(username, password);
}
});
...
Example 2, if useHttpAuthUsernamePassword() returns false, an attacker will be able to view protected pages by supplying an empty password.
...
obj = new XMLHttpRequest();
obj.open('GET','/fetchusers.jsp?id='+form.id.value,'true','scott','');
...
{
...
"password" : ""
...
}
...
rc = SQLConnect(*hdbc, server, SQL_NTS, "scott", SQL_NTS, "", SQL_NTS);
...
Example 1 succeeds, it indicates that the database user account "scott" is configured with an empty password, which an attacker can easily guess. After the program ships, updating the account to use a non-empty password will require a code change.
...
NSString *stored_password = @"";
readPassword(stored_password);
if(safe_strcmp(stored_password, user_password)) {
// Access protected resources
...
}
...
readPassword() fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing an empty string for user_password.
<?php
...
$connection = mysql_connect($host, 'scott', '');
...
?>
DECLARE
password VARCHAR(20);
BEGIN
password := "";
END;
...
db = mysql.connect("localhost","scott","","mydb")
...
...
conn = Mysql.new(database_host, "scott", "", databasename);
...
Example 1 succeeds, it indicates that the database user account "scott" is configured with an empty password, which an attacker can easily guess. After the program ships, updating the account to use a non-empty password will require a code change.
"" as a default value when none is specified. In this case you also need to make sure that the correct number of arguments is specified in order to make sure a password is passed to the function.
...
ws.url(url).withAuth("john", "", WSAuthScheme.BASIC)
...
...
let password = ""
let username = "scott"
let con = DBConnect(username, password)
...
Example 1 succeeds, it indicates that the database user account "scott" is configured with an empty password, which an attacker can easily guess. After the program ships, updating the account to use a non-empty password will require a code change.
...
var stored_password = ""
readPassword(stored_password)
if(stored_password == user_password) {
// Access protected resources
...
}
...
readPassword() fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing an empty string for user_password.
...
Dim con As New ADODB.Connection
Dim cmd As New ADODB.Command
Dim rst As New ADODB.Recordset
con.ConnectionString = "Driver={Microsoft ODBC for Oracle};Server=OracleServer.world;Uid=scott;Passwd=;"
...
Example 1 succeeds, it indicates that the database user account "scott" is configured with an empty password, which an attacker can easily guess. After the program ships, updating the account to use a non-empty password will require a code change.
...
password = 'tiger'.
...
...
URLRequestDefaults.setLoginCredentialsForHost(hostname, "scott", "tiger");
...
...
HttpRequest req = new HttpRequest();
req.setClientCertificate('mycert', 'tiger');
...
...
resource mysqlserver 'Microsoft.DBforMySQL/servers@2017-12-01' = {
...
properties: {
administratorLogin: 'administratorUserName'
administratorLoginPassword: 'administratorLoginPass'
...
...
NetworkCredential netCred =
new NetworkCredential("scott", "tiger", domain);
...
...
rc = SQLConnect(*hdbc, server, SQL_NTS, "scott",
SQL_NTS, "tiger", SQL_NTS);
...
...
MOVE "scott" TO UID.
MOVE "tiger" TO PASSWORD.
EXEC SQL
CONNECT :UID
IDENTIFIED BY :PASSWORD
AT :MYCONN
USING :MYSERVER
END-EXEC.
...
...
<cfquery name = "GetSSNs" dataSource = "users"
username = "scott" password = "tiger">
SELECT SSN
FROM Users
</cfquery>
...
...
var password = "foobarbaz";
...
javap -c command to access the disassembled code, which will contain the values of the passwords used. The result of this operation might look something like the following for Example 1:
javap -c ConnMngr.class
22: ldc #36; //String jdbc:mysql://ixne.com/rxsql
24: ldc #38; //String scott
26: ldc #17; //String tiger
password := "letmein"
...
response.SetBasicAuth(usrName, password)
...
DriverManager.getConnection(url, "scott", "tiger");
...
javap -c command to access the disassembled code, which will contain the values of the passwords used. The result of this operation might look something like the following for Example 1:
javap -c ConnMngr.class
22: ldc #36; //String jdbc:mysql://ixne.com/rxsql
24: ldc #38; //String scott
26: ldc #17; //String tiger
...
webview.setWebViewClient(new WebViewClient() {
public void onReceivedHttpAuthRequest(WebView view,
HttpAuthHandler handler, String host, String realm) {
handler.proceed("guest", "allow");
}
});
...
Example 1, this code will run successfully, but anyone who has access to it will have access to the password.
...
obj = new XMLHttpRequest();
obj.open('GET','/fetchusers.jsp?id='+form.id.value,'true','scott','tiger');
...
...
{
"username":"scott",
"password":"tiger"
}
...
...
DriverManager.getConnection(url, "scott", "tiger")
...
javap -c command to access the disassembled code, which will contain the values of the passwords used. The result of this operation might look something like the following for Example 1:
javap -c ConnMngr.class
22: ldc #36; //String jdbc:mysql://ixne.com/rxsql
24: ldc #38; //String scott
26: ldc #17; //String tiger
...
webview.webViewClient = object : WebViewClient() {
override fun onReceivedHttpAuthRequest( view: WebView,
handler: HttpAuthHandler, host: String, realm: String
) {
handler.proceed("guest", "allow")
}
}
...
Example 1, this code will run successfully, but anyone who has access to it will have access to the password.
...
rc = SQLConnect(*hdbc, server, SQL_NTS, "scott",
SQL_NTS, "tiger", SQL_NTS);
...
...
$link = mysql_connect($url, 'scott', 'tiger');
if (!$link) {
die('Could not connect: ' . mysql_error());
}
...
DECLARE
password VARCHAR(20);
BEGIN
password := "tiger";
END;
password = "tiger"
...
response.writeln("Password:" + password)
...
Mysql.new(URI(hostname, 'scott', 'tiger', databasename))
...
...
ws.url(url).withAuth("john", "secret", WSAuthScheme.BASIC)
...
javap -c command to access the disassembled code, which will contain the values of the passwords used. The result of this operation might look something like the following for Example 1:
javap -c MyController.class
24: ldc #38; //String john
26: ldc #17; //String secret
...
let password = "secret"
let username = "scott"
let con = DBConnect(username, password)
...
Example 2: The following ODBC connection string uses a hardcoded password:
...
https://user:secretpassword@example.com
...
...
server=Server;database=Database;UID=UserName;PWD=Password;Encrypt=yes;
...
...
Dim con As New ADODB.Connection
Dim cmd As New ADODB.Command
Dim rst As New ADODB.Recordset
con.ConnectionString = "Driver={Microsoft ODBC for Oracle};Server=OracleServer.world;Uid=scott;Passwd=tiger;"
...
...
credential_settings:
username: scott
password: tiger
...