Language: VB.NET | Type: VULNERABILITY | Severity: Major
Tags: cwe, former-hotspot
Hard-coding credentials in source code or binaries makes it easy for attackers to extract sensitive information, especially in distributed or open-source applications. This practice exposes your application to significant security risks.
This rule flags instances of hard-coded credentials used in database and LDAP connections. It looks for hard-coded credentials in connection strings, and for variable names that match any of the patterns from the provided list.
In the past, it has led to the following vulnerabilities:
Credentials should be stored in a configuration file that is not committed to the code repository, in a database, or managed by your cloud provider’s secrets management service. If a password is exposed in the source code, it must be changed immediately.
Dim username As String = "admin" Dim password As String = "Password123" ' Noncompliant Dim usernamePassword As String = "user=admin&password=Password123" ' Noncompliant Dim url As String = "scheme://user:Admin123@domain.com" ' Noncompliant
Dim username As String = "admin"
Dim password As String = GetEncryptedPassword()
Dim usernamePassword As String = String.Format("user={0}&password={1}", GetEncryptedUsername(), GetEncryptedPassword())
Dim url As String = $"scheme://{username}:{password}@domain.com"
Dim url2 As String= "http://guest:guest@domain.com" ' Compliant
Const Password_Property As String = "custom.password" ' Compliant