← back to index

S2068 — Credentials should not be hard-coded

Language: VB.NET  |  Type: VULNERABILITY  |  Severity: Major

Tags: cwe, former-hotspot

Why is this an issue?

Hard-coding credentials in source code or binaries makes it easy for attackers to extract sensitive information, especially in distributed or open-source applications. This practice exposes your application to significant security risks.

This rule flags instances of hard-coded credentials used in database and LDAP connections. It looks for hard-coded credentials in connection strings, and for variable names that match any of the patterns from the provided list.

In the past, it has led to the following vulnerabilities:

How to fix it

Credentials should be stored in a configuration file that is not committed to the code repository, in a database, or managed by your cloud provider’s secrets management service. If a password is exposed in the source code, it must be changed immediately.

Code Examples

Noncompliant code example

Dim username As String = "admin"
Dim password As String = "Password123" ' Noncompliant
Dim usernamePassword As String = "user=admin&password=Password123" ' Noncompliant
Dim url As String = "scheme://user:Admin123@domain.com" ' Noncompliant

Compliant solution

Dim username As String = "admin"
Dim password As String = GetEncryptedPassword()
Dim usernamePassword As String = String.Format("user={0}&password={1}", GetEncryptedUsername(), GetEncryptedPassword())
Dim url As String = $"scheme://{username}:{password}@domain.com"

Dim url2 As String= "http://guest:guest@domain.com" ' Compliant
Const Password_Property As String = "custom.password" ' Compliant

Exceptions

Resources