Skip to main content

Non-encrypted confidential information

Description

Confidential information is stored in plain text allowing an attacker to view it without any type of encryption.

Impact

Obtain sensitive information that may compromise system resources.

Recommendation

Encrypt all sensitive information that is transported or stored within the application according to the organizations policies.

Threat

Anonymous attacker with access to the source-code from the Internet.

Expected Remediation Time

⌚ 90 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code madurity: P
  • Remediation level: U
  • Report confidence: R

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:U/RC:R
  • Score:
    • Base: 4.3
    • Temporal: 3.9
  • Severity:
    • Base: Medium
    • Temporal: Low

Code Examples

Compliant code

Credentials should be stored as encrypted values

using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using WebApplication1.Controllers;

namespace WebApplicationDotNetCore.Controllers{
String access_key = "encrypted_key";
public class Query{
public IActionResult Authenticate(UserAccountContext context, string user){
string query = "SELECT * FROM Users WHERE Username = user AND Key = access_key;
}
}
}

Non compliant code

The application saves sensitive data as plain text

using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using WebApplication1.Controllers;

String ACCESS_KEY = "my_insecure_key";

namespace WebApplicationDotNetCore.Controllers{
public class Query{
public IActionResult Authenticate(UserAccountContext context, string user){
string query = "SELECT * FROM Users WHERE Username = user AND Key = ACCESS_KEY;
}
}
}

Details

Why

When secret credentials are compromised, we always generate a vulnerability report either the credentials are mocks, or are functional only in specific scenarios such as local environments. The risk of this scenario is usually considered in the severity tab. For local environment credentials the risk is low but not zero.

Hence to solve this vulnerabilty we recommend to remove the credentials from the source code, change the compromised credentials and ideally remove the credentials from the git log. In some cases the last recommendation cannot be applied to avoid traceability issues. If that's the case, in addition to removing the credentials from the code, we require a customer confirmation that the credentials were changed to close the vulnerability.

Requirements