Technical Impact: Gain privileges / assume
identity
Likelihood of Exploit
Very High
Demonstrative Examples
Example 1
The following examples show a portion of properties and
configuration files for Java and ASP.NET applications. The files include
username and password information but the password is provided as an empty
string.
This Java example shows a properties file with an empty password
string.
(Bad Code)
Example
Language: Java
# Java Web App ResourceBundle properties file
...
webapp.ldap.username=secretUsername
webapp.ldap.password=
...
The following example shows a portion of a configuration file for an
ASP.Net application. This configuration file includes username and
password information for a connection to a database and the password is
provided as an empty string.
An empty string should never be used as a password as this can allow unauthorized access to the application. Username and password information should not be included in a configuration file or a properties file in clear text. If possible, encrypt this information and avoid CWE-260 and CWE-13.
Potential Mitigations
Passwords should be at least eight characters long -- the longer the
better. Avoid passwords that are in any way similar to other passwords
you have. Avoid using words that may be found in a dictionary, names
book, on a map, etc. Consider incorporating numbers and/or punctuation
into your password. If you do use common words, consider replacing
letters in that word with numbers and punctuation. However, do not use
"similar-looking" punctuation. For example, it is not a good idea to
change cat to c@t, ca+, (@+, or anything similar. Finally, it is never
appropriate to use an empty string as a password.
Weakness Ordinalities
Ordinality
Description
Primary
(where
the weakness exists independent of other weaknesses)
Description
