Abstract:
Hardcoded password 可能會危及系統安全性,並且無法輕易修正出現的安全問題。
Explanation:
使用硬編碼方式處理密碼絕非好方法。這不僅是因為所有項目開發人員都可以使用通過硬編碼方式處理的密碼,而且還會使解決這一問題變得極其困難。一旦代碼投入使用,除非對軟件進行修補,否則您再也不能改變密碼了。如果帳戶中的密碼保護減弱,系統所有者將被迫在安全性和可行性之間做出選擇。
示例:以下代碼使用 hardcoded password 來連接應用程序和檢索地址簿條目:
...
obj = new XMLHttpRequest(); obj.open('GET','/fetchusers.jsp?id='+form.id.value,'true','scott','tiger');
...
該代碼會正常運行,但是任何能夠訪問其中所包含的網頁的人都能得到這個密碼。
Instance ID: 847A3E3204A25FCA6A424B6AB801BC03
Priority Metadata Values:
IMPACT: 4.0
LIKELIHOOD: 3.2
Legacy Priority Metadata Values:
SEVERITY: 4.0
CONFIDENCE: 5.0
Remediation Effort: 3.0
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Recommendations:
絕不能對密碼進行硬編碼。通常情況下,應對密碼加以模糊化,並在外部資源文件中進行管理。如果將密碼以明文形式存儲在網站中任意位置,會造成任何有充分權限的人讀取和無意中誤用密碼。對於需要輸入密碼的 JavaScript 引用,最好在連接時就提示用戶輸入密碼。
Tips:
1. 避免在源代碼中對密碼進行硬編碼,還要避免使用默認密碼。如果 hardcoded password 處於缺省狀態,則需要修改密碼,使其不出現在源代碼中。
2. 識別 null password、empty password 和 hardcoded password 時,默認規則只會考慮包含 password 字符的字段和變量。但是,HPE Security Fortify Custom Rules Editor(HPE Security Fortify 自定義規則編輯器)會提供 Password Management 向導,讓您輕松創建能夠從自定義名稱的字段和變量中檢測出 password management 問題的規則。
References:
[1] Standards Mapping - Common Weakness Enumeration, CWE ID 259, CWE ID 798
[2] Standards Mapping - FIPS200, IA
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4, SC-28 Protection of Information at Rest (P1)
[4] Standards Mapping - OWASP Mobile Top 10 Risks 2014, M2 Insecure Data Storage
[5] Standards Mapping - OWASP Top 10 2004, A8 Insecure Storage
[6] Standards Mapping - OWASP Top 10 2007, A8 Insecure Cryptographic Storage
[7] Standards Mapping - OWASP Top 10 2010, A7 Insecure Cryptographic Storage
[8] Standards Mapping - OWASP Top 10 2013, A6 Sensitive Data Exposure
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1, Requirement 6.5.8, Requirement 8.4
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2, Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0, Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0, Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1, Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2, Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[15] Standards Mapping - SANS Top 25 2009, Porous Defenses - CWE ID 259
[16] Standards Mapping - SANS Top 25 2010, Porous Defenses - CWE ID 798
[17] Standards Mapping - SANS Top 25 2011, Porous Defenses - CWE ID 798
[18] Standards Mapping - Security Technical Implementation Guide Version 3.1, APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.10, APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.4, APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.5, APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.6, APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.7, APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.9, APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 4.1, APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[26] Standards Mapping - Web Application Security Consortium 24 + 2, Insufficient Authentication
[27] Standards Mapping - Web Application Security Consortium Version 2.00, Insufficient Authentication (WASC-01)