The application must not contain embedded authentication data.

From Application Security and Development Security Technical Implementation Guide

Part of ASDV-PL-003110

Associated with: CCI-002367

SV-84985r1_rule The application must not contain embedded authentication data.

Vulnerability discussion

Authentication data stored in code could potentially be read and used by anonymous users to gain access to a backend database or application servers. This could lead to compromise of application data.

Check content

Review the application documentation and any available source code; this includes configuration files such as global.asa, if present, scripts, HTML files, and any ASCII files. Identify any instances of passwords, certificates, or sensitive data included in code. If credentials were found, check the file permissions and ownership of the offending file. If access to the folder hosting the file is not restricted to the related application process and administrative users, this is a finding. The finding details should note specifically where the offending credentials or data were located and what resources they enabled.

Fix text

Remove embedded authentication data stored in code, configuration files, scripts, HTML file, or any ASCII files.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer