ASP.NET Misconfiguration: Password in Configuration File

Status: Draft
Abstraction: Variant
Structure: Simple
Description

Storing a plaintext password in a configuration file gives anyone who can read the file access to the password-protected resource. Configuration files are routinely readable by more people and processes than the credential was meant for (backups, source control, deployment tooling, other accounts on the host), so the stored password becomes an easy target for attackers.

Common Consequences
Scope: Access Control

Impact: Gain Privileges or Assume Identity

Potential Mitigations
Phase: Implementation
Credentials stored in configuration files should be encrypted. Use standard APIs and industry-accepted algorithms to encrypt the credentials stored in configuration files; in ASP.NET this means protecting the relevant configuration section (for example connectionStrings) with the built-in protected-configuration providers (DPAPI or RSA) rather than hand-rolling a scheme. Where the platform allows it, prefer removing the secret from the file altogether (for example integrated Windows authentication to the database).
Demonstrative Examples
The following example shows a portion of a configuration file for an ASP.NET application. This configuration file includes the username and password for a connection to a database, and the pair is stored in plaintext.

Code Example (Bad, ASP.NET):
Username and password information should not be included in a configuration file or a properties file in plaintext, because anyone who can read the file gains access to the resource. If the credential cannot be removed from the file, encrypt the section that holds it.
References
[REF-6] Katrina Tsipenyuk, Brian Chess, and Gary McGraw. "Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors". NIST Workshop on Software Security Assurance Tools, Techniques, and Metrics, NIST. 2005-11-07.
[REF-103] Microsoft Corporation. "How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI".
[REF-104] Microsoft Corporation. "How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA".
[REF-105] Microsoft Corporation. ".NET Framework Developer's Guide - Securing Connection Strings".
Modes of Introduction
  • Architecture and Design
  • Implementation
Related Weaknesses
Taxonomy Mapping
  • 7 Pernicious Kingdoms