Password Management:Password in Configuration File 密码管理:配置文件中的密码
Abstract:
在配置文件中存储明文密码,可能会危及系统安全。
Explanation:
在配置文件中存储明文密码会使所有能够访问该文件的人都能访问那些用密码保护的资源。程序员有时候认为,他们不可能阻止应用程序被那些能够访问配置文件的攻击者入侵,但是这种想法会导致攻击者发动攻击变得更加容易。健全的 password management 方针从来不会允许以明文形式存储密码。
在这种情况下,在 app.properties 中第 42 行上,存在 hardcoded password。
Instance ID: C4F0382440E62AE4949A20A999D076E9
Priority Metadata Values:
IMPACT: 4.0
LIKELIHOOD: 3.2
Legacy Priority Metadata Values:
SEVERITY: 4.0
CONFIDENCE: 5.0
Remediation Effort: 5.0
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Recommendations:
绝不能采用明文的形式存储密码。相反,应在系统启动时,由管理员输入密码。如果这种方法不切实际,一个安全性较差、但通常都比较恰当的解决办法是将密码模糊化,并把这些去模糊化的资源分散到系统各处,因此,要破译密码,攻击者就必须取得并正确合并多个系统资源。
有些第三方产品宣称可以采用更加安全的方式管理密码。例如,WebSphere Application Server 4.x 用简单的异或加密算法加密数值,但是请不要对诸如此类的加密方式给予完全的信任。WebSphere 以及其他一些应用服务器通常都只提供过期的且相对较弱的加密机制,这对于安全性敏感的环境来说是远远不够的。较为安全的解决方法是由用户自己创建一个新机制,而这也是如今唯一可行的方法。
Tips:
1. HPE Security Fortify Static Code Analyzer(HPE Security Fortify 静态代码分析器)会从配置文件中搜索那些用于密码属性的常用名称。当发现密码条目中包含明文时,就会将其标记为问题。
2. 如果配置文件中包含一个默认密码条目,除了需要在配置文件中将其模糊化以外,还需要对其进行修改。
References:
[1] Standards Mapping - Common Weakness Enumeration, CWE ID 13, CWE ID 260, CWE ID 555
[2] Standards Mapping - FIPS200, IA
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4, SC-28 Protection of Information at Rest (P1)
[4] Standards Mapping - OWASP Mobile Top 10 Risks 2014, M2 Insecure Data Storage
[5] Standards Mapping - OWASP Top 10 2004, A8 Insecure Storage
[6] Standards Mapping - OWASP Top 10 2007, A8 Insecure Cryptographic Storage
[7] Standards Mapping - OWASP Top 10 2010, A7 Insecure Cryptographic Storage
[8] Standards Mapping - OWASP Top 10 2013, A6 Sensitive Data Exposure
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1, Requirement 6.5.8, Requirement 8.4
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2, Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0, Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0, Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1, Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2, Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[15] Standards Mapping - Security Technical Implementation Guide Version 3.1, APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[16] Standards Mapping - Security Technical Implementation Guide Version 3.10, APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[17] Standards Mapping - Security Technical Implementation Guide Version 3.4, APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[18] Standards Mapping - Security Technical Implementation Guide Version 3.5, APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.6, APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.7, APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.9, APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 4.1, APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I