What is Insecure OS/Firmware Hardcoded Password – Non-Privileged User Vulnerability?

Embedded credentials, also known as hardcoded credentials, are plaintext credentials written directly into source code. The practice of inserting plaintext (unencrypted) credentials (account passwords, SSH keys, DevOps secrets, etc.) into source code is referred to as password or credential hardcoding.

Hardcoding credentials is increasingly discouraged because it introduces significant security weaknesses that are routinely exploited by malware and attackers. In rare circumstances, a threat actor (possibly one associated with a nation-state) may deliberately plant hardcoded credentials to create a backdoor, granting persistent access to a device, application, or system.

The Insecure OS/Firmware Hardcoded Password – Non-Privileged User Vulnerability refers to a security issue where an operating system (OS) or firmware embedded in a device or application contains hardcoded passwords that can be exploited by non-privileged users to gain unauthorized access. This vulnerability arises when developers use static, easily guessable passwords in their code, putting the security of the system at risk. In this article, we’ll explore this vulnerability, its potential risks, and provide sample code snippets in various popular programming languages and frameworks to help developers understand and remediate this security concern.

How the Vulnerability Works

  1. Hardcoded Password: Developers embed a hardcoded password directly into the OS or firmware, often for administrative purposes or debugging.
  2. Non-Privileged User: An attacker or non-privileged user gains access to the device or application, either physically or remotely.
  3. Exploitation: The attacker discovers the hardcoded password within the device’s code or firmware.
  4. Unauthorized Access: With knowledge of the hardcoded password, the attacker gains unauthorized access to the system, potentially compromising its security or functionality.

Mitigating Insecure Hardcoded Passwords

To mitigate this vulnerability, developers should avoid hardcoded passwords and instead rely on secure authentication mechanisms, such as storing only salted password hashes and supplying credentials at provisioning or runtime rather than in code. Here are code samples in various programming languages and frameworks:

Python (Django)

# Use Django's built-in authentication system to avoid hardcoded passwords
from django.contrib.auth.models import User

# Create a new user
user = User.objects.create_user('username', '[email protected]', 'strong_password')

Node.js (Express)

// Store user passwords securely using bcrypt in Node.js
const bcrypt = require('bcrypt');
const saltRounds = 10;

// Hash and store the password
bcrypt.hash('strong_password', saltRounds, function(err, hash) {
  if (err) throw err;

  // Store the hash in your database
});

PHP (Laravel)

// Use Laravel's Hash facade to securely store passwords
use Illuminate\Support\Facades\Hash;

// Hash and store the password
$hashedPassword = Hash::make('strong_password');

.NET (ASP.NET Core)

// Store passwords securely using ASP.NET Core Identity
using Microsoft.AspNetCore.Identity;

// Hash and store the password
var passwordHasher = new PasswordHasher<IdentityUser>();
string hashedPassword = passwordHasher.HashPassword(null, "strong_password");

Ruby on Rails (Ruby)

# Store user passwords securely using bcrypt in Ruby on Rails
class User < ApplicationRecord
  has_secure_password
end

# Create a new user
user = User.new(username: 'username', email: '[email protected]', password: 'strong_password')
user.save

Java (Spring Boot)

// Use Spring Security for secure password storage in Java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class UserService {
    private final BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();

    public void createUser(String username, String password) {
        String hashedPassword = passwordEncoder.encode(password);
        // Store the hashed password in your database
    }
}

Ruby (Sinatra)

# Store user passwords securely using bcrypt in Sinatra
require 'bcrypt'

# Create a new user
password_hash = BCrypt::Password.create('strong_password')

ASP.NET (C#)

// Store user passwords securely using ASP.NET Identity in C#
using Microsoft.AspNet.Identity;

// Hash and store the password
// 'context' is the application's Identity DbContext (e.g. ApplicationDbContext) created earlier
var userManager = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(context));
var user = new ApplicationUser { UserName = "username", Email = "[email protected]" };
var result = userManager.Create(user, "strong_password");

Each of these code samples uses the framework's own password-hashing facility (Django's authentication system, bcrypt, Laravel's Hash facade, ASP.NET Identity, has_secure_password, Spring Security) so that only a salted hash is stored and no plaintext password needs to live in the code, helping developers avoid hardcoded passwords and strengthen the security of their systems.
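As an added illustration that is not part of the original article, the following Python shows a firmware-style login check in both forms: the vulnerable version compares against a password compiled into the code, and the hardened version verifies a salted PBKDF2 hash loaded from provisioning data, failing closed when nothing has been provisioned. The password value, the ADMIN_PASSWORD_HASH variable name and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# --- Vulnerable pattern: the secret is part of the code -----------------------
# "debug123" is a constructed value. Anyone who extracts the firmware image
# recovers it, and it is identical on every unit ever shipped.
HARDCODED_DEBUG_PASSWORD = "debug123"


def vulnerable_check(password: str) -> bool:
    return password == HARDCODED_DEBUG_PASSWORD


# --- Hardened pattern: per-device salted hash, stored outside the code --------
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>' for storage."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
        salt, iterations = bytes.fromhex(salt_hex), int(iters)
    except ValueError:  # malformed or empty record: fail closed
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(digest.hex(), hash_hex)


def authenticate(password: str, stored: Optional[str] = None) -> bool:
    """Login check. The hash comes from provisioning data (here the assumed
    ADMIN_PASSWORD_HASH environment variable); with nothing provisioned there
    is no fallback password, so the check fails closed."""
    if stored is None:
        stored = os.environ.get("ADMIN_PASSWORD_HASH", "")
    return verify_password(password, stored)
```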

By adopting secure password storage practices and avoiding hardcoded passwords, developers can significantly enhance the security of their systems, protecting against unauthorized access and potential vulnerabilities.
