The J2EE application stores a plaintext password in a configuration file.
Extended Description
Storing a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resource, making it an easy target for attackers.
ThreatScore
Threat Mapped score: 3.25
Industry: Financial
Threat priority: P2 - Serious (High)
Observed Examples (CVEs)
No observed examples available.
Related Attack Patterns (CAPEC)
N/A
Attack TTPs
N/A
Modes of Introduction
Phase: Architecture and Design (Note: N/A)
Phase: Implementation (Note: N/A)
Common Consequences
Impact: Bypass Protection Mechanism (Notes: none)
Potential Mitigations
Architecture and Design: Do not hardwire passwords into your software. (N/A)
Architecture and Design: Use industry standard libraries to encrypt passwords before storage in configuration files. (N/A)
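As an added example that is not part of this entry, the Python below audits a Java .properties file for credential keys holding literal values (the weak setting described here) and shows the corrected form, where the file carries only a reference that is resolved at runtime. The sample files, the credential key-name heuristic and the ${env:VAR} placeholder convention are assumptions made for the example.

```python
import os
import re

# Constructed sample of the weak configuration: the LDAP password is a literal.
WEAK_PROPERTIES = """\
# LDAP settings (constructed example)
ldap.url=ldaps://ldap.example.com:636
ldap.user=cn=app,ou=services,dc=example,dc=com
ldap.password=hunter2
"""

# Corrected form (assumed convention): the file holds a reference, not the secret.
HARDENED_PROPERTIES = """\
ldap.url=ldaps://ldap.example.com:636
ldap.user=cn=app,ou=services,dc=example,dc=com
ldap.password=${env:LDAP_PASSWORD}
"""

SECRET_KEY_RE = re.compile(r"(password|passwd|pwd|secret|credential)", re.I)
ENV_REF_RE = re.compile(r"^\$\{env:([A-Z_][A-Z0-9_]*)\}$")


def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comments, 'key=value',
    'key:value' or 'key value' pairs, and backslash line continuations."""
    props, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        while line.endswith("\\") and i + 1 < len(lines):  # join continuation
            i += 1
            line = line[:-1] + lines[i].strip()
        i += 1
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:\s]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def find_plaintext_secrets(text):
    """Keys that look credential-like and whose value is a literal, not a reference."""
    return sorted(k for k, v in parse_properties(text).items()
                  if SECRET_KEY_RE.search(k) and v and not ENV_REF_RE.match(v))


def resolve_secret(props, key, env=os.environ):
    """Resolve a credential only through an external reference; refuse literals."""
    m = ENV_REF_RE.match(props.get(key, ""))
    if not m:
        raise ValueError(f"{key} must be a ${{env:NAME}} reference, not a literal")
    if m.group(1) not in env:
        raise KeyError(f"environment variable {m.group(1)} is not set")
    return env[m.group(1)]
```

Running find_plaintext_secrets over deployed configuration directories gives a cheap detection for this weakness; resolve_secret is the loader-side guard that keeps the literal form from ever working.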
Applicable Platforms
None listed.
Demonstrative Examples
Intro: Below is a snippet from a Java properties file in which the LDAP server password is stored in plaintext.