ASP.NET Misconfiguration: Password in Configuration File
Weakness ID: 13 (Weakness Variant)Status: Draft
+ Description

Description Summary

Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attackers.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Demonstrative Examples

Example 1

The following connectionString has clear text credentials.

(Bad Code)
Example Language: XML 
<connectionStrings>
<add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;"
providerName="System.Data.Odbc" />
</connectionStrings>

+ Potential Mitigations

Good password management guidelines require that a password never be stored in plaintext.

Phase: Implementation

credentials stored in configuration files should be encrypted.

Phase: Implementation

Use standard APIs and industry accepted algorithms to encrypt the credentials stored in configuration files.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory2Environment
Seven Pernicious Kingdoms (primary)700
ChildOfCategoryCategory10ASP.NET Environment Issues
Development Concepts (primary)699
ChildOfWeakness VariantWeakness Variant260Password in Configuration File
Research Concepts (primary)1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
7 Pernicious KingdomsASP.NET Misconfiguration: Password in Configuration File
+ References
Microsoft Corporation. "How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI". <http://msdn.microsoft.com/en-us/library/ms998280.aspx>.
Microsoft Corporation. "How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA". <http://msdn.microsoft.com/en-us/library/ms998283.aspx>.
Microsoft Corporation. ".NET Framework Developer's Guide - Securing Connection Strings". <http://msdn.microsoft.com/en-us/library/89211k9b(VS.80).aspx>.
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
7 Pernicious KingdomsExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated References, Demonstrative Example, Potential Mitigations, Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, References, Taxonomy Mappings
2009-07-27CWE Content TeamMITREInternal
updated Demonstrative Examples