All geek questions in one place

Hard Coded Password Detection

I am trying to detect hardcoded passwords in source code files.

I am currently checking the assignment of variables and the comparison for identifiers with the substring corresponding to the password, pswd.

But this leads to many false positives, similar in this case (reading passwords from the configuration file)

String PASSWORD_KEY = "server.password"; String password = prop.getProperty(PASSWORD_KEY);

I can mark some substrings, such as Key, location, path, for which I can skip the error generation, but apart from this I can not come up with a more suitable approach.

All suggestions are welcome.

+5
source share
1 answer

In real cases, hidden backyards will find out that the code is usually much more hidden to use a variable name that indicates the target.

So, in order to get something reliable, you will need to do a full static analysis and have the β€œintelligence” in the code check to understand the code and find where the authentication takes place, and then work back to see if there are any hidden ways to achieve this .

IMHO it is cheaper to hire someone to do (security) code reviews than trying to automate this.

0
source

Source: https://habr.com/ru/post/1238360/

More articles:


All Articles