# Use of Hard-coded Password (CWE-259)

The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.

- Prevalence: High (frequently exploited)
- Impact: High (1 high-severity rule)
- Prevention: Documented (1 fix example)

**OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7

## Description

Hard-coded passwords are easily discovered through reverse engineering and cannot be changed without modifying the software. This creates a significant security risk, since the password effectively becomes public knowledge.

## Prevention

Hardcoded Password prevention strategy based on 1 Shoulder detection rule.

### JavaScript

Load passwords from environment variables instead of hardcoding them.

## Warning Signs

- [HIGH] Hardcoded weak password detected: ... This password is easily guessable and should never be used in production.
- [HIGH] Hardcoded weak passwords in database connections and configuration

## Consequences

- Gain privileges
- Bypass protection mechanism

## Mitigations

- Store passwords in a secure configuration file or in environment variables
- Use a secure credential management system
- Generate random passwords at installation time

## Detection

- Total rules: 1
- Languages: javascript, typescript

## Rules by Language

### Javascript (1 rule)

- **Hardcoded Weak Password** [HIGH]: Detects hardcoded weak passwords in database connections and configuration. Common weak passwords like "password", "admin", "root", "secret", etc. are easily guessed and should never be hardcoded in source code. This rule complements the high-entropy secrets detection by catching simple, well-known weak passwords that entropy-based detection would miss.
  - Remediation: Move credentials to environment variables.
    - Before: `password: 'password'`
    - After: `password: process.env.DB_PASSWORD`
    - Then set `DB_PASSWORD` in your environment or `.env` file.

### Typescript (1 rule)

- **Hardcoded Weak Password** [HIGH]: Detects hardcoded weak passwords in database connections and configuration. Common weak passwords like "password", "admin", "root", "secret", etc. are easily guessed and should never be hardcoded in source code. This rule complements the high-entropy secrets detection by catching simple, well-known weak passwords that entropy-based detection would miss.
  - Remediation: Move credentials to environment variables.
    - Before: `password: 'password'`
    - After: `password: process.env.DB_PASSWORD`
    - Then set `DB_PASSWORD` in your environment or `.env` file.
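The remediation above, as an added JavaScript example that is not part of the Shoulder rule or this page: a database connection config that reads `DB_PASSWORD` from the environment and refuses to start when the value is missing or is one of the well-known weak passwords the rule flags, instead of silently falling back to a literal. The `DB_HOST`/`DB_USER` variable names, the `app` default user and the weak-password list are assumptions for illustration.

```javascript
// Added example (not Shoulder's or the page's own code).
//
// Before (what the rule flags):
//   const config = { host: 'localhost', user: 'app', password: 'password' };
//
// After: the password comes only from the environment, and a missing or
// well-known weak value aborts startup rather than being used.

// Assumed list of well-known weak passwords, matched case-insensitively.
const WEAK_PASSWORDS = new Set(['password', 'admin', 'root', 'secret', '123456', 'changeme']);

// Returns null when the password is acceptable, otherwise a short reason.
function weakPasswordReason(password) {
  if (typeof password !== 'string' || password.length === 0) return 'missing';
  if (WEAK_PASSWORDS.has(password.toLowerCase())) return 'well-known weak password';
  return null;
}

// Builds the connection config from an env object (defaults to process.env).
// Throws instead of falling back to a default literal, so a misconfigured
// deployment fails loudly at startup rather than running with a guessable password.
function loadDbConfig(env = process.env) {
  const password = env.DB_PASSWORD;
  const reason = weakPasswordReason(password);
  if (reason) {
    throw new Error(`DB_PASSWORD rejected: ${reason}; set it in the environment or a .env file`);
  }
  return {
    host: env.DB_HOST || 'localhost',   // assumed variable name
    user: env.DB_USER || 'app',         // assumed variable name and default
    password,
  };
}

// Demo with constructed env values; the resolved password is never logged.
try {
  loadDbConfig({ DB_PASSWORD: 'password' });
} catch (e) {
  console.log(e.message);
}
const demoCfg = loadDbConfig({ DB_PASSWORD: 'constructed-example-only-Xk9', DB_HOST: 'db.internal' });
console.log(`config for ${demoCfg.user}@${demoCfg.host} loaded; password present: ${Boolean(demoCfg.password)}`);
```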