# Use of Hard-coded Password (CWE-259)

The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.

- Prevalence: High (frequently exploited)
- Impact: High (1 rule at High severity)
- Prevention: 1 remediation example recorded

**OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7

## Description

Hard-coded passwords are easily discovered through reverse engineering and cannot be changed without modifying the software. This creates a significant security risk, as the password effectively becomes public knowledge.

## Prevention

Hardcoded Password prevention strategy based on 1 Shoulder detection rule.

### JavaScript

Load passwords from environment variables instead of hardcoding them.

## Warning Signs

- [HIGH] Hardcoded weak password detected: ... This password is easily guessable and should never be used in production.
- [HIGH] Hardcoded weak passwords in database connections and configuration

## Consequences

- Gain privileges
- Bypass protection mechanism

## Mitigations

- Store passwords in a secure configuration file or in environment variables
- Use a secure credential management system
- Generate random passwords during installation

## Detection

- Total rules: 1
- Languages: javascript, typescript

## Rules by Language

### Javascript (1 rule)

- **Hardcoded Weak Password** [HIGH]: Detects hardcoded weak passwords in database connections and configuration. Common weak passwords like "password", "admin", "root", "secret", etc. are easily guessed and should never be hardcoded in source code. This rule complements the high-entropy secrets detection by catching simple, well-known weak passwords that entropy-based detection would miss.
  - Remediation: Move credentials to environment variables:
    - Before: `password: 'password'`
    - After: `password: process.env.DB_PASSWORD`
    - Then set `DB_PASSWORD` in your environment or `.env` file.

### Typescript (1 rule)

- **Hardcoded Weak Password** [HIGH]: Detects hardcoded weak passwords in database connections and configuration. Common weak passwords like "password", "admin", "root", "secret", etc. are easily guessed and should never be hardcoded in source code. This rule complements the high-entropy secrets detection by catching simple, well-known weak passwords that entropy-based detection would miss.
  - Remediation: Move credentials to environment variables:
    - Before: `password: 'password'`
    - After: `password: process.env.DB_PASSWORD`
    - Then set `DB_PASSWORD` in your environment or `.env` file.
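The following is an added example, not code from the original page and not the Shoulder rule itself. It shows both halves of the rule above in working JavaScript: a minimal detector for the literal weak-password pattern the rule describes (the "Before" case), run over constructed sample source, and the remediated configuration loader that reads the credential from `process.env.DB_PASSWORD` (the "After" case) and fails closed when it is missing. The weak-password list, the function names, and the `DB_HOST`/`DB_USER` variable names are assumptions for the example; only `DB_PASSWORD` comes from the page.

```javascript
// Added example: not part of the original page or of the Shoulder project.
// (1) findHardcodedWeakPasswords: flags `password: '<weak literal>'` in source.
// (2) loadDbConfig: the remediated form, reading DB_PASSWORD from the environment.

// Well-known weak values named by the rule. The exact list is an assumption;
// the page does not publish the rule's full list.
const WEAK_PASSWORDS = new Set(['password', 'admin', 'root', 'secret', '123456', '']);

// Matches `password: 'value'` or `password = "value"` in JS/TS source.
// Only quoted string literals match: `process.env.DB_PASSWORD` is an
// expression, not a literal, so the remediated line is not flagged.
const PASSWORD_ASSIGN = /\b(password|passwd|pwd)\s*[:=]\s*(['"])(.*?)\2/i;

/**
 * Scan source text line by line and return one finding { line, value }
 * per hard-coded weak password. This mirrors the rule's scope: simple,
 * well-known weak literals, not high-entropy secrets (those need an
 * entropy-based check, which this deliberately does not attempt).
 */
function findHardcodedWeakPasswords(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    const m = PASSWORD_ASSIGN.exec(text);
    if (m && WEAK_PASSWORDS.has(m[3].toLowerCase())) {
      findings.push({ line: idx + 1, value: m[3] });
    }
  });
  return findings;
}

/**
 * Remediated loader: build the DB connection config from the environment.
 * `env` defaults to process.env and is a parameter only so the function can
 * be exercised against a constructed environment. It throws when the
 * password is absent or empty, so a misconfigured deployment cannot start
 * with no credential or silently fall back to a default value.
 */
function loadDbConfig(env = process.env) {
  const password = env.DB_PASSWORD;
  if (typeof password !== 'string' || password.length === 0) {
    throw new Error('DB_PASSWORD is not set; refusing to start without a credential');
  }
  return {
    host: env.DB_HOST || 'localhost', // DB_HOST / DB_USER names are assumptions
    user: env.DB_USER || 'app',
    password,
  };
}

// Constructed sample source: the page's "Before" and "After" side by side.
const SAMPLE_SOURCE = [
  'const before = {',
  "  host: 'db.internal',",
  "  user: 'app',",
  "  password: 'password',",              // weak literal: flagged (line 4)
  '};',
  'const after = {',
  '  host: process.env.DB_HOST,',
  '  password: process.env.DB_PASSWORD,', // not a literal: not flagged
  '};',
].join('\n');

// Stand-alone run: scan the sample and load config from a constructed
// environment (the value below is a placeholder, not a real credential).
const sampleFindings = findHardcodedWeakPasswords(SAMPLE_SOURCE);
console.log('weak hard-coded passwords:', sampleFindings);
console.log('remediated config:', loadDbConfig({
  DB_HOST: 'db.internal',
  DB_PASSWORD: 'constructed-example-only',
}));
```

In a real deployment the `.env` file that supplies `DB_PASSWORD` must itself stay out of version control; the point of the fail-closed check in `loadDbConfig` is that a missing variable surfaces as a startup error rather than as a silent fallback to a default such as `'password'`.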