CWE-13 ASP.NET误配置:配置文件中存储口令
ASP.NET Misconfiguration: Password in Configuration File
结构: Simple
Abstraction: Variant
状态: Draft
被利用可能性: unkown
基本描述
Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attackers.
相关缺陷
- cwe_Nature: ChildOf cwe_CWE_ID: 260 cwe_View_ID: 1000 cwe_Ordinal: Primary
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Access Control | Gain Privileges or Assume Identity |
可能的缓解方案
Implementation
策略:
Credentials stored in configuration files should be encrypted, Use standard APIs and industry accepted algorithms to encrypt the credentials stored in configuration files.
示例代码
例
The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database but the pair is stored in plaintext.
bad ASP.NET
...
Username and password information should not be included in a configuration file or a properties file in plaintext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information.
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| 7 Pernicious Kingdoms | ASP.NET Misconfiguration: Password in Configuration File |
引用
-
REF-103 How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
-
REF-104 How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
-
REF-105 .NET Framework Developer's Guide - Securing Connection Strings
文章来源于互联网:scap中文网
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论