CWE-13 ASP.NET误配置：配置文件中存储口令

ASP.NET Misconfiguration: Password in Configuration File

结构: Simple

Abstraction: Variant

状态: Draft

被利用可能性: unkown

基本描述

Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attackers.

相关缺陷

• cwe_Nature: ChildOf cwe_CWE_ID: 260 cwe_View_ID: 1000 cwe_Ordinal: Primary

常见的影响

可能的缓解方案

Implementation

策略:

Credentials stored in configuration files should be encrypted, Use standard APIs and industry accepted algorithms to encrypt the credentials stored in configuration files.

示例代码

例

The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database but the pair is stored in plaintext.

bad ASP.NET

Username and password information should not be included in a configuration file or a properties file in plaintext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information.

分类映射

引用

• REF-103 How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI

• REF-104 How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA

• REF-105 .NET Framework Developer's Guide - Securing Connection Strings