CWE-13 – ASP.NET Misconfiguration: Password in Configuration File

Read Time:24 Second

Description

Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attackers.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-260

 

Consequences

Access Control: Gain Privileges or Assume Identity

 

Potential Mitigations

Phase: Implementation

Description: 

Credentials stored in configuration files should be encrypted, Use standard APIs and industry accepted algorithms to encrypt the credentials stored in configuration files.

CVE References