Bug Bounty Tip: CWE-798 – The Hard Coded Credentials Vulnerability
Bug bounty tip of the week comes from Alican Kiraz. Alican shares his bug bounty tip on identifying and reporting CWE-798, AKA Hard Coded Credentials Vulnerability. Let’s dive into the bug bounty tip of the week!
What is CWE-798 / The Hard-coded Credentials?
CWE-798, or the use of “Hard-coded Credentials”, involves storing sensitive authentication information, like passwords or encryption keys, directly in the code.
Identifying the CWE-798 / The Hard-coded Credentials
Look for code snippets where credentials are embedded in the source code. For example:
DriverManager.getConnection(url, “scott”, “tiger”);
Dig into the Code of CWE-798 / The Hard-coded Credentials
- Examine database connections, API calls, or any communication with external components.
- Check for hard-coded credentials in configuration files or directly within the code.
How to Report CWE-798 / The Hard-coded Credentials?
- – When reporting the vulnerability, clearly state the affected code segments.
- – Provide the location of the hardcoded credentials and potential risks associated.
BONUS: Offer a solution for CWE-798 / The Hard-coded Credentials
Encourage the use of configuration files separate from the code to store sensitive data.
Get Bug Bounty-Famous with BugBounter!
The bug bounty tips are one the most effective methods to contribute to the international community of bug bounty hunters as you help each other develop as cybersecurity researchers, and increase your online reputation.
BugBounter values the efforts of the bug bounty hunters who’d like to contribute to the international community of bug bounty hunters at the utmost level.
If you are not registered on BugBounter, register today and reach out to us with the following:
- Your BugBounter username,
- The social medias you’d like to be tagged with your username,
- And – the most important one – your bug bounty tip.
Thank you for reading this week’s tip by Alican Kiraz on identifying and reporting the CWE-798 / the hard-coded credentials vulnerability.