Détail du CWE-13

Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attackers.

Modes d'introduction

Architecture and Design
Implementation

Plateformes applicables

Langue

Name: ASP.NET (Undetermined)

Conséquences courantes

Mesures d’atténuation potentielles

Phases : Implementation
Credentials stored in configuration files should be encrypted, Use standard APIs and industry accepted algorithms to encrypt the credentials stored in configuration files.

Notes de cartographie des vulnérabilités

Justification : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Références

REF-6

Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors
Katrina Tsipenyuk, Brian Chess, Gary McGraw.
https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf

REF-103

How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
Microsoft Corporation.
https://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff647398(v=pandp.10)?redirectedfrom=MSDN

REF-104

How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
Microsoft Corporation.
https://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff650304(v=pandp.10)?redirectedfrom=MSDN

REF-105

.NET Framework Developer's Guide - Securing Connection Strings
Microsoft Corporation.
http://msdn.microsoft.com/en-us/library/89211k9b(VS.80).aspx

Soumission

Modifications