Use of Hard-coded Password [VID:259:org/owasp/webgoat/session/ECSFactory.java:1] #267
Description
Filename: org/owasp/webgoat/session/ECSFactory.java
Line: 1
CWE: 259 (Use of Hard-coded Password)
This variable assignment uses a hard-coded password that may compromise system security in a way that cannot be easily remedied. The use of a hard-coded password significantly increases the possibility that the account being protected will be compromised. Moreover, the password cannot be changed without patching the software. If a hard-coded password is compromised in a commercial product, all deployed instances may be vulnerable to attack. In some cases, this finding may indicate a reference to a password (e.g. the name of a key in a properties file) rather than an actual password. PASSWORD initializer Store passwords out-of-band from the application code. Follow best practices for protecting credentials stored in locations such as configuration or properties files. An HSM may be appropriate for particularly sensitive credentials. References: CWE