Variant · Low-Medium

CWE-13: ASP.NET Misconfiguration: Password in Configuration File

Storing a plaintext password in a configuration file gives anyone who can read the file access to the password-protected resource, making such files an easy target for attackers.

CWE-13 · Variant Level · 1 Mitigation

Description

Storing a plaintext password in a configuration file gives anyone who can read the file access to the password-protected resource, making such files an easy target for attackers. In ASP.NET the file in question is usually web.config, and a copy of it tends to exist well beyond the production server: in backups, deployment packages, developer machines and source control. Each of those copies carries the credential, so the exposure is not limited to whoever can read the file on the web server.

Potential Impact

Access Control

Gain Privileges or Assume Identity

Demonstrative Examples

The following example shows a portion of a configuration file for an ASP.NET application. The configuration file includes the username and password for a database connection, but the pair is stored in plaintext.
Bad

  ...
  <connectionStrings>
    <add name="ud_DEV"
         connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;"
         providerName="System.Data.Odbc" />
  </connectionStrings>
  ...

Username and password information should not be included in a configuration file or a properties file in plaintext, since anyone who can read the file then has access to the resource. Note that the account name in this example (db2admin) suggests an administrative database account, so reading the file grants far more than a single connection. If possible, encrypt this information.
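The check a practitioner would want before such a file reaches a server or a repository is a scan for exactly this pattern. The following C# program is an added example and is not part of the CWE entry: it parses a web.config (SampleWebConfig is constructed here around the vulnerable fragment above, plus a hypothetical appSettings entry), treats a section that has already been encrypted with ASP.NET Protected Configuration as clean, and reports every connection string or application setting that still carries a plaintext password.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Common;
using System.Xml.Linq;

// Added example, not part of the CWE entry: scan a web.config for plaintext
// credentials the way a pre-deployment or repository check would.
// SampleWebConfig is constructed here around the page's vulnerable fragment;
// the appSettings entries are hypothetical.
public static class ConfigCredentialScanner
{
    public const string SampleWebConfig = @"<?xml version=""1.0""?>
<configuration>
  <connectionStrings>
    <add name=""ud_DEV"" connectionString=""connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;"" providerName=""System.Data.Odbc"" />
  </connectionStrings>
  <appSettings>
    <add key=""ReportServicePassword"" value=""letmein"" />
    <add key=""PageSize"" value=""50"" />
  </appSettings>
</configuration>";

    // Connection-string keywords that carry a secret (ADO.NET and ODBC accept both spellings).
    static readonly string[] PasswordKeywords = { "pwd", "password" };

    public static List<string> FindPlaintextPasswords(string webConfigXml)
    {
        var findings = new List<string>();
        XDocument doc = XDocument.Parse(webConfigXml);

        foreach (XElement section in doc.Descendants("connectionStrings"))
        {
            // A section encrypted with ASP.NET Protected Configuration carries a
            // configProtectionProvider attribute and an <EncryptedData> child in
            // place of the <add> elements, so there is no plaintext left to flag.
            if (section.Attribute("configProtectionProvider") != null)
                continue;

            foreach (XElement add in section.Elements("add"))
            {
                string name = (string)add.Attribute("name") ?? "(unnamed)";
                string cs = (string)add.Attribute("connectionString") ?? "";

                // DbConnectionStringBuilder parses "key=value;" pairs case-insensitively
                // and does not validate keywords, so it handles ODBC strings like this one.
                var parts = new DbConnectionStringBuilder { ConnectionString = cs };
                foreach (string keyword in PasswordKeywords)
                {
                    if (parts.ContainsKey(keyword) && !string.IsNullOrEmpty(parts[keyword] as string))
                        findings.Add("connectionStrings/" + name + ": plaintext '" + keyword + "=' present");
                }
            }
        }

        // Secrets also end up in <appSettings>; flag keys whose name suggests a password.
        foreach (XElement add in doc.Descendants("appSettings").Elements("add"))
        {
            string key = (string)add.Attribute("key") ?? "";
            string value = (string)add.Attribute("value") ?? "";
            bool looksLikePassword =
                key.IndexOf("password", StringComparison.OrdinalIgnoreCase) >= 0 ||
                key.IndexOf("pwd", StringComparison.OrdinalIgnoreCase) >= 0;
            if (looksLikePassword && !string.IsNullOrEmpty(value))
                findings.Add("appSettings/" + key + ": plaintext value present");
        }
        return findings;
    }

    public static void Main()
    {
        foreach (string finding in FindPlaintextPasswords(SampleWebConfig))
            Console.WriteLine("CWE-13: " + finding);
    }
}
```

Run against the constructed sample it reports the ud_DEV connection string and the ReportServicePassword setting and stays silent on PageSize. The scanner deliberately keys on the structure that Protected Configuration leaves behind (the configProtectionProvider attribute) rather than on the absence of the word "pwd", so an encrypted section is not reported and a section that was merely obfuscated by hand still is.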

Mitigations & Prevention

Implementation

Credentials stored in configuration files should be encrypted. Use standard APIs and industry-accepted algorithms to encrypt the credentials stored in configuration files; in ASP.NET this is the Protected Configuration feature (the aspnet_regiis -pe command or the SectionInformation.ProtectSection API), which encrypts a whole section such as <connectionStrings> with DPAPI or an RSA key container so that the plaintext never sits in web.config. Be clear about what this control does and does not do: the application must still be able to decrypt the section at runtime, so anyone who can execute code as the application identity on that machine can recover the credential. Encryption protects the file at rest, in backups and in source control; it does not replace a least-privilege database account for the application.
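The following C# program is an added example, not code from the CWE entry or from any vendor sample, of applying that mitigation programmatically. It assumes a .NET Framework site mounted at the IIS virtual path "/MyApp" (hypothetical), references to System.Configuration and System.Web, and an account permitted to rewrite web.config. It encrypts the connectionStrings section with the DPAPI-backed provider, then verifies on disk that the plaintext credential is gone and that reading the section back through the configuration API still works.

```csharp
using System;
using System.Configuration;
using System.IO;
using System.Web.Configuration;

// Added example, not part of the CWE entry or any vendor sample: encrypt the
// <connectionStrings> section of an ASP.NET (.NET Framework) web.config with
// ASP.NET Protected Configuration. Assumes the site is mounted at the IIS
// virtual path "/MyApp" (hypothetical) and that the project references
// System.Configuration and System.Web. Run under an account allowed to write web.config.
public static class ConnectionStringProtection
{
    const string SectionName = "connectionStrings";

    // DPAPI-backed provider: the key is held by Windows for this machine, so a
    // copy of the file is useless elsewhere. Use "RsaProtectedConfigurationProvider"
    // when the same web.config must decrypt on several machines (web farm) and
    // export/import the RSA key container instead.
    const string ProviderName = "DataProtectionConfigurationProvider";

    // Encrypts the section in place. Returns true if the file was rewritten,
    // false if it was already protected.
    public static bool Protect(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection(SectionName);
        if (section == null)
            throw new InvalidOperationException("web.config has no <" + SectionName + "> section");
        if (section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(ProviderName);
        section.SectionInformation.ForceSave = true;   // write even though no value changed
        config.Save(ConfigurationSaveMode.Modified);

        // Check the file on disk, not the in-memory object: no plaintext password
        // keyword may remain anywhere in the file, and the section must now carry
        // an <EncryptedData> element.
        string onDisk = File.ReadAllText(config.FilePath);
        if (onDisk.IndexOf("pwd=", StringComparison.OrdinalIgnoreCase) >= 0
            || onDisk.IndexOf("password=", StringComparison.OrdinalIgnoreCase) >= 0
            || !onDisk.Contains("<EncryptedData"))
            throw new InvalidOperationException("plaintext credential still present after Save()");
        return true;
    }

    // Reading through the configuration API is unchanged: the runtime decrypts the
    // section transparently for code running as an identity that holds the key.
    public static string GetConnectionString(string virtualPath, string name)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConnectionStringSettings settings = config.ConnectionStrings.ConnectionStrings[name];
        if (settings == null)
            throw new ConfigurationErrorsException("connection string '" + name + "' not found");
        return settings.ConnectionString;
    }

    public static void Main()
    {
        Console.WriteLine(Protect("/MyApp") ? "connectionStrings encrypted" : "already protected");
        // Still readable by the application; only the file on disk changed.
        Console.WriteLine(GetConnectionString("/MyApp", "ud_DEV").Length > 0 ? "usable" : "empty");
    }
}
```

The same result without writing code is aspnet_regiis -pe "connectionStrings" -app "/MyApp" (and -pd to decrypt again). Whichever route is used, the verification step matters: a Save() that silently wrote nothing leaves the plaintext in place, and the on-disk check is what catches that. Remember that the DPAPI key is machine-bound, so the encrypted web.config must be produced on, or the RSA key container imported to, every server that will read it.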

Taxonomy Mappings

  • 7 Pernicious Kingdoms: ASP.NET Misconfiguration: Password in Configuration File

Frequently Asked Questions

What is CWE-13?

CWE-13 (ASP.NET Misconfiguration: Password in Configuration File) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. Storing a plaintext password in a configuration file gives anyone who can read the file access to the password-protected resource, making such files an easy target for attackers.

How can CWE-13 be exploited?

An attacker who obtains a copy of the configuration file, whether by reading it on the server, from a backup or deployment package, or from a source repository, can read the credential directly and use it to gain privileges or assume the identity of the application against the protected resource; no cracking is needed because the password is stored in plaintext. This weakness is typically introduced during the Architecture and Design and Implementation phases of software development.

How do I prevent CWE-13?

Key mitigations include: encrypt credentials stored in configuration files, using standard APIs and industry-accepted algorithms (for ASP.NET, the Protected Configuration feature) rather than a home-grown scheme, and limit what the credential can do by giving the application a least-privilege account rather than an administrative one.

What is the severity of CWE-13?

CWE-13 is classified as a Variant-level weakness (Variant is its abstraction level; the Low-Medium rating shown at the top of this page is a separate indicator, not a CVSS score). Its actual severity depends on what the exposed credential unlocks: in the example above the account name db2admin suggests an administrative database account, so disclosure of that one file would amount to administrative access to the database.