HCC

Use of hard-coded credentials (password and username)

If software contains hard-coded credentials for authentication, the software is highly vulnerable to attacks because a malicious user has the opportunity to extract this information from the executable file.

The HCC checker detects the use of hard-coded credentials--passwords and usernames--as parameters for authentication functions. The HCC checker also detects cases where software compares user credentials with internal hard-coded values in back-end applications. Hard-coded credentials may not only be coded as credentials used to authenticate a function; they may also be used as a hard-coded check. If a username or a password of an authentication function is compared to a hard-coded string, this is also a vulnerability. By default, this checker considers the functions from popular software libraries, but can also be configured to detect custom authentication functions.

Vulnerability and risk

The use of hard-coded credentials makes it possible for an attacker to extract the credentials from the executable file and bypass the authentication. Hard-coded credentials create a significant risk that may be difficult to detect and to fix.

Mitigation and prevention

For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, implement a "first login" mode that requires the user to enter a unique strong password or key.

Vulnerable code example 1

In this example, Klocwork reports a defect at line 45, stating that the function connect_to_db is invoked by using hard-coded credentials.

1   #include <mysql.h>
2   
3   typedef struct
4   {
5        char  *username;
6        char  *password;
7        char  *host;
8   }
9   login_t;
10  
11  void  work_with_db(MYSQL *);
12  
13  MYSQL *connect_to_db(login_t *login)
14  {
15      MYSQL *mysql = NULL;
16
17      mysql = mysql_init(mysql);
18
19      if  (!mysql) 
20      {
21           return  mysql;
22      }
23
24      if  (!mysql_real_connect(mysql,
25                          login->host,
26                          login->username,
27                          login->password,
28                          NULL,
29                          0,
30                          NULL,
31                          CLIENT_FOUND_ROWS))
32      { 
33            return  NULL;
34      }
35      else
36      {  
37            return  mysql;
38      }
39  } 
40
41  int  main( int  argc,  char  *argv[])
42  {
43        login_t login = {  "username" ,  "password" ,  "localhost"  };
44
45        MYSQL *mysql = connect_to_db(&login);
46      
47        if  (!mysql) 
48        { 
49              return  -1;
50        }
51
52        work_with_db(mysql);
53        mysql_close(mysql);
54
55        return  0;
56  } 

Fixed code example 1

In this corrected example, Klocwork no longer reports that the function connect_to_db is invoked by using hard-coded credentials.

1   #include <mysql.h>
2
3   typedef struct 
4   {
5       char *username;
6       char *password;
7       char *host;
8   } 
9   login_t;
10 
11  login_t read_and_decrypt_auth_info();
12  void work_with_db(MYSQL *);
13    
14  MYSQL *connect_to_db(login_t *login)
15  {
16      MYSQL *mysql = NULL;
17 
18      mysql = mysql_init(mysql);
19 
20      if (!mysql) 
21  	{
22          return mysql;
23      }
24 
25      if (!mysql_real_connect(mysql,
26                              login->host,
27                              login->username,
28                              login->password,
29                              NULL,
30                              0,
31                              NULL,
32                              CLIENT_FOUND_ROWS))
33  	{
34          return NULL;
35      } 
36      else 
37  	{
38          return mysql;
39      }
40  }
41 
42  int main(int argc, char *argv[])
43  {
44      login_t login = read_and_decrypt_auth_info();   
45 
46      MYSQL *mysql = connect_to_db(&login);
47   
48      if (!mysql) 
49      {
50          return -1;
51      }
52
53      work_with_db(mysql);
54      mysql_close(mysql);
55 
56      return 0;
57  }                    

Vulnerable code example 2

In this example, Klocwork will report a defect at line 5, stating that user credentials are compared with hard-coded values.

1   #include <string>
2 
3   bool connectToServer(const std::string &userAndPassword)
4   {
5     if (userAndPassword == "alice:s3cr3t")
6       return true;
7     return false;
8   }

Fixed code example 2

In this correct example, Klocwork no longer reports a defect.

1   #include <string>
2    
3   namespace database 
4   {
5     bool checkServerCredentials(const std::string &userAndPassword);
6   }
7 
8   bool connectToServer(const std::string &userAndPassword)
9   {
10    return database::checkServerCredentials(userAndPassword);
11  }

Related checkers

• HCC.PWD
• SV.WEAK_CRYPTO.WEAK_HASH
• HCC.USER
• RCA.HASH.SALT.EMPTY
• SV.WEAK_CRYPTO.WEAK_HASH
• RCA

External guidance

• CWE-798 - Use of Hard-coded Credentials

Extension

This checker can be extended through the Klocwork knowledge base. See Tuning C/C++ analysis for more information.