Shruthi HM

Reputation: 55

Password Management : Hard coded password in html

Fortify outputs the following line as vulnerable to attack under the category "Password Management: Hard coded Password", though I have not hard coded the password. Why is it showing that as a vulnerability, and how do I fix it?

txtPassword.style.visibility = "visible";

Thanks in advance!

Upvotes: 4

Views: 7744

Answers (1)

Scott

Reputation: 71

I do not have visibility into the internals, but it appears that, as part of the 'Structural Analyzer', the Fortify tool searches for text that may indicate that a password is stored. It cannot tell whether a password is hard coded, but, based on a conversation with an HP Fortify consultant, Fortify leans toward flagging an issue if at all in doubt, allowing the person(s) remediating the audit information to determine whether it is a vulnerability or not.

The following text examples trigger a line of code to be flagged in my code base:

  • Password
  • password
  • Passwd
  • passwd

There are a couple of ways to remediate the issue and the correct one for your organization may depend on the work effort:

  1. Mark the flagged issue as 'Not an Issue', indicating that this is a variable/control name and that a password is not hard coded in the code.
  2. Rename the variable/control name to something that would not be flagged - txtPwd may be an option in this case.

Upvotes: 6
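To make the distinction in the answer above concrete, here is an added example (not code from the original post, and not Fortify's own rules, which are not public): a small JavaScript scanner that first applies the keyword heuristic the answer describes (any identifier containing "password" or "passwd", case-insensitive) and then applies the stricter check a reviewer does by hand when triaging the finding, namely whether that identifier is assigned a non-empty string literal on the same line. The stricter rule and all sample lines are constructed for this example; the control name `txtPwd` is the rename suggested in the answer.

```javascript
// Added example (not from the original post). Mimics the keyword heuristic the
// answer reports for Fortify's structural check, then applies a stricter,
// reviewer-style check to separate genuine hard-coded secrets from control
// names that merely contain the word "password". The stricter regex is an
// assumption for this example, not Fortify's actual rule.

// Keyword heuristic: any identifier-like token containing password/passwd.
const KEYWORD_RE = /\b[\w$]*(password|passwd)[\w$]*\b/i;

// Stricter check: a password-like identifier (optionally dotted, e.g.
// cfg.password) assigned or keyed to a non-empty string literal on the same
// line. Group 3 captures the opening quote; \3 requires the matching close.
const LITERAL_ASSIGN_RE =
  /\b[\w$.]*(password|passwd)[\w$]*\s*(=|:)\s*(["'`])(?:(?!\3).)+\3/i;

// Returns "clean" (no keyword), "false-positive" (keyword but no literal
// secret assigned) or "hardcoded" (keyword assigned a string literal).
function classifyLine(line) {
  if (!KEYWORD_RE.test(line)) return "clean";
  return LITERAL_ASSIGN_RE.test(line) ? "hardcoded" : "false-positive";
}

// Scans a source string and reports only lines that would be flagged.
function scan(source) {
  return source
    .split("\n")
    .map((text, i) => ({ line: i + 1, verdict: classifyLine(text), text: text.trim() }))
    .filter((r) => r.verdict !== "clean");
}

// Constructed sample input for this example. Line 2 is the line from the
// question; line 5 is the same control after the rename suggested in the answer.
const SAMPLE = `
txtPassword.style.visibility = "visible";
var password = "hunter2";
const config = { passwd: 'letmein' };
txtPwd.style.visibility = "visible";
document.getElementById("password").value = "";
`;

for (const finding of scan(SAMPLE)) {
  console.log(`line ${finding.line}: ${finding.verdict.padEnd(14)} ${finding.text}`);
}
```

Running the block shows the keyword heuristic flagging four of the five non-empty lines, but only the two that assign a string literal to a password-named identifier survive the stricter check; the question's line and the `getElementById("password")` line come out as false positives, and the renamed `txtPwd` line is never flagged at all.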
