
Hardcoded Key

What does this mean?

A hardcoded key is a vulnerability that occurs when a cryptographic key, API key or password is written directly into the source code of an application or system. The value then ships with every copy of the code and the compiled artifact, so anyone who can read the repository, the binary or a backup can recover it and use it to gain unauthorized access to the resources or data it protects.

What can happen?

  • An attacker could use the hardcoded key to gain unauthorized access to resources or data protected by the key.
  • An attacker could decrypt sensitive data, potentially leading to a data breach.
  • An attacker could gain access to a system and potentially take control of it, leading to a full compromise of that system.
  • A data breach or system compromise caused by a hardcoded key could damage the credibility and reputation of the affected organization.

Recommendation

  • Never store keys or passwords in the source code (including configuration files checked into the repository).
  • Load keys and passwords at runtime from a source outside the code base; the samples below use environment variables.
  • Implement proper access controls so that only the components that need a key can read it.
  • Regularly update and patch software, and rotate any key that has ever been committed to source control.
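The first recommendation is easiest to enforce when the check is automated. The following Go program is an added example, not part of the original page: it scans source text for the pattern this page's vulnerable samples all share (a string literal assigned to an identifier whose name looks like a credential) and skips lines that read the value from the environment. The sample input is constructed for the example and contains one vulnerable and one safe line per language on this page; the keyword list, the credential-word list and the regular expressions are this example's own heuristics, not a standard.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one suspected hardcoded secret: the line it sits on, the identifier
// that receives the literal, and the line text for the reviewer.
type Finding struct {
	Line int
	Name string
	Text string
}

// assignment matches `NAME = "literal"` in the spellings used by the samples on this
// page: optional modifier keywords (C#, Java, JavaScript, Go), an optional $ sigil (PHP),
// and either `=` or `:=`. The keyword list is an assumption of this example.
var assignment = regexp.MustCompile(
	`(?i)^\s*(?:(?:public|private|static|readonly|final|const|string|var|let)\s+)*\$?([A-Za-z_][A-Za-z0-9_]*)\s*:?=\s*"([^"]*)"`)

// phpDefine matches PHP's define("NAME", "literal").
var phpDefine = regexp.MustCompile(`(?i)define\(\s*"([A-Za-z_][A-Za-z0-9_]*)"\s*,\s*"([^"]*)"\s*\)`)

// envLookup marks lines that take the value from the environment instead of embedding
// it; those are the non-vulnerable form and are not reported.
var envLookup = regexp.MustCompile(`(?i)(getenv|GetEnvironmentVariable|process\.env|ENV\[)`)

// secretWords are substrings of identifier names that usually denote a credential
// (assumed list; extend it for your own naming conventions).
var secretWords = []string{"key", "secret", "password", "passwd", "token"}

func looksLikeSecretName(name string) bool {
	lower := strings.ToLower(name)
	for _, w := range secretWords {
		if strings.Contains(lower, w) {
			return true
		}
	}
	return false
}

// ScanSource reports every line that assigns a non-empty string literal to a
// credential-looking identifier. It is a heuristic: it finds the pattern shown in
// this page's vulnerable samples, not every way a secret can end up in code.
func ScanSource(src string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(src, "\n") {
		if envLookup.MatchString(line) {
			continue
		}
		var name, value string
		if m := phpDefine.FindStringSubmatch(line); m != nil {
			name, value = m[1], m[2]
		} else if m := assignment.FindStringSubmatch(line); m != nil {
			name, value = m[1], m[2]
		} else {
			continue
		}
		// An empty literal is a placeholder, not a secret.
		if value == "" || !looksLikeSecretName(name) {
			continue
		}
		findings = append(findings, Finding{Line: i + 1, Name: name, Text: strings.TrimSpace(line)})
	}
	return findings
}

// sampleSource is constructed for this example: one vulnerable and one safe line per
// language on the page, plus a harmless string assignment that must not be reported.
const sampleSource = `private static readonly string KEY = "secret_key";
string key = Environment.GetEnvironmentVariable("SECRET_KEY");
private static final String KEY = "secret_key";
String key = System.getenv("SECRET_KEY");
define("KEY", "secret_key");
$key = getenv("SECRET_KEY");
const KEY = "secret_key";
const key = process.env.SECRET_KEY;
const key = "secret_key"
key := os.Getenv("SECRET_KEY")
KEY = "secret_key"
key = ENV["SECRET_KEY"]
name = "not a secret"`

func main() {
	for _, f := range ScanSource(sampleSource) {
		fmt.Printf("line %d: identifier %q is assigned a string literal: %s\n", f.Line, f.Name, f.Text)
	}
}
```

Run against the constructed input it reports lines 1, 3, 5, 7, 9 and 11 (the six vulnerable forms) and nothing else. A check like this belongs in a pre-commit hook or CI job; it is cheap, and a false positive costs a reviewer a glance while a miss costs a key rotation.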

Sample Code

Vulnerable (C#):

using System;

public class Program
{
    // The key is a compile-time constant: anyone with the source or the built assembly can read it.
    private static readonly string KEY = "secret_key";

    public static void Main(string[] args)
    {
        Console.WriteLine($"Key: {KEY}");
    }
}

Non Vulnerable (C#):

using System;

public class Program
{
    public static void Main(string[] args)
    {
        // The value is supplied by the runtime environment, so it never appears in the source.
        string key = Environment.GetEnvironmentVariable("SECRET_KEY");
        if (key == null)
        {
            Console.WriteLine("SECRET_KEY is not set");
        }
        else
        {
            // Printed here only to demonstrate that it was loaded; real code must not log the key.
            Console.WriteLine($"Key: {key}");
        }
    }
}

Vulnerable (Java):

public class Main {
    // The key is a constant in the class file: anyone with the source or the jar can read it.
    private static final String KEY = "secret_key";

    public static void main(String[] args) {
        System.out.println("Key: " + KEY);
    }
}

Non Vulnerable (Java):

public class Main {
    public static void main(String[] args) {
        // The value is supplied by the runtime environment, so it never appears in the source.
        String key = System.getenv("SECRET_KEY");
        if (key == null) {
            System.out.println("SECRET_KEY is not set");
        } else {
            // Printed here only to demonstrate that it was loaded; real code must not log the key.
            System.out.println("Key: " + key);
        }
    }
}

Vulnerable (PHP):

<?php
// The key is a literal in the script: anyone who can read the file can read it.
define("KEY", "secret_key");

echo "Key: " . KEY;

Non Vulnerable (PHP):

<?php
// getenv() returns false when the variable is absent, so compare strictly.
$key = getenv("SECRET_KEY");

if ($key === false) {
    echo "SECRET_KEY is not set";
} else {
    // Printed here only to demonstrate that it was loaded; real code must not log the key.
    echo "Key: $key";
}

Vulnerable (JavaScript):

// The key is a literal in the module: anyone who can read the file or the bundle can read it.
const KEY = "secret_key";
console.log(`Key: ${KEY}`);

Non Vulnerable (JavaScript, Node.js):

// process.env yields undefined for a variable that is not set.
const key = process.env.SECRET_KEY;

if (key === undefined) {
    console.log("SECRET_KEY is not set");
} else {
    // Printed here only to demonstrate that it was loaded; real code must not log the key.
    console.log(`Key: ${key}`);
}

Vulnerable (Go):

package main

import "fmt"

// The key is a constant in the binary: anyone with the source or the executable can read it.
const key = "secret_key"

func main() {
    fmt.Println("Key:", key)
}

Non Vulnerable (Go):

package main

import (
    "fmt"
    "os"
)

func main() {
    // os.Getenv returns "" both for an unset variable and for one set to the empty string.
    key := os.Getenv("SECRET_KEY")
    if key == "" {
        fmt.Println("SECRET_KEY is not set")
    } else {
        // Printed here only to demonstrate that it was loaded; real code must not log the key.
        fmt.Println("Key:", key)
    }
}

Vulnerable (Ruby):

# The key is a literal in the script: anyone who can read the file can read it.
KEY = "secret_key"

puts "Key: #{KEY}"

Non Vulnerable (Ruby):

# ENV[] returns nil for a variable that is not set.
key = ENV["SECRET_KEY"]

if key.nil?
  puts "SECRET_KEY is not set"
else
  # Printed here only to demonstrate that it was loaded; real code must not log the key.
  puts "Key: #{key}"
end
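The non-vulnerable samples above all follow the same shape: read the value from the environment, check for absence, continue. The Go program below is an added example, not code from the original page, that generalizes that pattern into a loader a practitioner would actually ship. It uses os.LookupEnv so that "unset" and "set but empty" are distinguished, fails closed on missing, empty or too-short values instead of running with a blank key, and logs only a short SHA-256 fingerprint so the key itself is never written to output. The minimum length, the variable name and the fingerprint format are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"log"
	"os"
	"strings"
)

// minSecretLen is an assumed policy for this example; set it to the length your key format requires.
const minSecretLen = 16

var (
	ErrMissingSecret = errors.New("not set")
	ErrEmptySecret   = errors.New("set but empty")
	ErrShortSecret   = errors.New("shorter than the required minimum")
)

// LoadSecret reads the named value through lookup (os.LookupEnv in production, a map
// in tests) and fails closed: a missing, empty or too-short value is an error, so the
// program never proceeds with a blank or default key the way an unchecked os.Getenv would allow.
func LoadSecret(name string, lookup func(string) (string, bool)) (string, error) {
	raw, ok := lookup(name)
	if !ok {
		return "", fmt.Errorf("%s: %w", name, ErrMissingSecret)
	}
	key := strings.TrimSpace(raw)
	if key == "" {
		return "", fmt.Errorf("%s: %w", name, ErrEmptySecret)
	}
	if len(key) < minSecretLen {
		return "", fmt.Errorf("%s: %w", name, ErrShortSecret)
	}
	return key, nil
}

// Fingerprint returns a short, non-reversible identifier for log lines, so an operator can
// tell which key a process loaded (and notice a rotation) without the key ever being printed.
func Fingerprint(secret string) string {
	sum := sha256.Sum256([]byte(secret))
	return "sha256:" + hex.EncodeToString(sum[:4])
}

func main() {
	key, err := LoadSecret("SECRET_KEY", os.LookupEnv)
	if err != nil {
		// Refuse to start rather than continue with no key.
		log.Fatalf("refusing to start: %v", err)
	}
	// Log the fingerprint, never the value.
	fmt.Println("loaded SECRET_KEY", Fingerprint(key))
}
```

Injecting the lookup function keeps the loader testable without touching the real environment, and wrapping the sentinel errors with %w lets callers decide with errors.Is whether a failure is "not configured" or "misconfigured".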
