Usage of Hard-Coded Secret
Overview
Rule ID: javascript_express_hardcoded_secret
Applicable Languages: JavaScript
Weakness ID: CWE-798
Description
Exception messages that expose sensitive information can be a critical security vulnerability. When exception details are printed directly to the default output, they might reveal crucial information about the application’s configuration or environment, such as file paths, server details, or database configurations. This not only aids attackers in identifying potential entry points but also risks exposing user-specific data, leading to privacy violations.
Remediation Guidelines
Do not store plaintext secrets in your code. This makes your application vulnerable to unauthorized access if the codebase is exposed.
Instead, use environment variables to store secrets. This method keeps sensitive information out of your codebase.
For enhanced security, use a secret management system or a key management service (KMS) with encryption. These services provide secure storage and management of secrets, reducing the risk of exposure.