
The designer will ensure the application does not contain embedded authentication data.


Overview

Finding ID: V-6156
Version: APP3350
Rule ID: SV-6156r1_rule
IA Controls: IAIA-1, IAIA-2
Severity: High
Description
Authentication data stored in code could potentially be read and used by anonymous users to gain access to a backend database or application server. This could lead to immediate access to a backend server.
STIG: Application Security and Development Checklist
Date: 2014-12-22

Details

Check Text ( C-14176r1_chk )
Review source code (including global.asa, if present), configuration files, scripts, HTML files, and any other ASCII files to locate any instance in which a password, certificate, or other sensitive data is included in code.

If credentials were found, check the file permissions on the offending file.

1) If the file permissions indicate that the file has no access control permissions (everyone can read or is world readable), this is a CAT I finding.

2) If there is a level of file protection that requires that at least authenticated users have read access, this is a CAT I finding.

3) If a level of protection exists that only administrators or those with a UID of 0 can read the file, this is a CAT II finding.

The finding details should note specifically where the offending credentials or data were located and what resources they enabled.
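The check above is a manual review, but the two steps it describes (locate embedded authentication data, then grade the finding by who can read the file) can be scripted. The following is an added example written for this page, not DISA's or the STIG's own tooling; the credential patterns, the constructed sample file contents, and the mapping of POSIX permission bits onto the three severity rules are all assumptions of the example.

```python
import os
import re
import stat

# Patterns that commonly indicate embedded authentication data in source, config,
# scripts, HTML or other ASCII files (an assumed starter list, not exhaustive).
CREDENTIAL_PATTERNS = {
    "connection string": re.compile(r"(User ID|Uid)=[^;]+;\s*(Password|Pwd)=[^;\"']+", re.I),
    "password assignment": re.compile(r"(password|passwd|pwd)\s*[=:]\s*\S+", re.I),
    "private key": re.compile(r"-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----"),
    "api key": re.compile(r"(api|secret)[_-]?key\s*[=:]\s*['\"]?[A-Za-z0-9/+]{16,}", re.I),
}

# Constructed sample file contents standing in for files met during a review.
SAMPLE_WEB_CONFIG = ('<connectionStrings>\n  <add name="db" connectionString='
                     '"Server=db01;User ID=app;Password=example-only"/>\n</connectionStrings>\n')
SAMPLE_GLOBAL_ASA = 'Const DB_PASSWORD = "example-only"\n'
SAMPLE_INDEX_HTML = "<html><body>No authentication data here.</body></html>\n"

def find_credentials(text):
    """Return (line_number, kind) for every line that looks like embedded auth data."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in CREDENTIAL_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, kind))
                break  # one kind per line is enough for the finding details
    return hits

def classify_permissions(mode, owner_uid):
    """Map POSIX permission bits onto the three APP3350 severity rules (assumed mapping):
    rule 1 world-readable -> CAT I; rule 2 group-readable or readable by a non-root
    owner -> CAT I; rule 3 readable only by UID 0 -> CAT II."""
    if mode & stat.S_IROTH:
        return "CAT I"
    if owner_uid == 0 and not (mode & stat.S_IRGRP):
        return "CAT II"
    return "CAT I"

def scan_file(path):
    """Scan one file; return finding records naming location, kind and severity."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        hits = find_credentials(fh.read())
    if not hits:
        return []
    st = os.stat(path)
    severity = classify_permissions(stat.S_IMODE(st.st_mode), st.st_uid)
    return [{"file": path, "line": ln, "kind": kind, "severity": severity}
            for ln, kind in hits]
```

Run `scan_file` over each reviewed path; the returned records give the file, line and resource kind the finding details must cite, and the severity per the rules above.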
Fix Text (F-17025r1_fix)
Remove embedded authentication data stored in code, configuration files, scripts, HTML files, or any other ASCII files.