ASP.NET connection strings stored in plaintext
Description
This application stores database connection strings in plaintext in web.config, without using ASP.NET Protected Configuration. A connection string normally contains the database server location and, unless integrated (Windows) authentication is used, a database username and password. Because web.config is routinely copied into backups, deployment packages and source control, an attacker who can read it through a path traversal flaw, a misconfiguration that serves the file directly, an exposed backup copy (for example a web.config.bak or .old file left in the web root) or a server compromise obtains working database credentials immediately, with no cracking step required.
Remediation
Encrypt the sensitive sections of web.config with the Protected Configuration feature of the .NET Framework (System.Configuration). Two providers ship with the framework: DataProtectionConfigurationProvider, which uses the Windows DPAPI and a key bound to the local machine, and RsaProtectedConfigurationProvider, which uses an RSA key container that can be exported and installed on other machines. Use DPAPI for a single-server deployment and RSA for a web farm, because a web.config encrypted with DPAPI can only be decrypted on the server that encrypted it.
To encrypt the connectionStrings section from an elevated command prompt (aspnet_regiis.exe is found under %windir%\Microsoft.NET\Framework64\v4.0.30319; -app takes the IIS virtual path of the application, while -pef takes a physical directory instead, and -pd or -pdf reverses the operation):
aspnet_regiis -pe "connectionStrings" -app "/MyApplication" -prov "DataProtectionConfigurationProvider"
For RSA encryption (recommended for web farms), encrypt on one node, export the key container with -px (adding -pri to include the private key), import it on every other node with -pi, and grant the application pool identity access to it with -pa; the default container used by the provider is named NetFrameworkConfigurationKey:
aspnet_regiis -pe "connectionStrings" -app "/MyApplication" -prov "RsaProtectedConfigurationProvider"
Alternatively, encrypt programmatically. Note that this requires write access to web.config, which a running web application should not normally have, and that saving web.config restarts the application domain, so run it from a one-off administrative tool or a deployment step rather than from request-handling code:

using System.Configuration;
using System.Web.Configuration;

// Open the application's root web.config and encrypt the section in place.
Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
ConfigurationSection section = config.GetSection("connectionStrings");
if (!section.SectionInformation.IsProtected)
{
    // Use "RsaProtectedConfigurationProvider" instead on a web farm.
    section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
    config.Save();
}

After encryption, ASP.NET decrypts the section transparently at runtime, so ConfigurationManager.ConnectionStrings and WebConfigurationManager.ConnectionStrings keep working with no code changes. An encrypted section is recognisable by a configProtectionProvider attribute on the connectionStrings element and an EncryptedData child element in place of the add entries. Verify that the application pool identity can use the key: for RSA, grant access with aspnet_regiis -pa; for DPAPI, aspnet_regiis encrypts with the machine key store by default, so any local account on that server can decrypt the section, which protects against file disclosure and exposed backups but not against an attacker already executing code on the host. Protected Configuration applies only to the .NET Framework; ASP.NET Core reads appsettings.json rather than web.config, so there keep secrets out of the file entirely and supply them from environment variables, the Secret Manager tool during development, or a vault in production. For cloud deployments on either platform, consider moving the credentials to Azure Key Vault or a similar secret management service.
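As an added example (not part of this finding's original text), the following Python audit flags the condition described above: it parses a web.config, reports each connectionStrings entry that is stored in plaintext, distinguishes entries that carry a password from those using integrated security, redacts the secret in its own output so the report does not leak it, and recognises a section that Protected Configuration has already encrypted. Both web.config fragments are constructed for the example, and the CipherValue in the encrypted one is a placeholder rather than real cipher text.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: plaintext section with one credentialed and one
# integrated-security connection string (not from any real deployment).
PLAINTEXT_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="MainDb"
         connectionString="Server=db01;Database=App;User Id=app_user;Password=P@ssw0rd!;"
         providerName="System.Data.SqlClient" />
    <add name="ReportsDb"
         connectionString="Server=db02;Database=Reports;Integrated Security=true;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>
"""

# Constructed sample of the shape aspnet_regiis produces: the <add> entries are
# replaced by an <EncryptedData> element. The CipherValue is a placeholder.
ENCRYPTED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData>
        <CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>
"""

# Keys that carry a secret in ADO.NET-style connection strings.
SECRET_KEY = re.compile(r"(?i)(?<![A-Za-z])(password|pwd)\s*=\s*[^;]+")


def redact(connection_string: str) -> str:
    """Mask secret values so an audit report does not itself leak them."""
    return SECRET_KEY.sub(lambda m: f"{m.group(1)}=***", connection_string)


def audit_connection_strings(config_xml: str) -> list[dict]:
    """Return one finding per connectionStrings entry, or a single
    'encrypted' record if Protected Configuration already covers the section."""
    root = ET.fromstring(config_xml)
    section = root.find("connectionStrings")
    if section is None:
        return []
    # An encrypted section has configProtectionProvider set and an EncryptedData
    # child. That child lives in the xmlenc namespace, so compare the local name.
    has_cipher = any(child.tag.rsplit("}", 1)[-1] == "EncryptedData"
                     for child in section)
    if section.get("configProtectionProvider") and has_cipher:
        return [{"name": "*", "status": "encrypted",
                 "provider": section.get("configProtectionProvider")}]
    findings = []
    for add in section.findall("add"):
        value = add.get("connectionString", "")
        status = ("plaintext_credential" if SECRET_KEY.search(value)
                  else "plaintext_no_credential")
        findings.append({"name": add.get("name"), "status": status,
                         "connection_string": redact(value)})
    return findings


if __name__ == "__main__":
    for cfg in (PLAINTEXT_CONFIG, ENCRYPTED_CONFIG):
        for finding in audit_connection_strings(cfg):
            print(finding)
```

Run it against the web.config of each deployed application (or against backup and source-control copies, which are where these files most often leak). A "plaintext_no_credential" result is lower severity, since integrated security carries no password, but it still exposes the server name and should be encrypted along with the rest of the section.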