ASP.NET login credentials stored in plain text
Description
This web application stores user authentication credentials in plain text within the Web.config configuration file: user names and passwords appear in <user> entries under the <credentials> element of the <forms> authentication section, with passwordFormat="Clear". When credentials are stored without encryption or proper hashing, they can be read by anyone who can read the configuration file, including attackers who gain file system access (for example through a path traversal or local file read flaw), developers with excessive permissions, and anyone with access to source control, deployment packages, or backups that contain Web.config. Because Forms authentication compares submitted passwords directly against these entries, a disclosed Web.config gives an attacker valid application logins immediately.
Remediation
Remove the <credentials> element from the Web.config file entirely, as storing credentials in configuration files is inherently insecure. Note that switching passwordFormat to "SHA1" or "MD5" is not a fix: those formats store an unsalted digest of the password, which is easily cracked offline, and the helper that produced them (FormsAuthentication.HashPasswordForStoringInConfigFile) is obsolete. Instead, implement one of the following secure authentication methods:
1. Use the ASP.NET Identity or ASP.NET Core Identity framework, which stores salted, iterated password hashes (PBKDF2) in a database rather than in configuration
2. Integrate with external authentication providers (OAuth, OpenID Connect, SAML)
3. Implement Windows Authentication for intranet applications
If credentials must remain in Web.config for legacy reasons, encrypt them using the ASP.NET Protected Configuration feature. Protected Configuration works on whole configuration sections, so the target is the authentication section, not the credentials element inside it:
aspnet_regiis -pe "system.web/authentication" -app "/YourAppName"
(use -pef with the application's physical path instead of -app when the site is not registered in IIS, and -pd to decrypt). After encryption the <authentication> section carries a configProtectionProvider attribute and an <EncryptedData> child instead of the plaintext entries. This only raises the bar for reading the file: the application pool identity decrypts the section transparently at runtime, so anyone who can execute code as that identity, or who has access to the RSA or DPAPI key container, still obtains the credentials. Migration to a modern authentication system is strongly recommended for production environments.
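The following script is an added example, not part of the original advisory or of any ASP.NET tooling. It shows the vulnerable Web.config shape described above and a check a reviewer can run across a code base: it parses Web.config, reports every <user> stored under system.web/authentication/forms/credentials, rates "Clear" as high and the unsalted SHA1/MD5 formats as medium, and treats a section already protected with aspnet_regiis (configProtectionProvider attribute, <EncryptedData> child) as remediated. The sample configurations, user names and passwords embedded below are constructed for the example.

```python
"""Find ASP.NET Forms credentials stored in Web.config (added example, constructed samples)."""
import sys
import xml.etree.ElementTree as ET

# Values accepted by <credentials passwordFormat="...">. "Clear" is plain text;
# SHA1 and MD5 are unsalted digests and are only marginally better.
WEAK_FORMATS = {"clear": "plain text", "sha1": "unsalted SHA1", "md5": "unsalted MD5"}

# Constructed sample: the vulnerable configuration the advisory describes.
VULNERABLE_WEB_CONFIG = """
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx">
        <credentials passwordFormat="Clear">
          <user name="admin" password="Summer2024!" />
          <user name="svc_report" password="r3p0rt" />
        </credentials>
      </forms>
    </authentication>
  </system.web>
</configuration>
"""

# Constructed sample: no passwordFormat given; the schema's documented default is SHA1.
HASHED_WEB_CONFIG = """
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx">
        <credentials>
          <user name="admin" password="a94a8fe5ccb19ba61c4c0873d391e987982fbbd3" />
        </credentials>
      </forms>
    </authentication>
  </system.web>
</configuration>
"""

# Constructed sample: section after aspnet_regiis -pe (cipher text is a placeholder).
ENCRYPTED_WEB_CONFIG = """
<configuration>
  <system.web>
    <authentication configProtectionProvider="RsaProtectedConfigurationProvider">
      <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                     xmlns="http://www.w3.org/2001/04/xmlenc#">
        <CipherData><CipherValue>placeholder-cipher-text</CipherValue></CipherData>
      </EncryptedData>
    </authentication>
  </system.web>
</configuration>
"""

# Constructed sample: Forms auth delegating to a provider, no credentials in config.
CLEAN_WEB_CONFIG = """
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />
    </authentication>
  </system.web>
</configuration>
"""


def find_config_credentials(web_config_xml: str) -> list:
    """Return one finding per <user> under any <authentication>/<forms>/<credentials>.

    Sections protected by Protected Configuration carry a configProtectionProvider
    attribute and hold <EncryptedData> instead of plaintext, so they yield nothing.
    """
    root = ET.fromstring(web_config_xml)
    findings = []
    for auth in root.iter("authentication"):          # also matches inside <location>
        if auth.get("configProtectionProvider"):
            continue                                   # already encrypted on disk
        for creds in auth.iter("credentials"):
            fmt = (creds.get("passwordFormat") or "SHA1").lower()
            for user in creds.findall("user"):
                findings.append({
                    "user": user.get("name"),
                    "format": fmt,
                    "severity": "high" if fmt == "clear" else "medium",
                    "reason": WEAK_FORMATS.get(fmt, "unrecognised passwordFormat"),
                })
    return findings


def scan_file(path: str) -> list:
    """Convenience wrapper for running the check against a real Web.config on disk."""
    with open(path, encoding="utf-8-sig") as fh:   # Web.config files often carry a BOM
        return find_config_credentials(fh.read())


if __name__ == "__main__":
    sources = {"vulnerable": VULNERABLE_WEB_CONFIG, "hashed": HASHED_WEB_CONFIG,
               "encrypted": ENCRYPTED_WEB_CONFIG, "clean": CLEAN_WEB_CONFIG}
    if len(sys.argv) > 1:
        sources = {p: open(p, encoding="utf-8-sig").read() for p in sys.argv[1:]}
    for label, xml_text in sources.items():
        for f in find_config_credentials(xml_text):
            print(f"{label}: [{f['severity']}] user={f['user']} stored as {f['reason']}")
```

Run it with one or more Web.config paths as arguments to scan real files; with no arguments it runs over the constructed samples. Severity is deliberately "medium" rather than "clean" for the hashed formats, since an unsalted SHA1 or MD5 of a password is still a disclosure worth remediating.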