Possible username or password disclosure
Description
This finding indicates that strings resembling username and password combinations were detected in publicly accessible resources of the web application. Credentials can end up in source code, configuration files, HTML or script comments, or other unprotected locations that the web server serves to anyone who asks. An attacker who retrieves them can log in as the affected user or reach the systems the credentials protect without having to exploit any further weakness.
Remediation
Take the following steps to remediate this vulnerability:
1. Verify the findings: Manually review each flagged location to confirm whether real credentials are exposed, and note which system or account each one belongs to. Treat any confirmed credential as compromised, even if it appears to be a test or default account.
2. Remove exposed credentials: Delete any hardcoded usernames and passwords from source code, configuration files, comments, and documentation. Removal stops further disclosure but does not undo it; the credentials that were exposed must still be rotated.
3. Rotate compromised credentials: Immediately change any password that has been exposed, revoke and reissue associated API keys, and invalidate existing sessions for the affected accounts. Do this even if the exposure was brief, since the content may already have been crawled or cached.
4. Implement secure credential management: Supply credentials at runtime through environment variables, a secrets vault (such as HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault), or an encrypted configuration management system, so that no secret is stored in the application's source or deployed files.
5. Use proper access controls: Keep configuration files that contain sensitive data outside the web root or deny them in the web server configuration, and give them restrictive file permissions (e.g., 600 or 640 on Unix systems). File permissions alone do not help when the file sits in a directory the web server serves, because the server process can still read and return it.
6. Review version control history: A secret deleted in a new commit remains in every earlier revision, so search the repository history (for example with truffleHog), rotate anything found there, and purge it from history if the repository is shared. Add a pre-commit check such as git-secrets so that new commits containing credentials are rejected before they are pushed.
Example - Secure credential handling:
// Insecure - DO NOT DO THIS: the credentials ship with the source and are
// recoverable by anyone who can read the file, the built artifact or the repository
String username = "admin";
String password = "P@ssw0rd123";

// Secure - read the credentials from the environment at runtime, where the deployment
// platform or a secrets manager injects them; fail fast instead of connecting with null
String username = System.getenv("DB_USERNAME");
String password = System.getenv("DB_PASSWORD");
if (username == null || password == null) {
    throw new IllegalStateException("DB_USERNAME and DB_PASSWORD must be set");
}
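Steps 1 and 6 above both come down to finding literal credentials in content you control and telling them apart from references to a secret store. The following Python script is an added example, not the scanner's own detection logic: it runs a small set of credential patterns over constructed sample files (a Java source file, a .properties file, an HTML comment and a deployment script, all made up for this illustration), skips values that are only placeholders or environment lookups, decodes any HTTP Basic token it finds, and produces a report with the secrets masked so the ticket does not repeat the disclosure.

```python
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    value: str  # the exposed value as found; mask it before it goes into a report


# Patterns that commonly indicate a hardcoded credential. Each names the group that
# carries the sensitive value. The keyed assignment covers source code, YAML,
# .properties and .env files (an optional prefix allows DB_PASSWORD, smtp.password);
# the other two cover user:password@ in URLs and HTTP Basic headers.
_PATTERNS = [
    ("assignment", re.compile(
        r"(?i)\b[\w.-]*(?:user(?:name)?|pass(?:word|wd)?|pwd|secret|api[_-]?key|token)"
        r"\s*[:=]\s*[\"']?(?P<value>[^\"'\s]{4,})[\"']?")),
    ("url_credentials", re.compile(
        r"(?i)\b[a-z][a-z0-9+.-]*://[^\s:/@\"']+:(?P<value>[^\s/@\"']+)@")),
    ("basic_auth", re.compile(
        r"(?i)authorization:\s*basic\s+(?P<value>[A-Za-z0-9+/=]{8,})")),
]

# Values that point at a secret store or variable instead of being the secret:
# ${VAR}, $VAR, %VAR%, <placeholder>, {{ template }}, and lookups such as
# System.getenv( or os.environ[ (an identifier followed by "(" or "[").
_NOT_A_LITERAL = re.compile(
    r"^(?:\$\{[^}]+\}|\$[A-Za-z_]+|%[A-Za-z_]+%|<[^>]+>|\{\{.*\}\}|[A-Za-z_.]+[\[(])$")


def scan_text(path, text):
    """Return findings for one file's contents, ignoring indirect references."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in _PATTERNS:
            for match in pattern.finditer(line):
                value = match.group("value")
                if _NOT_A_LITERAL.match(value):
                    continue
                findings.append(Finding(path, line_no, kind, value))
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping, e.g. everything served from the web root."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def decode_basic_auth(token):
    """Recover (user, password) from a Basic token; None if it is not one."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # bad base64 (binascii.Error) or not UTF-8
        return None
    if ":" not in decoded:
        return None
    user, password = decoded.split(":", 1)
    return user, password


def mask(value):
    """Keep the first two characters so a reviewer can recognise the value."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def report(findings):
    """One line per finding for a ticket: location, kind and masked value."""
    return [f"{f.path}:{f.line_no} [{f.kind}] {mask(f.value)}" for f in findings]


# Constructed sample content (not real files) modelled on the exposure types the
# page lists. Line 4 of the Java file and line 2 of the properties file show the
# remediated form, which the scanner must not flag.
SAMPLE_FILES = {
    "src/DbConfig.java": (
        'public class DbConfig {\n'
        '    String username = "admin";\n'
        '    String password = "P@ssw0rd123";\n'
        '    String apiKey = System.getenv("API_KEY");  // remediated form\n'
        '}\n'
    ),
    "config/app.properties": (
        "db.url=jdbc:mysql://dbhost:3306/app\n"
        "db.password=${DB_PASSWORD}\n"
        "smtp.password=s3cretMail!\n"
    ),
    "public/index.html": (
        "<!-- TODO remove: curl -H 'Authorization: Basic YWRtaW46UEBzc3cwcmQxMjM=' -->\n"
    ),
    "scripts/deploy.sh": (
        "export API_URL=https://deploy:Rel3ase-Key@api.example.internal/v1\n"
    ),
}


if __name__ == "__main__":
    for line in report(scan_files(SAMPLE_FILES)):
        print(line)
    token = scan_files(SAMPLE_FILES)[3].value
    print("basic auth decodes to user:", decode_basic_auth(token)[0])
```

The pattern list is deliberately short and will not catch every format; the point is the structure: match candidate values, drop the ones that are only references (which is exactly what the remediated code above produces), and never copy a confirmed secret into the report. A Basic token in a comment is as good as plaintext, so the decoder turns it back into a username and password that must then be rotated.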