Detections
Analytics

Database Connection String Disclosure

high Web App Scanning Plugin ID 114276

Language:

Synopsis

Database Connection String Disclosure

Description

Most of the web applications rely on a database to provide features to their users. In secure designs, consuming these private or cloud databases will require authentication like username and password based credentials.

Developers sometimes hard code such data in various places of their applications, without realizing that it could become publicly available in client-side JavaScript or, for example, HTML comments. By leveraging these sensitive information, a remote and unauthenticated attacker could gain privileged access to critical services used by the web application and the organization.

Solution

Remove the database connection string exposure by identifying the root cause of the issue (for example manual data insertion in the code, environment variables being bundled in front-end JavaScript). Rotate the secrets to avoid further reuse in case it has been previously retrieved by a malicious actor.

See Also

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/05-Review_Web_Page_Content_for_Information_Leakage

Plugin Details

Severity: High

ID: 114276

Type: remote

Published: 5/6/2024

Updated: 5/31/2024

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 5.5

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 8.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: High

Base Score: 8.7

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L

CVSS Score Source: Tenable

Reference Information