This rule detects potential hard-coded passwords based on:
- Literal string format
- Symbol names
Symbol name vs string content
The implementation of this rule in other languages (like Java) relies heavily on symbol names matching wordlist items to raise issues. The downside is that it raises many FPs when constants are used to avoid duplicated strings:
```cpp
std::string RESET_PASSWORD = "/users/resetUserPassword";
```
The logic is to avoid raising an issue when the wordlist item is present in both the symbol name and the literal string value. None of the following declarations should raise an issue:
```cpp
std::string PASSED = "passed";
std::string PASSWORD = "Password";
std::string PASSWORD_INPUT = "[id='password']";
std::string PASSWORD_PROPERTY = "custom.password";
std::string TRUSTSTORE_PASSWORD = "trustStorePassword";
std::string CONNECTION_PASSWORD = "connection.password";
std::string RESETPWD = "/users/resetUserPassword";
```
Empty strings (including a value that ends in an empty or whitespace-only password field) should not be considered hard-coded passwords:
```cpp
std::string EMPTY_PASSWORD = "";
std::string variable1 = "login=a&password=";
std::string variable2 = "login=a&password= ";
```
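The following is an added example, not the rule's own implementation, that applies the two checks described above (symbol name vs. string content, and the empty-string exception) to `std::string` declarations. The wordlist, the declaration regex and the sample source are constructed for this example; the real rule's wordlist is not reproduced on the page.

```python
import re

# Credential words the checks look for (constructed; the real rule's
# wordlist is not on the page).
WORDLIST = ("password", "passwd")

# Matches one `std::string NAME = "literal";` declaration.
DECL_RE = re.compile(r'std::string\s+(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')

# Literal-format check: a wordlist key followed by '=' and a non-blank
# value, e.g. "login=a&password=hunter2". "password=" and "password= "
# have no value and are deliberately not matched.
FORMAT_RE = re.compile(r"(?:%s)\s*=\s*\S+" % "|".join(WORDLIST), re.IGNORECASE)


def wordlist_hits(text: str) -> set:
    """Wordlist items contained in text, compared case-insensitively."""
    low = text.lower()
    return {w for w in WORDLIST if w in low}


def is_hardcoded_password(symbol: str, literal: str) -> bool:
    """Decide whether one declaration should raise an issue."""
    # Empty or whitespace-only strings are never hard-coded passwords.
    if not literal.strip():
        return False
    name_hits = wordlist_hits(symbol)
    # A credential-like symbol name raises an issue unless the same wordlist
    # item also appears in the value: then the constant most likely names a
    # field, property key or URL rather than holding a secret.
    if name_hits and not (name_hits & wordlist_hits(literal)):
        return True
    # Otherwise fall back to the shape of the literal itself.
    return FORMAT_RE.search(literal) is not None


def analyze(source: str) -> list:
    """Symbol names of flagged declarations, in source order."""
    return [name for name, value in DECL_RE.findall(source)
            if is_hardcoded_password(name, value)]


# Constructed sample: the page's compliant constants plus two declarations
# that genuinely embed a credential (the values are made up).
SAMPLE_SOURCE = '''
std::string PASSWORD_INPUT = "[id='password']";
std::string TRUSTSTORE_PASSWORD = "trustStorePassword";
std::string EMPTY_PASSWORD = "";
std::string variable2 = "login=a&password= ";
std::string DB_PASSWORD = "hunter2";
std::string QUERY = "login=a&password=hunter2";
'''

if __name__ == "__main__":
    print(analyze(SAMPLE_SOURCE))  # ['DB_PASSWORD', 'QUERY']
```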