RSPEC-6292

Amazon MWS credentials should not be disclosed


    Details

    • Message:
      Amazon MWS Auth Token detected here. Remove this credential from your code.
    • Default Severity:
      Blocker
    • Impact:
      High
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      ABAP, APEX, C#, C, C++, Cobol, CSS, Flex, Go, HTML, Java, JavaScript, Kotlin, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Ruby, Rust, Scala, Solidity, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      30min
    • Analysis Scope:
      Main Sources, Test Sources
    • CERT:
      MSC03-J.
    • CWE:
      CWE-798, CWE-259
    • OWASP:
      A2
    • SANS Top 25:
      Porous Defenses

      Description

      Amazon Marketplace Web Service credentials are designed to authenticate and authorize Amazon sellers.

      If your application interacts with Amazon MWS, it requires credentials to access all the resources it needs to function properly. The credential authenticates to a seller account, which can have access to resources such as products, orders, prices or shipment information.
      Therefore only administrators should have access to the MWS credentials used by your application.

      As a consequence, MWS credentials should not be stored along with the application code as they would grant special privilege to anyone who has access to the application source code.

      Credentials should be stored outside of the code, in a file that is never committed to your application code repository.
      If possible, a better alternative is to use your cloud provider's service for managing secrets. On AWS this service is called Secrets Manager.
      When credentials are disclosed in the application code, consider them compromised and revoke them immediately.
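The following is an added example, not SonarSource's detector or any code from the rule itself. It shows the two halves of the remediation described above: a minimal scanner that reports hard-coded Amazon MWS Auth Tokens found in source text (the token shape `amzn.mws.` followed by a UUID is assumed here; the rule's exact matching logic is not on this page), and the compliant pattern of reading the credential from the process environment at runtime so it never enters the repository. The sample source, the token value and the `load_mws_auth_token` helper are all constructed for illustration.

```python
"""Added example (not SonarSource's implementation): flag hard-coded Amazon MWS
Auth Tokens in source text, and load the credential from outside the code instead."""
import os
import re
from typing import List, Mapping, Tuple

# Assumption: MWS Auth Tokens look like "amzn.mws." followed by a UUID (8-4-4-4-12 hex).
MWS_AUTH_TOKEN_RE = re.compile(
    r"amzn\.mws\.[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.IGNORECASE
)


def find_mws_tokens(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, token) for every MWS Auth Token literal in the source text."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in MWS_AUTH_TOKEN_RE.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def redact(token: str) -> str:
    """Keep the fixed prefix and last four characters so a finding can be reported
    without re-disclosing the secret in logs or tickets."""
    return token[:9] + "..." + token[-4:]


# Constructed sample source: the token below is fake, not a real credential.
SAMPLE_SOURCE = '''\
# settings.py (constructed sample)
SELLER_ID = "A1EXAMPLESELLER"
MWS_AUTH_TOKEN = "amzn.mws.12345678-1234-1234-1234-123456789abc"  # noncompliant: hard-coded
'''


def load_mws_auth_token(env: Mapping[str, str] = os.environ) -> str:
    """Compliant pattern: the token is provisioned outside the source tree (environment
    variable, or a secrets manager that populates it) and fetched at runtime."""
    token = env.get("MWS_AUTH_TOKEN")
    if not token:
        raise RuntimeError("MWS_AUTH_TOKEN is not set; provision it outside the source tree")
    return token


def main() -> None:
    for lineno, token in find_mws_tokens(SAMPLE_SOURCE):
        print(
            f"line {lineno}: Amazon MWS Auth Token detected here ({redact(token)}). "
            "Remove this credential from your code."
        )


if __name__ == "__main__":
    main()
```

Running the block reports the one planted token on line 3 of the constructed sample; any token it finds in real code should be treated as compromised and rotated, as the description says, not merely deleted from the file.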

      See

            People

            Reporter:
            Pierre-Loup Tristant (pierre-loup.tristant)