Vulnerability Location:
In file LittleProxy/src/main/java/org/littleshoot/proxy/extras/SelfSignedSslEngineSource.java, keyStore.load is invoked with a hard-coded password in line 109.
Security Impact:
The keystore password should not be kept in the source code. The source code can be widely shared in an enterprise environment, and is certainly shared in open source. The product transmits or stores authentication credentials, but it uses an insecure way that is susceptible to unauthorized interception and/or retrieval.
Suggestions:
To be managed safely, passwords or secret keys should be stored in separate configuration files or keystores. It is better to load the keystore password from locally set configuration files than to set it directly in the code.
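As an added illustration of the suggestion above (this is example code, not LittleProxy's own source and not part of the original report), the vulnerable pattern is shown next to a loader that resolves the keystore password at runtime. The system property `proxy.keystore.password`, the environment variables `PROXY_KEYSTORE_PASSWORD` / `PROXY_KEYSTORE_PASSWORD_FILE` and the resolution order are assumptions chosen for the example, not LittleProxy conventions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;

/**
 * Added example, not LittleProxy code: load a JKS/PKCS12 keystore whose
 * password is supplied at deployment time instead of being compiled in.
 *
 * Resolution order (an assumption of this example):
 *   1. JVM system property   -Dproxy.keystore.password=...
 *   2. environment variable  PROXY_KEYSTORE_PASSWORD
 *   3. secret file           PROXY_KEYSTORE_PASSWORD_FILE (contents, trimmed)
 * If none is present, loading fails closed rather than falling back to a
 * built-in default that would end up in every copy of the source.
 */
public final class ConfiguredKeyStoreLoader {

    private ConfiguredKeyStoreLoader() {}

    /** The pattern the issue describes: the secret lives in the source (CWE-321). */
    static KeyStore loadWithHardcodedPassword(Path keyStorePath)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(keyStorePath)) {
            ks.load(in, "changeit".toCharArray()); // hard-coded password
        }
        return ks;
    }

    /** Hardened pattern: the password is resolved from configuration at runtime. */
    static KeyStore loadWithConfiguredPassword(Path keyStorePath)
            throws IOException, GeneralSecurityException {
        char[] password = resolvePassword();
        try {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream in = Files.newInputStream(keyStorePath)) {
                ks.load(in, password);
            }
            return ks;
        } finally {
            Arrays.fill(password, '\0'); // do not keep the secret on the heap longer than needed
        }
    }

    /** Looks up the password in the assumed locations; throws if none is configured. */
    static char[] resolvePassword() throws IOException {
        String fromProperty = System.getProperty("proxy.keystore.password");
        if (fromProperty != null && !fromProperty.isEmpty()) {
            return fromProperty.toCharArray();
        }
        String fromEnv = System.getenv("PROXY_KEYSTORE_PASSWORD");
        if (fromEnv != null && !fromEnv.isEmpty()) {
            return fromEnv.toCharArray();
        }
        String secretFile = System.getenv("PROXY_KEYSTORE_PASSWORD_FILE");
        if (secretFile != null && !secretFile.isEmpty()) {
            // Suits secrets mounted as files (e.g. by a container orchestrator).
            byte[] raw = Files.readAllBytes(Paths.get(secretFile));
            String text = new String(raw, StandardCharsets.UTF_8).trim();
            Arrays.fill(raw, (byte) 0);
            if (!text.isEmpty()) {
                return text.toCharArray();
            }
        }
        throw new IllegalStateException("No keystore password configured: set "
                + "proxy.keystore.password, PROXY_KEYSTORE_PASSWORD or PROXY_KEYSTORE_PASSWORD_FILE");
    }

    /** Usage: java ConfiguredKeyStoreLoader /path/to/keystore.jks */
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: ConfiguredKeyStoreLoader <keystore-path>");
            System.exit(2);
        }
        KeyStore ks = loadWithConfiguredPassword(Paths.get(args[0]));
        System.out.println("Loaded keystore with " + ks.size() + " entries");
    }
}
```

Two caveats a practitioner would check: the file-based path trims whitespace, so a password that deliberately ends in spaces or a newline must be supplied through the property or environment variable instead; and a system property or environment variable is visible to other processes of the same user (for example via the process table), so a secret file with restrictive permissions is the preferable option where both are available.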
After looking at this some more, I'm not convinced that it's a significant issue. The password is used to load a certificate that should only be used in a test environment. Anyone using LittleProxy for MITM in a production environment can and should provide their own certificate.
Useful link:
https://cwe.mitre.org/data/definitions/321.html
https://cwe.mitre.org/data/definitions/522.html
https://www.baeldung.com/java-keystore
Please share your opinions/comments with us, if there are any:
Is the bug report helpful?