4

Fortify outputs the following line as vulnerable to attack under the category Password Management: Hard coded Password, though I've not hard coded the password. Why is it showing that as a vulnerability, and how do I fix it?

txtPassword.style.visibility = "visible";

Thanks in advance!

Idos
Shruthi HM
  • can you please show us your effort? – Enamul Hassan Dec 16 '15 at 09:01
  • What I thought was, Fortify shows this place just because the variable name contains the word 'Password'. I tried renaming 'txtPassword' to 'txtPwd' in the html file and it seems to be working. Fortify doesn't show up the error in this place. But, I am looking for a better resolution here, if there are any. Somehow, just renaming the variable name doesn't convince me enough to go with it. – Shruthi HM Dec 16 '15 at 13:30

1 Answer

6

I do not have visibility to the internals, but it appears that as part of the 'Structural Analyzer', the Fortify tool searches for text that may indicate that there is a password stored. It cannot tell if there is a password hard coded, but, based on a conversation with an HP Fortify consultant, Fortify leans toward flagging an issue if at all in doubt, allowing the person(s) remediating the audit information to determine if it is a vulnerability or not.

The following text examples trigger a line of code to be flagged in my code base.

  • Password
  • password
  • Passwd
  • passwd

There are a couple of ways to remediate the issue and the correct one for your organization may depend on the work effort:

  1. Mark the flagged issue as 'Not an Issue', indicating that this is a variable/control name and that a password is not hard coded in the code.
  2. Rename the variable/control name to something that would not be flagged - txtPwd may be an option in this case.
Scott
  • Excellent answer. In some contexts, "pwd" is also searched for (but not all) – Douglas Held Dec 18 '15 at 21:37
  • @DouglasHeld Thank you. I thought I had seen 'pwd' flagged, but it did not shake out on my quick test. Thanks for the info. Good to know. – Scott Dec 20 '15 at 19:44
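As an added illustration (not code from the question, the answer, or Fortify itself), the Python scanner below applies the coarse keyword rule the answer describes to a few constructed source lines, next to a hypothetical refined rule that only flags a string literal assigned to a password-like name. The refined rule, the regex and the sample lines are my own assumptions; the token list is the one given in the answer.

```python
import re

# Tokens the answer lists as triggering the Hard-coded Password finding
# (matched case-sensitively, exactly as listed).
PASSWORD_TOKENS = ("Password", "password", "Passwd", "passwd")

# Coarse rule, mirroring the behaviour described in the answer: any line whose
# text contains one of the tokens is flagged, regardless of what the line does.
def coarse_flag(line: str) -> bool:
    return any(tok in line for tok in PASSWORD_TOKENS)

# Refined rule (an assumption for illustration, not Fortify's actual logic):
# flag only when a string literal is assigned and the name receiving it (the
# last component of the assignment target) contains a token.
ASSIGN_RE = re.compile(
    r"(?:^|[\s;])(?:var|let|const)?\s*([\w$.]+)\s*=\s*([\"'])(.*?)\2"
)

def refined_flag(line: str) -> bool:
    m = ASSIGN_RE.search(line)
    if not m:
        return False
    target = m.group(1).split(".")[-1]  # "visibility" in txtPassword.style.visibility
    return any(tok in target for tok in PASSWORD_TOKENS)

def triage(lines):
    """Return (line, coarse, refined) per line so the two rules can be compared."""
    return [(ln, coarse_flag(ln), refined_flag(ln)) for ln in lines]

# Constructed sample lines: the line from the question, the rename the asker
# tried, a genuine hard-coded credential, and a credential written through a
# property (the last one shows a miss of the refined rule, which is the kind
# of case a tool that "leans toward flagging" is trading against).
SAMPLE_LINES = [
    'txtPassword.style.visibility = "visible";',
    'txtPwd.style.visibility = "visible";',
    'var password = "hunter2";',
    'txtPassword.value = "hunter2";',
]

if __name__ == "__main__":
    print("coarse refined line")
    for line, coarse, refined in triage(SAMPLE_LINES):
        print(f"{coarse!s:6} {refined!s:7} {line}")
```

The first sample line is flagged only by the coarse rule, which is the behaviour the answer describes; the last one is flagged only by the coarse rule too, which is why the refined rule is not a free improvement.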