Suppose one learned that certain developer hardcoded a bunch of usernames and passwords into application, which made it into Production. Oh-oh ..!
You know both username and password - is there a way to scan the bytecode and identify whether in fact username, password was hardcoded?
A simple way to see what String literals are used in a ".class" file is to use the javap utility in your JDK installation to dump the file using the "-v" option. Then grep for text that looks like <String "..."> where ... is the String you are looking for.
UPDATE
The latest documentation for javap is here, but the old version looks nicer IMO.
You can use java decompilers to decompile your class (and to check whether the class contains hardcoded username/passwords) Have a look at:
Have you looked into JD-GUI? You can see there if that has been hardcoded into any of the class files.
May be helpful for others in future. (From How can I open Java .class files in a human-readable way? )
Usage: javap <options> <classes>...
where options include:
-c Disassemble the code
-classpath <pathlist> Specify where to find user class files
-extdirs <dirs> Override location of installed extensions
-help Print this usage message
-J<flag> Pass <flag> directly to the runtime system
-l Print line number and local variable tables
-public Show only public classes and members
-protected Show protected/public classes and members
-package Show package/protected/public classes
and members (default)
-private Show all classes and members
-s Print internal type signatures
-bootclasspath <pathlist> Override location of class files loaded
by the bootstrap class loader
-verbose Print stack size, number of locals and args for methods
If verifying, print reasons for failure
