CWE-522 Insufficiently Protected Credentials

Description

The application stores or transmits authentication credentials (here, user passwords) without adequate protection, so anyone who can read the storage or the traffic recovers them directly.

Reference: https://cwe.mitre.org/data/definitions/522.html

OWASP Category: A07:2021 – Identification and Authentication Failures


Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

// VULNERABLE: Storing plaintext password
user.setPassword(request.getPassword());
userRepository.save(user);

Why it's vulnerable: the password taken from the request is persisted verbatim, so anyone who can read the database, a backup, or a log of the saved entity obtains every user's password as-is.


Deterministic Fix

✅ Secure Implementation

// SECURE: Use BCrypt for password hashing
@Autowired
private PasswordEncoder passwordEncoder;

public void registerUser(UserRequest request) {
    User user = new User();
    user.setUsername(request.getUsername());
    user.setPassword(passwordEncoder.encode(request.getPassword()));
    userRepository.save(user);
}

Why it's secure: only the BCrypt hash returned by PasswordEncoder.encode is stored. BCrypt salts every hash and applies a configurable work factor, so a leaked table does not reveal the passwords and cannot be matched in bulk against precomputed hashes; at login the candidate is checked with passwordEncoder.matches(rawPassword, storedHash) rather than by comparing strings.


Detection Pattern

Look for these patterns in your codebase:

# Find plaintext password storage
grep -rn "setPassword.*getPassword\\|password.*=.*request" --include="*.java"

Remediation Steps

  1. Use BCrypt or Argon2 for password hashing

  2. Never store plaintext passwords

  3. Use secure comparison for password verification

  4. Implement password complexity requirements
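The secure pattern above carried through to login (remediation steps 1 to 3), as an added example that is not the skill's own code: it assumes spring-security-crypto on the classpath, uses a HashMap in place of userRepository, and picks a BCrypt strength of 12 as an assumed setting.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example, not the skill's own code: the secure pattern carried through
// to login. A HashMap stands in for userRepository; strength 12 is an assumed choice.
public class CredentialStore {
    private final PasswordEncoder passwordEncoder = new BCryptPasswordEncoder(12);
    private final Map<String, String> hashByUsername = new HashMap<>();
    // Hashed once at startup so an unknown username costs the same as a wrong password.
    private final String dummyHash = passwordEncoder.encode("not-a-real-password");

    public void registerUser(String username, String rawPassword) {
        // Only the salted BCrypt hash is persisted; the plaintext never reaches storage.
        hashByUsername.put(username, passwordEncoder.encode(rawPassword));
    }

    public boolean authenticate(String username, String rawPassword) {
        String stored = hashByUsername.get(username);
        if (stored == null) {
            passwordEncoder.matches(rawPassword, dummyHash); // equalise timing, then reject
            return false;
        }
        // matches() re-hashes the candidate with the salt embedded in the stored hash
        // and compares the results; never compare passwords with String.equals.
        return passwordEncoder.matches(rawPassword, stored);
    }

    String storedHash(String username) {
        return hashByUsername.get(username);
    }

    public static void main(String[] args) {
        CredentialStore store = new CredentialStore();
        String secret = "correct horse battery staple"; // constructed sample password
        store.registerUser("alice", secret);
        String stored = store.storedHash("alice");
        if (secret.equals(stored)) throw new AssertionError("plaintext was stored");
        if (!stored.startsWith("$2a$12$")) throw new AssertionError("not a BCrypt hash: " + stored);
        if (!store.authenticate("alice", secret)) throw new AssertionError("valid login rejected");
        if (store.authenticate("alice", "wrong")) throw new AssertionError("wrong password accepted");
        if (store.authenticate("nobody", secret)) throw new AssertionError("unknown user accepted");
        System.out.println("stored value: " + stored);
    }
}
```

The checks in main are the kind of unit test the Verification section asks for: the stored value is never the plaintext, a correct password is accepted, and a wrong password or unknown user is rejected.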


Key Imports

import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;


Verification

After remediation:

  • Run SAST scanner to confirm vulnerability is resolved

  • Review all instances of the vulnerable pattern

  • Add unit tests that verify the secure implementation

  • Check for similar patterns in related code


Trigger Examples

Fix CWE-522 vulnerability
Resolve Insufficiently Protected Credentials issue
Secure this Java code against insufficiently protected credentials
SAST reports CWE-522

Common Vulnerable Locations

| Layer | Files | Patterns |
| --- | --- | --- |
| Controller | *Controller.java | User input handling |
| Service | *Service.java | Business logic |
| Repository | *Repository.java | Data access |


References


Source: Generated by Java CWE Security Skills Generator Last Updated: 2026-03-07
