CWE-798 Hardcoded Credentials
Description
CWE-798 covers software that ships with credentials baked into its code or binaries: an inbound password the application checks logins against, or an outbound password, API key or cloud access key it uses to reach another service. Because the credential is part of the source, it is copied into every checkout, build artifact and container image, survives in version-control history after the line is deleted, and can be read by anyone who can decompile the JAR. Rotating it requires a code change and a redeploy, so in practice it is rarely rotated.
Reference: https://cwe.mitre.org/data/definitions/798.html
OWASP Category: A07:2021 – Identification and Authentication Failures
Vulnerable Pattern
❌ Example 1: Vulnerable Pattern

```java
// VULNERABLE: Hardcoded API keys and credentials
private static final String API_KEY = "sk-1234567890abcdef";
private static final String AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";

// VULNERABLE: a static credential provider pins one long-lived IAM user key into the code
AmazonS3 s3 = AmazonS3ClientBuilder.standard()
    .withCredentials(new AWSStaticCredentialsProvider(
        new BasicAWSCredentials("AKIAIOSFODNN7EXAMPLE", AWS_SECRET)))
    .build();
```

Why it's vulnerable: the API key and the AWS key pair are string constants, so they are recoverable by anyone with read access to the repository or its history, to the built JAR (the values sit in the class file's constant pool and show up with `strings` or `javap -c`), or to a container image layer. They cannot be rotated without a code change and a redeploy, and a single long-lived IAM user key replaces the short-lived, role-scoped credentials the SDK would otherwise obtain from the runtime. The key pair shown is the placeholder from AWS documentation, not a live credential; a real one in this position, once pushed to a public repository, is routinely harvested by automated scanners within minutes.
Deterministic Fix
✅ Secure Implementation: Secure Implementation

```java
import java.util.Map;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.secretsmanager.AWSSecretsManager;
import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
import com.amazonaws.services.secretsmanager.model.GetSecretValueRequest;
import com.amazonaws.services.secretsmanager.model.GetSecretValueResult;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.support.VaultResponse;

// SECURE: read the secret from the environment and fail fast if it is missing
String apiKey = System.getenv("API_KEY");
if (apiKey == null || apiKey.isEmpty()) {
    throw new IllegalStateException("API_KEY environment variable not set");
}

// SECURE: AWS credential provider chain (env vars, ~/.aws/credentials, ECS task role,
// EC2 instance profile, web identity). No key material in the code or the image.
AmazonS3 s3 = AmazonS3ClientBuilder.standard()
    .withCredentials(new DefaultAWSCredentialsProviderChain())
    .build();

// SECURE: Spring externalized config; "api.key" also binds to the API_KEY environment
// variable, so the properties file committed to the repo never has to hold the value
@Value("${api.key}")
private String apiKey;

// SECURE: HashiCorp Vault (KV v2 engine). Reading "secret/data/myapp" returns a
// response whose "data" entry is itself a map; the secret fields live one level down.
@Autowired
private VaultTemplate vault;

public String getApiKey() {
    VaultResponse response = vault.read("secret/data/myapp");
    if (response == null || response.getData() == null) {
        throw new IllegalStateException("Vault secret secret/data/myapp not found");
    }
    @SuppressWarnings("unchecked")
    Map<String, Object> data = (Map<String, Object>) response.getData().get("data");
    return (String) data.get("apiKey");
}

// SECURE: AWS Secrets Manager; the client itself authenticates through the provider chain
private final AWSSecretsManager secretsManager = AWSSecretsManagerClientBuilder.defaultClient();

public String getSecretFromAWS(String secretName) {
    GetSecretValueRequest request = new GetSecretValueRequest().withSecretId(secretName);
    GetSecretValueResult result = secretsManager.getSecretValue(request);
    return result.getSecretString();
}
```

Why it's secure: none of these variants puts key material in the source tree, so the repository, its history and the built artifact contain nothing to leak, and rotation becomes a configuration change rather than a redeploy. The provider chain and the Secrets Manager client pick up short-lived credentials from the runtime (instance profile, ECS task role, IAM Roles for Service Accounts), which is the preferred production path. Environment variables are acceptable for local development, but they are readable by any process running as the same user (`/proc/<pid>/environ`), are inherited by child processes and tend to end up in crash dumps and diagnostic output, so prefer a secret manager or workload identity in production. Note that the AWS SDK for Java v1 classes shown have reached end of support; the v2 equivalents are `software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider` and `S3Client.builder()`.
Detection Pattern
Look for these patterns in your codebase:

```bash
# String literals assigned to credential-looking names
grep -rn 'API_KEY\|SECRET\|PASSWORD\|TOKEN' --include='*.java' . | grep -E '=\s*"'
# AWS access key IDs (AKIA = long-term IAM user key, ASIA = temporary STS key)
grep -rnE '(AKIA|ASIA)[0-9A-Z]{16}' --include='*.java' --include='*.properties' --include='*.yml' .
# Static credential providers in the AWS SDK
grep -rn 'BasicAWSCredentials\|AWSStaticCredentialsProvider' --include='*.java' .
```

grep only sees the working tree. Run a dedicated secret scanner such as gitleaks or trufflehog as well: they cover the full git history and every branch, which is where a credential removed from HEAD still lives.
Remediation Steps
- Remove all hardcoded credentials from source code, including test fixtures, sample configuration and build scripts
- Use environment variables for local development
- Use cloud secret managers (AWS Secrets Manager, GCP Secret Manager, Azure Key Vault) or the platform's workload identity (IAM roles, managed identities) in production
- Use HashiCorp Vault for on-premise deployments
- Rotate any credentials that were in source code: deleting the line does not remove the value from git history, forks, clones or old build artifacts, so treat it as compromised and revoke it at the provider. Rewriting history (for example with git filter-repo) reduces exposure but is not a substitute for rotation
- Add a pre-commit or CI secret scan so the pattern does not come back
Key Imports

```java
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.services.secretsmanager.AWSSecretsManager;
import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
import com.amazonaws.services.secretsmanager.model.GetSecretValueRequest;
import com.amazonaws.services.secretsmanager.model.GetSecretValueResult;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.support.VaultResponse;
```
Verification
After remediation:
- Run SAST scanner to confirm vulnerability is resolved
- Run a secret scanner over the full git history and all branches, not only the current tree
- Confirm the old credential has been revoked at the provider (for AWS, the access key is inactive or deleted in IAM)
- Review all instances of the vulnerable pattern
- Add unit tests that verify the secure implementation, for example that startup fails when API_KEY is unset instead of falling back to a built-in default
- Check for similar patterns in related code
Trigger Examples
Fix CWE-798 vulnerability
Resolve Hardcoded Credentials issue
Secure this Java code against hardcoded credentials
SAST reports CWE-798
Common Vulnerable Locations
| Layer | Files | Patterns |
|---|---|---|
| Controller | *Controller.java | Authentication filters that compare a submitted password or API token against a string literal |
| Service | *Service.java | SDK and HTTP clients built with static credentials (BasicAWSCredentials, Authorization headers carrying a literal token) |
| Repository | *Repository.java | JDBC/JPA setup with the user and password in the connection URL or in a constant |
| Configuration | *Config.java, application.properties | Secret values committed in config classes or property files instead of being injected from the environment |
References
Source: Generated by Java CWE Security Skills Generator Last Updated: 2026-03-07