Enabled default credentials - C-Sharp

Enabled default credentials - C-Sharp

Need

Enforcement of strong and unique credentials

Context

  • Usage of C# for building robust and scalable applications
  • Usage of Microsoft.Extensions.DependencyInjection for dependency injection in .NET applications
  • Usage of Microsoft.EntityFrameworkCore for object-relational mapping (ORM) in .NET applications
  • Usage of Microsoft.EntityFrameworkCore.SqlServer for connecting and interacting with SQL Server databases in .NET applications
  • Usage of NetTopologySuite for advanced spatial data processing and analysis

Description

Non compliant code

        public void ConfigureServices(IServiceCollection services)
{
    services.AddDbContext(options =>
        options.UseSqlServer(
            Configuration.GetConnectionString("DefaultConnection"),
            x => x.UseNetTopologySuite()));
}

The above code is a configuration for connecting to a SQL Server database using Entity Framework in an ASP.NET Core application. The connection string is stored in the appsettings.json file and it uses a weak username and password combination ( sa and Password123), which are default credentials.

The vulnerability lies in the use of these low-strength, default credentials. They are easy to guess and pose a serious security risk as they can potentially allow unauthorized users to gain access to the database. This could lead to data theft, corruption, or other malicious activities.

To make matters worse, the credentials are stored in plaintext within the appsettings.json file. This means that anyone who has access to the source code or the server where the application is hosted can easily read the credentials.

In a production environment, it is extremely important to use strong, unique credentials and to store them securely. This can be achieved by using environment variables or secure configuration services like Azure Key Vault.

Steps

  • Remove the usage of default credentials.
  • Use strong and unique credentials for accessing system resources.
  • Avoid hardcoding credentials in the code.
  • Store credentials securely, such as in a configuration file or a secure key vault.
  • Implement proper authentication and authorization mechanisms to control access to system resources.
  • Regularly review and update credentials to ensure they are not compromised.
  • Follow security best practices and guidelines provided by the ASP.NET Core framework.

Compliant code

        public void ConfigureServices(IServiceCollection services)
{
    services.AddDbContext(options =>
        options.UseSqlServer(
            Configuration["ConnectionStrings:DefaultConnection"],
            x => x.UseNetTopologySuite()));
}

The original code was vulnerable because it was using default credentials to access the database. This is a security risk as it makes the system susceptible to unauthorized access and potential data breaches.

The updated code no longer uses default credentials. Instead, it retrieves the connection string from a configuration file. This is a more secure approach as it allows for the use of strong, unique credentials that are not hardcoded into the application code.

In addition to this change, it is recommended to store the configuration file in a secure location and implement proper authentication and authorization mechanisms to control access to system resources. Regularly reviewing and updating credentials can also help to ensure they are not compromised.

Following these steps and adhering to security best practices and guidelines provided by the ASP.NET Core framework can significantly reduce the risk of security vulnerabilities related to the use of default credentials.

References