Use of hardcoded credentials #16

Open
anzosasuke opened this issue Sep 12, 2023 · 2 comments

Comments

@anzosasuke

anzosasuke commented Sep 12, 2023

I was using the BAP toolkit's Primus checks on the Juliet test suite CWE259 (a child of hard-coded credentials, CWE 798) to detect hardcoded passwords, but somehow it didn't detect any. Hard-coded credentials should also have accounted for hard-coded passwords; could you share some insights on why it was unsuccessful? Any thoughts would be greatly appreciated. Thanks

@anzosasuke
Author

I really need to know about this. Could you share any insights or answers? @ivg

@ivg
Member

ivg commented Sep 18, 2023

The rule policy for check-hardcoded-values only checks for hardcoded socket addresses. There's currently no provision for passwords.

;; Report an incident when the sockaddr argument points into static
;; (read-only, compile-time) data, i.e. the address was hardcoded.
(defun check-hardcoded-socket-address (sockaddr-ptr)
  (when (points-to-static-data sockaddr-ptr 16)
    (incident-report 'hardcoded-socket-address (incident-location))))

;; Hook the socket calls whose second argument is a sockaddr.
(defmethod call (name fd addr)
  (when (is-in name 'accept 'bind 'connect)
    (check-hardcoded-socket-address addr)))

;; sendto/recvfrom carry the sockaddr as their sixth argument.
(defmethod call (name fd buf size flags addr len)
  (when (is-in name 'sendto 'recvfrom)
    (check-hardcoded-socket-address addr)))
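Since the policy only hooks socket calls, a Juliet CWE259 case (a credential compared against a string literal) never reaches it. As an added sketch, not part of BAP or of the check-hardcoded-values policy, the same pattern could hook the comparison functions instead; it assumes the primitives from the rule above (points-to-static-data, incident-report, incident-location, is-in) keep their meaning, and the size argument 1 is an assumption (one byte of static data is enough to show the pointer targets a literal).

```lisp
;; Added sketch, not BAP's own policy. Assumes the primitives used by
;; check-hardcoded-values keep the meaning they have in the socket rule.
;; Size 1 is an assumed value: any pointer into static data counts.
(defun check-hardcoded-string-compare (ptr)
  (when (points-to-static-data ptr 1)
    (incident-report 'hardcoded-string-compare (incident-location))))

;; CWE259-style sink: a credential compared with strcmp-like calls.
;; Either operand may be the literal, so both are checked.
(defmethod call (name s1 s2)
  (when (is-in name 'strcmp 'strcoll)
    (check-hardcoded-string-compare s1)
    (check-hardcoded-string-compare s2)))

;; Length-bounded variants carry the same two operands plus a size.
(defmethod call (name s1 s2 n)
  (when (is-in name 'strncmp 'memcmp)
    (check-hardcoded-string-compare s1)
    (check-hardcoded-string-compare s2)))
```

This fires on every comparison against a literal, not just on passwords, so the resulting incidents still need triage; the policy has no notion of which buffer holds a credential.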
