The "blowfish" field in ../vulnerabilities/static.js ("" line 28) looks like a hardcoded cryptographic key:
conf.blowfish = '****'
What's the risk?
Hardcoded cryptographic keys are a dangerous practice for a few reasons.
First, having cryptographic keys in source code implicitly gives access to all encrypted data to anyone with access to the code repository or built binaries. Given the history of source code disclosure flaws in server software, and the possibility of compromise when using cloud-based source code repositories, assuming attacker access to your source code is a prudent philosophy.
Second, hardcoded cryptographic keys make responding to security events more difficult. If a cryptographic key needs to be rotated, a new build must be elevated to compensate. If the value is pulled from a configuration file instead, the operations team can respond nearly instantaneously.
Recommendation
The key detected should be taken out of source code and made available via configuration
management. An encrypted properties file like the one provided by ESAPI would allow the code to
be taken out of the source code and be provided environment-specific values.
Alternatively, the value could be taken from System properties.
Vulnerability ID: 0Q8W-75VY-SK19-6Y9G
Application Name: AgentMessageGeneratorNode
Vulnerability Link: http://localhost:19080/Contrast/static/ng/index.html#/7c6cfec5-a187-4d5e-984a-d11d96d2ef63/applications/d944b35a-2925-43da-a27b-0fa1fac7d8aa/vulns/0Q8W-75VY-SK19-6Y9G
What Happened?
The "blowfish" field in ../vulnerabilities/static.js ("" line 28) looks like a hardcoded cryptographic key:
conf.blowfish = '****'
What's the risk?
Hardcoded cryptographic keys are a dangerous practice for a few reasons.
First, having cryptographic keys in source code implicitly gives access to all encrypted data to anyone with access to the code repository or built binaries. Given the history of source code disclosure flaws in server software, and the possibility of compromise when using cloud-based source code repositories, assuming attacker access to your source code is a prudent philosophy.
Second, hardcoded cryptographic keys make responding to security events more difficult. If a cryptographic key needs to be rotated, a new build must be elevated to compensate. If the value is pulled from a configuration file instead, the operations team can respond nearly instantaneously.
Recommendation
The key detected should be taken out of source code and made available via configuration management. An encrypted properties file like the one provided by ESAPI would allow the code to be taken out of the source code and be provided environment-specific values.
Alternatively, the value could be taken from System properties.
First Event
(no event)Last Event
(no event)HTTP Request
(No HTTP Request)
References
https://www.securecoding.cert.org/confluence/display/java/MSC03-J.+Never+hard+code+sensitive+information