Critical: Exposed Secrets

Database Credentials Hardcoded in Application Source

What Is This Vulnerability?

Database connection strings or credentials (username and password) are written directly into the application source code. Anyone who can read the codebase, including its version-control history and any build artefact or container image it is bundled into, holds a working set of credentials; if they can also reach the database, they can read sensitive data, modify records, or drop tables entirely.

Why It Happens

During local development, developers hardcode database credentials for quick iteration. These values are often left in place when the code moves to staging or production. ORMs and database libraries that accept a connection string make it especially easy to paste a full URL such as postgres://user:password@host/db inline.

Example Code

Vulnerable: db.ts
import { Pool } from "pg";

// Literal credentials: readable by anyone with the repo and kept in git history
// even after this file is changed.
const pool = new Pool({
  host: "production-db.example.com",
  port: 5432,
  database: "myapp_production",
  user: "admin",
  password: "P@ssw0rd!2024Pr0d",
});

export default pool;

Fixed: db.ts
import { Pool } from "pg";

// Credentials come from the environment (populated by a secrets manager in
// production), never from source. Fail fast if the variable is missing rather
// than let pg fall back to PG* variables or localhost defaults.
const connectionString = process.env.DATABASE_URL;
if (!connectionString) {
  throw new Error("DATABASE_URL is not set");
}

const pool = new Pool({
  connectionString,
  ssl: process.env.NODE_ENV === "production" ? { rejectUnauthorized: true } : false,
});

export default pool;
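The vulnerable form above is easy to catch mechanically before it is committed. The following is an added example, not code from the page, of a small check that scans source text for the two patterns a hardcoded database credential usually takes: a connection URL with an embedded password, and a password-like key assigned a string literal. The rule names, the Finding shape, the helper names and the sample source are all constructed for this example; real secret scanners carry far larger rulesets.

```typescript
// Added example (not from the page): flag hardcoded database credentials in
// source text. Rule names, the Finding shape and the sample input are constructed.

export interface Finding {
  line: number;     // 1-based line number in the scanned source
  rule: string;     // which pattern fired
  excerpt: string;  // the offending line with the secret masked
}

// Rule 1: a URL-style connection string with an embedded password,
// e.g. postgres://user:secret@host:5432/db
const CONNECTION_URL_WITH_PASSWORD =
  /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|mssql):\/\/[^\s:'"]+:[^\s@'"]+@/i;

// Rule 2: a password-like key assigned a non-empty string literal
// (covers `password: "..."`, `"password": '...'`, `pwd = "..."`).
const PASSWORD_LITERAL =
  /\b(?:password|passwd|pwd)["']?\s*[:=]\s*(["'`])[^"'`]+\1/i;

// Lines that fetch the value at runtime are the intended fix; skip them so
// `password: process.env.DB_PASSWORD` is not reported as a finding.
const RUNTIME_SECRET_LOOKUP = /process\.env\.|getSecret|secrets?Manager/i;

// Mask the secret before the finding goes anywhere near CI output or a ticket.
function maskSecret(text: string): string {
  return text
    .replace(/(:\/\/[^\s:'"]+:)[^\s@'"]+@/g, "$1***@")
    .replace(/(\b(?:password|passwd|pwd)["']?\s*[:=]\s*["'`])[^"'`]+/gi, "$1***");
}

export function scanSource(source: string): Finding[] {
  const findings: Finding[] = [];
  source.split(/\r?\n/).forEach((text, index) => {
    if (RUNTIME_SECRET_LOOKUP.test(text)) return;
    if (CONNECTION_URL_WITH_PASSWORD.test(text)) {
      findings.push({ line: index + 1, rule: "connection-url-with-password", excerpt: maskSecret(text) });
    } else if (PASSWORD_LITERAL.test(text)) {
      findings.push({ line: index + 1, rule: "password-string-literal", excerpt: maskSecret(text) });
    }
  });
  return findings;
}

// Constructed sample: the vulnerable db.ts from this page, a URL-style variant,
// and two lines that are already fixed and must not be reported.
export const SAMPLE_SOURCE = [
  'import { Pool } from "pg";',
  "const pool = new Pool({",
  '  host: "production-db.example.com",',
  '  user: "admin",',
  '  password: "P@ssw0rd!2024Pr0d",',
  "});",
  'const legacy = "postgres://app:hunter2@db.internal:5432/myapp";',
  "const safe = new Pool({ connectionString: process.env.DATABASE_URL });",
  'const vaulted = { password: await getSecret("db/password") };',
].join("\n");
```

Run scanSource over each staged file in a pre-commit hook or CI step and fail the build when it returns any findings; because the excerpt is masked, the report can be pasted into a ticket without copying the secret a second time.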

How Hackers Exploit It

Attackers who gain access to the source code (through a leaked repository, a compromised developer machine, a published package or container image that bundles the code, or an insider) can connect directly to the database using the exposed credentials. From there, they can exfiltrate user data, inject malicious records, escalate privileges, or destroy the entire database. Because the credential is static and shared, removing it from the current code does not help on its own: the old value is still in version history and stays valid until it is rotated.

How to Fix It

Store database credentials in environment variables or a secrets manager and load the connection string from process.env at startup; fail fast if the variable is missing rather than letting the driver fall back to its defaults. Treat any credential that has ever been committed as compromised and rotate it as soon as it is removed from source. Give each environment (development, staging, production) its own credentials, rotate them on a schedule, and restrict database network access with firewalls and allow-lists so a leaked password alone is not enough to connect.
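The loading step deserves more care than a bare process.env read. As an added example (not the page's code and not pg's API), the loader below takes the environment as a parameter so it can be tested, refuses to start without DATABASE_URL, rejects non-Postgres schemes, refuses clear-text connections in production, and exposes a redacted form of the URL for logs so the password is not leaked a second time through an error message. The names loadDatabaseConfig, redactDatabaseUrl and ConfigError are assumptions; the returned object has the shape pg's Pool accepts, so the real call site would be new Pool(loadDatabaseConfig(process.env)).

```typescript
// Added example (not from the page): validate database settings loaded from the
// environment. Function and type names are constructed for this example; the
// result is shaped like pg's PoolConfig so it runs without the pg package.

export interface DatabaseConfig {
  connectionString: string;
  ssl: { rejectUnauthorized: boolean } | false;
}

export class ConfigError extends Error {}

// `env` is injected instead of reading process.env directly so the loader can
// be exercised with constructed environments.
export function loadDatabaseConfig(env: Record<string, string | undefined>): DatabaseConfig {
  const raw = env["DATABASE_URL"];
  if (!raw) {
    // Fail closed: an undefined connectionString would make the driver fall
    // back to PG* variables or localhost defaults and hide the misconfiguration.
    throw new ConfigError("DATABASE_URL is not set");
  }

  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    throw new ConfigError("DATABASE_URL is not a valid URL");
  }
  if (!/^postgres(ql)?:$/.test(url.protocol)) {
    throw new ConfigError("DATABASE_URL must use the postgres:// or postgresql:// scheme");
  }

  const production = env["NODE_ENV"] === "production";
  const sslmode = url.searchParams.get("sslmode");
  if (production && (sslmode === "disable" || sslmode === "allow" || sslmode === "prefer")) {
    // In production the password must not cross the network in clear text.
    throw new ConfigError("TLS is required for production database connections");
  }

  return {
    connectionString: raw,
    ssl: production ? { rejectUnauthorized: true } : false,
  };
}

// For logs and error messages: keep scheme, host, port and database; hide the password.
export function redactDatabaseUrl(raw: string): string {
  const url = new URL(raw);
  if (url.password) {
    url.password = "***";
  }
  return url.toString();
}
```

Call redactDatabaseUrl on the connection string anywhere it might be printed, including in the ConfigError paths of your own loader; a stack trace that includes the full URL is the same leak as the hardcoded literal.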

Frequently Asked Questions

What is the risk if my database is behind a firewall?
A firewall reduces the attack surface but does not eliminate the risk. If an attacker gains access to a machine within the firewall (through a compromised server or VPN), the hardcoded credentials let them connect directly. Defense in depth means securing credentials even behind network controls.
Should I use a connection string or individual parameters?
Either approach works as long as the values come from environment variables or a secrets manager. Connection strings (DATABASE_URL) are convenient because they consolidate host, port, user, password, and database name into a single variable that most ORMs support natively.
How often should I rotate database passwords?
Rotate database passwords at least every 90 days, and immediately after any suspected compromise. Automated rotation through tools like AWS Secrets Manager or HashiCorp Vault reduces the operational burden and ensures credentials are changed consistently.
