Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarQube for IDE
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarQube Cloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube Server

Secrets
ABAP
Ansible
Apex
AzureResourceManager
C
C#
C++
CloudFormation
COBOL
CSS
Dart
Docker
Flex
GitHub Actions
Go
HTML
Java
JavaScript
JSON
JCL
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Rust
Scala
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML
YAML

C# static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your C# code

Tags

Impact

Clean code attribute

Server-side requests should not be vulnerable to traversing attacks
Vulnerability
Content Security Policies should be restrictive
Vulnerability
JWT secret keys should not be disclosed
Vulnerability
Stack traces should not be disclosed
Vulnerability
Loop boundaries should not be vulnerable to injection attacks
Vulnerability
Connection strings should not be vulnerable to injections attacks
Vulnerability
Memory allocations should not be vulnerable to Denial of Service attacks
Vulnerability
Accessing files should not lead to filesystem oracle attacks
Vulnerability
Environment variables should not be defined from untrusted input
Vulnerability
XML operations should not be vulnerable to injection attacks
Vulnerability
XML signatures should be validated securely
Vulnerability
Applications should not create session cookies from untrusted input
Vulnerability
Reflection should not be vulnerable to injection attacks
Vulnerability
Extracting archives should not lead to zip slip vulnerabilities
Vulnerability
OS commands should not be vulnerable to argument injection attacks
Vulnerability
Types allowed to be deserialized should be restricted
Vulnerability
JWT should be signed and verified with strong cipher algorithms
Vulnerability
Cipher algorithms should be robust
Vulnerability
Encryption algorithms should be used with secure mode and padding scheme
Vulnerability
Insecure temporary file creation methods should not be used
Vulnerability
Passwords should not be stored in plaintext or with a fast hashing algorithm
Vulnerability
Dynamic code execution should not be vulnerable to injection attacks
Vulnerability
NoSQL operations should not be vulnerable to injection attacks
Vulnerability
HTTP request redirections should not be open to forging attacks
Vulnerability
Logging should not be vulnerable to injection attacks
Vulnerability
Server-side requests should not be vulnerable to forging attacks
Vulnerability
Deserialization should not be vulnerable to injection attacks
Vulnerability
Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks
Vulnerability
Server certificates should be verified during SSL/TLS connections
Vulnerability
LDAP connections should be authenticated
Vulnerability
Cryptographic keys should be robust
Vulnerability
Weak SSL/TLS protocols should not be used
Vulnerability
Secure random number generators should not output predictable values
Vulnerability
Serialization constructors should be secured
Vulnerability
Members should not have conflicting transparency annotations
Vulnerability
"CoSetProxyBlanket" and "CoInitializeSecurity" should not be used
Vulnerability
Database queries should not be vulnerable to injection attacks
Vulnerability
Cipher Block Chaining IVs should be unpredictable
Vulnerability
XML parsers should not be vulnerable to XXE attacks
Vulnerability
Regular expressions should not be vulnerable to Denial of Service attacks
Vulnerability
A secure password should be used when connecting to a database
Vulnerability
XPath expressions should not be vulnerable to injection attacks
Vulnerability
I/O function calls should not be vulnerable to path injection attacks
Vulnerability
LDAP queries should not be vulnerable to injection attacks
Vulnerability
OS commands should not be vulnerable to command injection attacks
Vulnerability
Password hashing functions should use an unpredictable salt
Vulnerability

Passwords should not be stored in plaintext or with a fast hashing algorithm

responsibility - trustworthy

security

Vulnerability

cwe
spring

The improper storage of passwords poses a significant security risk to software applications. This vulnerability arises when passwords are stored in plaintext or with a fast hashing algorithm. To exploit this vulnerability, an attacker typically requires access to the stored passwords.

Why is this an issue?

How can I fix it?

More Info

Attackers who would get access to the stored passwords could reuse them without further attacks or with little additional effort.
Obtaining the plaintext passwords, they could then gain unauthorized access to user accounts, potentially leading to various malicious activities.

What is the potential impact?

Plaintext or weakly hashed password storage poses a significant security risk to software applications.

Unauthorized Access

When passwords are stored in plaintext or with weak hashing algorithms, an attacker who gains access to the password database can easily retrieve and use the passwords to gain unauthorized access to user accounts. This can lead to various malicious activities, such as unauthorized data access, identity theft, or even financial fraud.

Credential Reuse

Many users tend to reuse passwords across multiple platforms. If an attacker obtains plaintext or weakly hashed passwords, they can potentially use these credentials to gain unauthorized access to other accounts held by the same user. This can have far-reaching consequences, as sensitive personal information or critical systems may be compromised.

Regulatory Compliance

Many industries and jurisdictions have specific regulations and standards to protect user data and ensure its confidentiality. Storing passwords in plaintext or with weak hashing algorithms can lead to non-compliance with these regulations, potentially resulting in legal consequences, financial penalties, and damage to the reputation of the software application and its developers.

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

Available Since
10.6

Analyze code in your
on-premise CI

Developer Edition
Available Since
10.6

In-IDE

SaaS

Self-Hosted