Authorization / Database Connection String Disclosed

Description

Database connection string disclosed (CWE-209) is a vulnerability that occurs when a database connection string, such as a password, is disclosed in a web or API application or within the infrastructure. This can allow an attacker to gain access to the database and sensitive information stored within it. Furthermore, the OWASP Testing Guide identifies Database Connection Strings Disclosure as one of the top 10 most critical web security risks.

Risk

The risk of this vulnerability is high as an attacker could gain access to the database and its sensitive information. This could lead to the compromise of confidential data, leading to financial, reputational, and legal damage.

Solution

The best way to mitigate this vulnerability is to ensure that database connection strings are not stored in plain text. Instead, they should be stored in an encrypted or hashed format. It is also important to store the connection strings in a secure location, such as an environment variable or a configuration file outside of the webroot. Additionally, access to the configuration files should be restricted to a limited number of personnel.