SYM_JSTS_0049 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Use of Hard-coded Credentials
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-798: Use of Hard-coded Credentials |
OWASP | A07:2021 - Identification and Authentication Failures |
Confidence Level | High |
Impact Level | High |
Likelihood Level | High |
Description
The secret passed to express-session is a string literal in the source code. express-session uses this value to sign the session ID cookie, so it is a credential rather than a configuration value: anyone with read access to the repository, its history, build artifacts or container images obtains it, and it is easily leaked through version control, code sharing or error output. The secret should instead be loaded at runtime from an environment variable or a secrets manager; express-session also accepts an array of secrets, which allows rotation without invalidating every existing session at once.
Impact
An attacker who obtains the hard-coded secret can compute a valid signature for any session ID. Because express-session keeps session data in the server-side store and the cookie carries only the signed ID, that signature is what prevents a client from presenting an ID it was never issued; with the secret, any leaked or predictable session ID (a store dump, a log line, a weak custom genid) becomes a forged cookie the server accepts, letting the attacker impersonate that user and reach whatever the session authorizes. Sessions remain forgeable until the secret is rotated, and a leaked secret that reached version control must be treated as compromised even after the literal is removed from the code.