Category: Development & Engineering (no API key required)

cwe-522-insufficiently-protected-credentials

Use this skill when fixing CWE-522 (Insufficiently Protected Credentials) vulnerabilities in Java code. It is triggered by static application security testing (SAST) findings, security reviews, or remediation of insufficiently protected credential issues.

Author: jakexiaohubgithub

CWE-522 Insufficiently Protected Credentials

Description

Insufficiently Protected Credentials

Reference: https://cwe.mitre.org/data/definitions/522.html

OWASP Category: A07:2021 – Identification and Authentication Failures


Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

// VULNERABLE: the submitted password is persisted exactly as received (plaintext)
user.setPassword(request.getPassword());
userRepository.save(user);

Why it's vulnerable: the password is written to the database exactly as the user submitted it, so anyone who can read the table, a backup, a replica, or a log that echoes the entity obtains every user's plaintext credential. That is the condition CWE-522 describes: the credential exists in a form that gives no protection once the storage is exposed.


Deterministic Fix

✅ Example 2: Secure Implementation

// SECURE: Use BCrypt for password hashing
@Autowired
private PasswordEncoder passwordEncoder;

public void registerUser(UserRequest request) {
    User user = new User();
    user.setUsername(request.getUsername());
    user.setPassword(passwordEncoder.encode(request.getPassword()));
    userRepository.save(user);
}

Why it's secure: only a BCrypt hash of the password is stored. BCrypt applies a per-password random salt and a configurable, deliberately slow work factor, so a leaked table does not reveal usable passwords, identical passwords do not produce identical hashes, and each hash has to be attacked individually. The raw password is never persisted and is verified later with PasswordEncoder.matches() rather than a string comparison.


Detection Pattern

Look for these patterns in your codebase (the expression is a heuristic for plaintext password assignment and will need manual review of each hit):

# Find plaintext password storage
grep -rnE "setPassword.*getPassword|password.*=.*request" --include="*.java" .

Remediation Steps

  1. Use BCrypt or Argon2 for password hashing

  2. Never store plaintext passwords

  3. Use secure comparison for password verification

  4. Implement password complexity requirements
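The following class, added here as an illustration and not taken from the skill page or its generator, carries the four remediation steps through a complete registration and login flow with Spring Security's BCryptPasswordEncoder. It assumes spring-security-crypto is on the classpath; the in-memory UserStore and User types are stand-ins for the page's UserRepository and User entity, and the 12-character minimum is an example policy value.

```java
// Added example (not part of the original skill): end-to-end credential
// handling with BCrypt. Assumes spring-security-crypto on the classpath.
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class CredentialProtectionDemo {

    /** Hypothetical stand-in for the persisted user entity. */
    static final class User {
        final String username;
        String passwordHash;   // holds only a BCrypt hash, never the raw password
        User(String username, String passwordHash) {
            this.username = username;
            this.passwordHash = passwordHash;
        }
    }

    /** Hypothetical in-memory stand-in for UserRepository. */
    static final class UserStore {
        private final Map<String, User> rows = new HashMap<>();
        void save(User u) { rows.put(u.username, u); }
        Optional<User> findByUsername(String name) { return Optional.ofNullable(rows.get(name)); }
    }

    // Step 1: BCrypt with an explicit work factor. Cost 12 makes each hash
    // slow enough to blunt offline guessing while staying usable for logins.
    private final PasswordEncoder passwordEncoder = new BCryptPasswordEncoder(12);
    private final UserStore userStore = new UserStore();
    // Hash consumed when the username does not exist, so that path costs the
    // same time as a real verification (defensive, not required by the page).
    private final String absentUserHash = passwordEncoder.encode("absent-user-placeholder");

    /** Steps 1, 2 and 4: enforce a minimum policy, then persist only the hash. */
    public void registerUser(String username, String rawPassword) {
        if (rawPassword == null || rawPassword.length() < 12) {
            throw new IllegalArgumentException("password must be at least 12 characters");
        }
        // encode() draws a fresh random salt each call, so two users with the
        // same password get different stored values.
        userStore.save(new User(username, passwordEncoder.encode(rawPassword)));
    }

    /** Step 3: verify with matches(); never compare the stored value with equals(). */
    public boolean login(String username, String rawPassword) {
        Optional<User> found = userStore.findByUsername(username);
        if (found.isEmpty()) {
            passwordEncoder.matches(rawPassword, absentUserHash);
            return false;
        }
        User user = found.get();
        boolean ok = passwordEncoder.matches(rawPassword, user.passwordHash);
        if (ok && passwordEncoder.upgradeEncoding(user.passwordHash)) {
            // Stored hash was produced with a lower cost than the encoder now
            // uses: re-hash on successful login so the work factor can be raised.
            user.passwordHash = passwordEncoder.encode(rawPassword);
            userStore.save(user);
        }
        return ok;
    }

    /** Exposes the stored form so a test can confirm it is not the plaintext. */
    public Optional<String> storedHashFor(String username) {
        return userStore.findByUsername(username).map(u -> u.passwordHash);
    }

    public static void main(String[] args) {
        CredentialProtectionDemo demo = new CredentialProtectionDemo();
        demo.registerUser("alice", "correct horse battery staple");  // constructed sample
        String stored = demo.storedHashFor("alice").orElseThrow();
        System.out.println("stored value starts with $2: " + stored.startsWith("$2"));
        System.out.println("stored value equals plaintext: " + stored.equals("correct horse battery staple"));
        System.out.println("login with right password: " + demo.login("alice", "correct horse battery staple"));
        System.out.println("login with wrong password: " + demo.login("alice", "not the password"));
        System.out.println("login for unknown user: " + demo.login("bob", "anything at all"));
    }
}
```

The assertions a unit test would make after remediation (the page's Verification section) map directly onto this class: the stored value must start with the BCrypt prefix and must not equal the submitted password, matches() must return true for the right password and false otherwise, and two registrations with the same password must yield different stored values.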


Key Imports

import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;


Verification

After remediation:

  • Run SAST scanner to confirm vulnerability is resolved

  • Review all instances of the vulnerable pattern

  • Add unit tests that verify the secure implementation

  • Check for similar patterns in related code


Trigger Examples

Fix CWE-522 vulnerability
Resolve Insufficiently Protected Credentials issue
Secure this Java code against insufficiently protected credentials
SAST reports CWE-522

Common Vulnerable Locations

| Layer | Files | Patterns |
|-------|-------|----------|
| Controller | *Controller.java | User input handling |
| Service | *Service.java | Business logic |
| Repository | *Repository.java | Data access |


References

Source: Generated by Java CWE Security Skills Generator. Last Updated: 2026-03-07