C#-CWE-287

The application performs improper authentication, which can allow an attacker to bypass authentication mechanisms.

Required inputs: CSharpAST

This rule detects **improper authentication vulnerabilities (CWE-287)**, which occur when an application fails to correctly verify that a user is who they claim to be. The pattern this rule flags is one of the most common causes: credentials hardcoded in source, typically a comparison of the supplied username or password against a string literal. A hardcoded credential is recoverable by anyone who can read the source or decompile the assembly, is identical for every deployment of that build, and cannot be rotated without shipping new code; comparing against a plaintext literal also bypasses password hashing and account lockout entirely. Safe authentication delegates credential verification to a store of salted password hashes and an authentication framework that enforces a lockout policy. Example of a vulnerability:

public bool Login(string username, string password)
{
    // Vulnerability: Hardcoded credentials are used for authentication.
    if (username == "admin" && password == "password123")
    {
        // Grant access
        return true;
    }
    return false;
}
Example of a secure implementation:

// Using ASP.NET Core Identity: UserManager looks the account up, SignInManager verifies the password
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;

public class AccountService
{
    private readonly UserManager<IdentityUser> _userManager;
    private readonly SignInManager<IdentityUser> _signInManager;
    public AccountService(UserManager<IdentityUser> userManager, SignInManager<IdentityUser> signInManager)
        => (_userManager, _signInManager) = (userManager, signInManager);

    public async Task<SignInResult> SecureLogin(string username, string password)
    {
        var user = await _userManager.FindByNameAsync(username);
        if (user != null)
        {
            // The framework verifies the password against the stored salted hash and enforces lockout;
            // no credential value appears anywhere in the source.
            return await _signInManager.PasswordSignInAsync(user, password, isPersistent: false, lockoutOnFailure: true);
        }
        return SignInResult.Failed;
    }
}
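The detector below is an added example, not this rule's own implementation, showing the kind of AST-level check such a rule performs on C# source: it parses the input with Roslyn (the Microsoft.CodeAnalysis.CSharp NuGet package) and reports every `==` comparison or `Equals` call that tests an identifier whose name suggests a credential against a string literal, in either operand order. The list of credential-like name fragments and the report format (which reuses the `hardcoded_credentials` key and message text from the Possible Messages table below) are assumptions of this example. The embedded input is a constructed sample containing the vulnerable `Login` method above plus a `string.Equals` variant.

```csharp
// Added example: a minimal Roslyn-based detector for the hardcoded-credential pattern.
// Not the rule's implementation. Build with a reference to Microsoft.CodeAnalysis.CSharp.
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;

public static class HardcodedCredentialDetector
{
    // Assumed list of identifier fragments that suggest a credential is being compared.
    private static readonly string[] CredentialHints =
        { "user", "password", "passwd", "pwd", "secret", "token", "apikey" };

    // Parse the source and return one report line per suspicious comparison.
    public static List<string> Scan(string source, string path = "input.cs")
    {
        var tree = CSharpSyntaxTree.ParseText(source, path: path);
        var root = tree.GetRoot();
        var findings = new List<string>();

        // Form 1: `ident == "literal"` or `"literal" == ident`
        foreach (var bin in root.DescendantNodes().OfType<BinaryExpressionSyntax>()
                     .Where(b => b.IsKind(SyntaxKind.EqualsExpression)))
        {
            if (IsCredentialVsLiteral(bin.Left, bin.Right) || IsCredentialVsLiteral(bin.Right, bin.Left))
                findings.Add(Report(bin));
        }

        // Form 2: `ident.Equals("literal")` or `string.Equals(ident, "literal")` (either argument order)
        foreach (var call in root.DescendantNodes().OfType<InvocationExpressionSyntax>())
        {
            if (call.Expression is MemberAccessExpressionSyntax ma && ma.Name.Identifier.ValueText == "Equals")
            {
                var args = call.ArgumentList.Arguments.Select(a => a.Expression).ToList();
                if (args.Count == 1 && IsCredentialVsLiteral(ma.Expression, args[0]))
                    findings.Add(Report(call));
                else if (args.Count >= 2 &&
                         (IsCredentialVsLiteral(args[0], args[1]) || IsCredentialVsLiteral(args[1], args[0])))
                    findings.Add(Report(call));
            }
        }
        return findings;
    }

    // True when the first expression is a credential-like identifier and the second a string literal.
    private static bool IsCredentialVsLiteral(ExpressionSyntax maybeIdent, ExpressionSyntax maybeLiteral)
    {
        if (maybeIdent is not IdentifierNameSyntax id) return false;
        if (maybeLiteral is not LiteralExpressionSyntax lit || !lit.IsKind(SyntaxKind.StringLiteralExpression)) return false;
        var name = id.Identifier.ValueText.ToLowerInvariant();
        return CredentialHints.Any(hint => name.Contains(hint));
    }

    // Report format is an assumption that mirrors the rule's message key and text.
    private static string Report(SyntaxNode node)
    {
        var span = node.GetLocation().GetLineSpan();
        return $"{span.Path}:{span.StartLinePosition.Line + 1}: hardcoded_credentials: Hardcoded credentials detected. [{node}]";
    }

    public static void Main()
    {
        // Constructed sample input: the vulnerable Login method from this page plus an Equals variant.
        const string sample = @"
public class Auth
{
    public bool Login(string username, string password)
    {
        if (username == ""admin"" && password == ""password123"") return true;
        if (string.Equals(password, ""letmein"")) return true;
        return false;
    }
}";
        foreach (var finding in Scan(sample)) Console.WriteLine(finding);
    }
}
```

Running it on the sample yields three reports: the two `==` comparisons on line 6 of the sample and the `string.Equals` call on line 7. A comparison such as `role == "admin"` is not reported because `role` matches none of the hints, and a comparison of two identifiers is never reported because no string literal is involved; the hint list is what decides the precision-versus-recall trade-off, and a production rule would typically also follow `const` fields and local initializers back to their literal values.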

Possible Messages

| Key | Text | Severity | Disabled |
| --- | --- | --- | --- |
| hardcoded_credentials | Hardcoded credentials detected. | None | False |

Options