# Inclusion of Sensitive Information in Source Code

| Property | Value |
|---|---|
| Language | Ruby |
| Severity | |
| CWE | CWE-540: Inclusion of Sensitive Information in Source Code |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
## Description
The application assigns a hardcoded string value to a Rails session secret (such as secret_key_base) directly in the source code. Storing secrets this way exposes them to anyone with access to the codebase, making it insecure.
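The following is an added example, not code from the original rule page: a small Ruby detector that flags the pattern described above (a string literal assigned to a Rails session secret), run against a constructed vulnerable configuration and a constructed safe one. The safe variant assumes the secret is supplied through `ENV["SECRET_KEY_BASE"]`, which current Rails versions also consult on their own.

```ruby
# Added example for this rule; it is not code from the original page. It flags
# Ruby source lines that assign a string literal to a Rails session secret and
# shows the safe alternative. All sample snippets below are constructed.

SECRET_KEYS = %w[secret_key_base secret_token].freeze

# Matches `secret_key_base = "..."`, `secret_key_base: '...'` and similar
# assignments of a quoted literal to one of the secret names above.
HARDCODED_SECRET = /\b(#{SECRET_KEYS.join('|')})\s*[=:]\s*(["'])([^"']+)\2/

# Returns [[line_number, key_name, redacted_value], ...] for each hardcoded
# secret. The value is redacted so the report itself does not leak the secret.
def find_hardcoded_secrets(source)
  source.each_line.with_index(1).filter_map do |line, lineno|
    m = HARDCODED_SECRET.match(line)
    next unless m
    [lineno, m[1], "#{m[3][0, 4]}...(#{m[3].length} chars)"]
  end
end

# Vulnerable pattern (constructed): the secret lives in the repository.
VULNERABLE_CONFIG = <<~RUBY
  Rails.application.configure do
    config.secret_key_base = "0123456789abcdef0123456789abcdef"
  end
RUBY

# Safe pattern (constructed): the secret is supplied at runtime. Rails also
# resolves secret_key_base from ENV["SECRET_KEY_BASE"] or encrypted credentials
# on its own; ENV.fetch without a default makes a missing secret fail fast.
SAFE_CONFIG = <<~RUBY
  Rails.application.configure do
    config.secret_key_base = ENV.fetch("SECRET_KEY_BASE")
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  find_hardcoded_secrets(VULNERABLE_CONFIG).each do |lineno, key, redacted|
    puts "line #{lineno}: hardcoded #{key} = #{redacted}"
  end
  puts "safe config findings: #{find_hardcoded_secrets(SAFE_CONFIG).size}"
end
```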
## Impact
If an attacker obtains the exposed session secret, they can forge or tamper with session data, potentially impersonating users or escalating privileges. This compromises user authentication and can lead to unauthorized access, data breaches, and loss of trust.