Hard-coded credentials refer to embedding authentication information such as usernames, passwords, API keys, or cryptographic keys directly into the source code. Developers might do this for convenience, testing, or quick deployment. However, these credentials often remain in production, creating vulnerabilities.
At its core, SSRF arises when an attacker can manipulate a server to send HTTP requests to arbitrary destinations, often bypassing firewalls, access controls, and other security measures. The vulnerability stems from improper validation of user-supplied URLs or inputs that dictate server-side request behaviour.
CWE-200 refers to a software flaw where sensitive information—such as personal data, proprietary business details, or system configurations—is unintentionally exposed to individuals or entities without proper authorisation. This weakness typically results from poor implementation of access controls, inadequate data masking, or flawed logic in data-handling processes.
Improper Authentication occurs when a software application fails to properly verify the identity of a user or system attempting to gain access. This weakness enables unauthorised entities to bypass security measures and gain access to sensitive data or system functionalities.
OS Command Injection occurs when an application dynamically constructs operating system (OS) commands using untrusted inputs, enabling an attacker to execute arbitrary commands on the host system. These commands often run with the same privileges as the application, amplifying the potential impact.