CWE-522: Insufficiently Protected Credentials
Overview
This guidance helps you interpret and remediate findings from DAST (Dynamic Application Security Testing) tools. The scanner detected that credentials were transmitted or stored without adequate protection. Evidence includes passwords sent over HTTP rather than HTTPS, credentials in URL parameters (which end up in server and proxy access logs), authentication tokens in cookies set without the Secure/HttpOnly flags, or credentials observably stored in client-side code or cookies. In each case, traffic analysis shows credentials transmitted in cleartext or otherwise inadequately protected.
Analyzing the Dynamic Scan Result
What the DAST Scanner Found
DAST findings for CWE-522 typically indicate that credentials were exposed or transmitted insecurely at runtime, such as:
- Credentials sent over unencrypted connections
- Credentials included in URLs, headers, or logs
- Authentication data exposed in responses or error messages
- Use of insecure authentication mechanisms without transport protection
Evidence is based on observing credential exposure during application execution, not on specific request parameters.
Mapping DAST Findings to Source Code
CWE-522 does not map to a single endpoint or parameter. The issue resides in how credentials are handled across the application lifecycle.
When tracing this issue in code, look for:
- Authentication and credential handling logic
- Transport security enforcement (HTTPS/TLS)
- Logging and error handling involving credentials
- Use of HTTP Basic or other mechanisms without transport protection
- Any code that constructs URLs, headers, or logs containing secrets
Remediation
Core Principle: Never allow credentials or secrets to be exposed outside a protected trust boundary; credentials must be protected in transit, at rest, and during processing, and must never appear in logs, URLs, or client-visible data.
→ For comprehensive remediation guidance, see Static CWE-522 Guidance
Language-Specific Guidance
The static guidance provides detailed remediation steps for many languages. If you need language-specific examples:
Verification and Follow-Up Testing
After applying the fix:
1. Verify Credential Handling
- Confirm credentials are never transmitted over unencrypted connections
- Verify credentials are not included in URLs, headers, or responses
- Ensure credentials are not logged or exposed in error messages
2. Test Edge Cases
- Authentication failures and error handling paths
- Redirects from HTTP to HTTPS
- Alternative authentication mechanisms (e.g., Basic, tokens)
Re-run DAST Scanner
Re-run the dynamic scanner to confirm credential exposure is no longer observed.