Explanation
This rule detects whether a service call or REST service has a URL, username, password, or host and port parameter defined in the model. Having a URL or host and port defined in the model may result in unexpected behavior. These fields are not encrypted and may therefore cause security risks. Using the URL parameter and the username and password fields is recommended for test purposes only. It checks service calls of type:
- AQ_RestServiceClient
- AQ_SoapServiceClient
- AQ_MailService
Possible improvements
Configure the connection in the application.properties file only, and use encrypted values there. This also makes it possible to make the URL dependent on the environment.
See: https://my.blueriq.com/display/DOC/Connections+
See:
- My Blueriq - Security Encrypting connection passwords
- My Blueriq - Connections Properties
Example
For this SOAP Mail service call, the value of URL is set to "www.example.com", and the authorization parameters smtp-user and smtp-password are given example values.
This results in the following security hotspot:
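The check the rule performs can be illustrated with a small scanner. The following is an added example, not Blueriq's rule implementation or any code from this page: it walks a constructed in-memory list of service call definitions (the `ServiceCall` class and its sample values are assumptions for the example), reports every checked service call type that carries a URL, host/port, username or password value in the model, and leaves calls that only reference an externally configured connection alone.

```python
from dataclasses import dataclass, field

# Service call types the rule inspects (names taken from the rule description).
CHECKED_TYPES = {"AQ_RestServiceClient", "AQ_SoapServiceClient", "AQ_MailService"}

# Parameters that, when given a value in the model, are reported as a hotspot.
# URL, host, port, username and password come from the rule text; the smtp-*
# names come from the mail service example on this page.
SENSITIVE_PARAMETERS = {
    "url", "host", "port", "username", "password", "smtp-user", "smtp-password",
}


@dataclass
class ServiceCall:
    """Constructed, minimal stand-in for a service call definition in a model."""
    name: str
    call_type: str
    parameters: dict = field(default_factory=dict)


def find_hotspots(calls):
    """Return (call name, parameter name) pairs for every checked service call
    that defines a connection detail inside the model instead of leaving it
    to the (encrypted) connection configuration in application.properties."""
    hotspots = []
    for call in calls:
        if call.call_type not in CHECKED_TYPES:
            continue  # other task types are outside the rule's scope
        for param, value in call.parameters.items():
            # Parameter names are compared case-insensitively; an empty value
            # is treated as "not defined in the model".
            if param.lower() in SENSITIVE_PARAMETERS and value not in (None, ""):
                hotspots.append((call.name, param))
    return hotspots


# Constructed sample model: one mail service call mirroring the page's example,
# one REST call that only names an externally configured connection, and one
# task of a type the rule does not check.
SAMPLE_CALLS = [
    ServiceCall("SendMail", "AQ_MailService", {
        "URL": "www.example.com",
        "smtp-user": "example-user",
        "smtp-password": "example-password",
    }),
    ServiceCall("LookupCustomer", "AQ_RestServiceClient", {
        "Connection": "customer-api",  # details live in application.properties
    }),
    ServiceCall("LocalStep", "CustomTask", {  # constructed, not a checked type
        "URL": "http://localhost",
    }),
]

if __name__ == "__main__":
    for call_name, param in find_hotspots(SAMPLE_CALLS):
        print(f"security hotspot: {call_name} defines '{param}' in the model")
```

Run on the sample model, the scanner reports the three parameters of `SendMail` and nothing for the other two calls; moving the URL and credentials into an encrypted connection definition in application.properties, as the page recommends, makes the mail call disappear from the output as well.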