Insecure Storage of Credentials
If an application stores login credentials in an insecure manner, then the security of the login mechanism is undermined, even though there may be no inherent flaw in the authentication process itself.
It is very common to encounter web applications in which user credentials are stored in unencrypted form within the database. Because the database account used by the application must have full read/write access to those credentials, many kinds of other vulnerabilities within the application may be exploitable to enable you to access these credentials — for example, command or SQL injection flaws (Chapter 9) or access control weaknesses (Chapter 8).
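As an added illustration (not the book's own code), the insecure pattern beside the hardened one: a constructed SQLite table holding one user whose password is stored in the clear and one whose password is kept only as a salted PBKDF2 hash, plus a helper showing what a read of that table gives away in each case. The iteration count is an assumed value.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory user table: one column for the plaintext approach and
# two columns (salt + derived hash) for the hardened approach, side by side.
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_plain TEXT,"
            " password_hash BLOB, salt BLOB)")

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to the server's budget

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow, one-way transform of the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def register_plaintext(username: str, password: str) -> None:
    """The pattern the text warns about: the secret itself is written to the DB."""
    _db.execute("INSERT INTO users (username, password_plain) VALUES (?, ?)",
                (username, password))

def register_hashed(username: str, password: str) -> None:
    """Hardened form: store a per-user random salt and the derived hash only."""
    salt = os.urandom(16)
    _db.execute("INSERT INTO users (username, password_hash, salt) VALUES (?, ?, ?)",
                (username, hash_password(password, salt), salt))

def verify_login(username: str, password: str) -> bool:
    """Check a login attempt against whichever form the user's row holds."""
    row = _db.execute("SELECT password_plain, password_hash, salt FROM users"
                      " WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    plain, digest, salt = row
    if digest is not None:
        # constant-time compare so the match position is not leaked via timing
        return hmac.compare_digest(hash_password(password, salt), digest)
    return plain == password

def stored_secret(username: str):
    """What a read of the users table (e.g. via an injection flaw) yields per row."""
    row = _db.execute("SELECT password_plain, password_hash FROM users"
                      " WHERE username = ?", (username,)).fetchone()
    return None if row is None else (row[0] if row[0] is not None else row[1])
```

For the plaintext row the table read returns the password itself; for the hashed row it returns only a 32-byte digest that still has to be attacked offline, and the same database-account access the text describes cannot do better.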
HACK STEPS