OWASP WrongSecrets

Database Connection String Exposure in Error Messages

One of the most common and dangerous ways secrets leak in real-world applications is through database connection strings that contain embedded credentials. When applications fail to connect to databases, they often expose the full connection string (including usernames and passwords) in error messages, logs, or even user-facing interfaces.

This challenge demonstrates a scenario where a developer:

Uses embedded credentials in connection strings instead of external secret management
Has poor error handling that exposes the full connection string when database connections fail
Logs sensitive information without sanitizing credentials first
Displays technical details that could reach monitoring systems, error tracking tools, or even end users

Common places where these exposed connection strings appear:

Application startup logs when database is unavailable
Exception stack traces in monitoring tools like Sentry, Rollbar, or CloudWatch
Error messages displayed to users during maintenance windows
CI/CD pipeline logs when deployment health checks fail
Docker container logs during orchestration failures

Real-world examples:

Applications that fail health checks during Kubernetes deployments
Microservices that can’t reach their database during startup
Database migration scripts that fail with exposed connection details
Development/testing environments where error verbosity is set too high

How to trigger the error:

Push the button at the bottom of the screen or visit the /error-demo/database-connection endpoint to simulate a database connection failure. This endpoint attempts to connect to a database using a connection string with embedded credentials, and when it fails, it exposes the credentials in both the HTTP response and application logs.

Can you find the database password that gets exposed when the application tries to connect to the database?

Hint: Look for database connection error messages that reveal more than they should.

🔑 Enter the secret you found: 💡 Tip: Secrets are often strings, numbers, or encoded values. Copy and paste exactly what you find.

💡 Show Hints 🔍 What's Wrong?

Hint for Challenge 58

This challenge demonstrates a very common security anti-pattern: database connection strings with embedded credentials that leak through error messages.

Where to look:

Try the error endpoint: Visit /error-demo/database-connection to trigger a database connection failure
Check the response: The application will attempt to connect to a database and fail, exposing the connection string
Look at logs: The application also logs the error with the exposed credentials

What to look for:

JDBC connection URLs often contain sensitive information
Look for patterns like jdbc:postgresql://…?user=USERNAME&password=PASSWORD
The error message will show the full connection string when the database connection fails

Real-world context:

This is one of the most common ways secrets leak in production: - Database connection failures during application startup - Health check failures in container orchestration - Development environments with verbose error reporting - CI/CD pipelines where database connections fail

Remember: The goal is to find the database password that gets exposed in the error message when the connection fails.

Why Challenge 58 Matters: Database Connection String Exposure

The Problem:

This challenge exposes one of the most frequent and dangerous secret leakage scenarios in real-world applications: database connection strings with embedded credentials that get exposed through poor error handling.

Why This Happens:

Embedded Credentials: Developers put usernames and passwords directly in connection strings instead of using environment variables or secret management systems
Poor Error Handling: Applications don’t sanitize error messages before logging or displaying them
Verbose Error Reporting: Development practices leak into production with detailed error messages
Wide Distribution: Error messages reach logs, monitoring systems, error tracking tools, and sometimes even end users

Real-World Impact:

Production Database Compromises: Exposed credentials lead to direct database access
Data Breaches: Once database credentials are leaked, all stored data is at risk
Lateral Movement: Database access can be used to pivot to other systems
Compliance Violations: Exposed credentials violate security standards and regulations

Common Exposure Vectors:

Application startup logs when database is unavailable
Health check failures in Kubernetes/Docker environments
CI/CD pipeline logs during deployment failures
Error tracking services (Sentry, Rollbar, Bugsnag)
CloudWatch, Azure Monitor, or Google Cloud Logging
Support tickets when users report errors

Prevention:

External Secret Management: Use environment variables, AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault
Connection String Sanitization: Strip credentials from error messages before logging
Least Privilege Logging: Don’t log connection strings or technical details that could contain secrets
Separate Database Users: Use read-only users for applications that don’t need write access
Connection Pooling: Use connection pooling libraries that handle credentials securely

The Bottom Line:

Database connection string exposure is preventable with proper secret management practices and careful error handling. This vulnerability type has led to countless production breaches and should never occur in well-designed applications.

🔍 Your Task

Database Connection String Exposure in Error Messages

Hint for Challenge 58

Why Challenge 58 Matters: Database Connection String Exposure

🗄️ Database Connection Error Demo

🔍 Your Task

Database Connection String Exposure in Error Messages

Hint for Challenge 58

Why Challenge 58 Matters: Database Connection String Exposure

Congratulations!

🗄️ Database Connection Error Demo