lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Oracle WebLogic Server

Oraclemiddleware3 credentials

Credentials3 documented
01

WebLogic Administrator Password

oracle-weblogic / administrator-password

WebLogic Server security realms authenticate users for administrative and application access. Oracle documents security realms, authentication providers, and user/password protection in WebLogic Server.

user definedsecretusername/password

Location

database

WebLogic embedded LDAP or configured authentication provider storing users and password verifier material

public interface
Administration Console, Node Manager, T3/HTTP management endpoints

WebLogic administrative login surfaces

config file

domain config, provisioning scripts, and security provider configuration

secret store

credential stores, deployment vaults, Kubernetes Secrets, and domain secrets

source code

domain templates, WLST scripts, Docker Compose files, and committed config

logs

domain creation logs, boot logs, and authentication troubleshooting output

Notes

WebLogic administrator passwords are chosen during domain creation or provisioning; there is no universal static WebLogic administrator password.

02

Boot Identity File Credential

oracle-weblogic / boot-identity-file

WebLogic Server can use boot identity files to start servers without interactively entering the administrator username and password. These files contain boot credentials that WebLogic protects after use.

user definedsecretusername/password

Looks like

pattern
pattern

WebLogic boot.properties username or password entry

^(?:username|password)\s*=\s*[^\r\n]+$

Location

config file
boot.properties

WebLogic server boot identity file

secret store

domain backups, Kubernetes Secrets, and provisioning vault entries

source code

committed domains, container images, and WLST provisioning scripts

artifact

domain archives and server backups containing boot.properties

logs

startup traces and provisioning output showing boot identity file locations

Notes

Even if WebLogic later encrypts the file contents, boot identity files in backups or images remain sensitive operational credentials.

03

Credential Mapping / Data Source Secret

oracle-weblogic / credential-mapping-secret

WebLogic security includes credential mapping providers and supports stored credentials for data sources, JMS, and outbound resources. WebLogic protects passwords in configuration but they remain sensitive deployment secrets.

user definedsecretsecret value

Location

config file

config.xml, JDBC data source descriptors, JMS modules, and deployment plans

secret store

WebLogic credential stores, domain encryption key material, Kubernetes Secrets, and vaults

source code

domain templates, WLST scripts, and committed deployment plans

artifact

domain backups and container images containing encrypted configuration

Notes

Domain encryption key material plus encrypted configuration can expose downstream database, LDAP, JMS, and service credentials.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.