lolcreds

Public credential defaults and exposure patterns for authorized security testing.

SAP Hybris / SAP Commerce

SAPenterprise app4 credentials1 default credential

Credentials4 documented
01

Local Development Admin Console Credential

sap-hybris / admin-console-default

SAP Commerce/Hybris development and accelerator setups commonly include local administrative users for HAC, backoffice, and administration consoles. Production deployments should change seeded/demo credentials and rely on configured identity stores.

static defaultuser definedsecretusername/password

Default credentials

admin:nimda

Location

public interface
Hybris Administration Console, Backoffice, SmartEdit, OCC, and storefront login
database

SAP Commerce user model tables and password hash fields

config file

local.properties, project.properties, impex seed data, and deployment configs

artifact

database dumps, initialization exports, and environment backups

Notes

admin/nimda is modeled as a common seeded/development credential; do not assume it is valid for hardened production Commerce Cloud deployments.

02

Customer / Employee Password Hash

sap-hybris / user-password-hash

SAP Commerce stores employee, administrator, and customer account password hashes in the platform database.

user definedgenerated on installsecretusername/password

Location

database

SAP Commerce user/customer/employee item tables and credential attributes

public interface
storefront, OCC APIs, Backoffice, HAC, and SmartEdit
source code

impex files, sample data, integration tests, and initialization scripts

artifact

database dumps and system copies

03

OAuth / OCC Client Secret

sap-hybris / oauth-client-secret

SAP Commerce OAuth2/OCC integrations use client IDs, client secrets, access tokens, and refresh tokens for API access.

generated on installuser definedsecretsecret value

Location

http header
Authorization

Bearer token or Basic client credentials used for OCC/OAuth requests

database

OAuth client details, access token, and refresh token storage

config file

local.properties, extension config, manifest secrets, and API client configs

environment
HYBRIS_CLIENT_SECRET, SAP_COMMERCE_CLIENT_SECRET, OCC_CLIENT_SECRET
secret store

Commerce Cloud portal variables, Kubernetes Secrets, and vaults

source code

integration clients and tests

logs

OAuth debug logs and API traces

04

Database, Mail, Search, and Integration Secrets

sap-hybris / database-mail-integration-secrets

SAP Commerce configuration contains database passwords, SMTP passwords, Solr credentials, payment provider secrets, SSO/SAML keys, and extension-specific integration tokens.

user definedgenerated on installsecretsecret value

Looks like

pattern
pattern

SAP Commerce properties line carrying a password or secret

(?i)^(db\.password|mail\.smtp\.password|.*\.secret|.*\.password)\s*=\s*.+$

Location

config file
local.properties, project.properties, manifest.json

runtime and extension secret configuration

secret store

SAP Commerce Cloud variables, vaults, and Kubernetes/Docker secrets

source code

extension properties, impex, deployment templates, and CI variables

logs

startup, integration, and payment/debug logs

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.