Auto complete not disabled

OWASP 2013-A5, OWASP 2017-A6, CWE-200, WASC-15

Auto Complete Not Disabled is a medium risk vulnerability that can leak sensitive information such as credit card details and passwords. If the developer omits autocomplete="off" on input fields that carry such data, the end users can be exposed to serious consequences. All major browsers can save login credentials entered on different websites: the browser caches the data and stores it locally and, with sync enabled, in the cloud. If the local computer or the cloud account is compromised, the attacker can reuse the stored credentials to perform attacks against the victim user. This potential vulnerability can be fixed by adding autocomplete="off" to all input fields that hold sensitive information.

Example

The following is an example of a vulnerable input field.

        <!-- vulnerable: the browser is explicitly allowed to store the password -->
        <INPUT TYPE="password" AUTOCOMPLETE="on">

Impact

If the browser profile or the cloud account in which the credentials are saved gets compromised, the attacker can:

  • cause a major data breach involving user credentials.
  • manipulate any information accessible with these credentials.

Mitigation / Precaution

Beagle recommends the following fix:

  • Set the autocomplete attribute to "off" on every input element that is used for passwords or contains sensitive information.
        <INPUT TYPE="password" autocomplete="off">
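The following Python script is an added example, not code from the original page or from Beagle; it shows how a defender can check a page's markup for the issue described above before it reaches production. It parses HTML with the standard library, flags password fields and fields whose name or id hints at card or other sensitive data, and treats an input as safe when it, or its enclosing form, sets autocomplete="off" (the value "new-password" is also accepted, since it likewise tells the browser not to fill the field from stored credentials). The sample markup, the type and name heuristics, and the function names are constructed for this example.

```python
"""Scan HTML markup for sensitive <input> fields whose autocomplete is not disabled."""
from html.parser import HTMLParser

# Heuristics for "sensitive" fields: the password type, plus name/id fragments
# that commonly mark payment or identity data. Extend to fit your application.
SENSITIVE_TYPES = {"password"}
SENSITIVE_NAME_HINTS = ("card", "cvv", "cvc", "ssn", "secret")

# autocomplete values that stop the browser from storing/filling the field.
SAFE_AUTOCOMPLETE_VALUES = {"off", "new-password"}


class AutocompleteAuditor(HTMLParser):
    """Collect sensitive <input> elements that still allow autocomplete."""

    def __init__(self):
        super().__init__()
        self.findings = []            # (line, type, name) of each flagged input
        self.form_autocomplete = None  # autocomplete value of the enclosing <form>

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names; normalise values too.
        attrs = {k: (v or "").lower() for k, v in attrs}
        if tag == "form":
            self.form_autocomplete = attrs.get("autocomplete")
            return
        if tag != "input" or not self._is_sensitive(attrs):
            return
        # A field-level attribute overrides the form-level one.
        value = attrs.get("autocomplete", self.form_autocomplete)
        if value in SAFE_AUTOCOMPLETE_VALUES:
            return
        line, _ = self.getpos()  # line on which this <input> tag starts
        self.findings.append((line, attrs.get("type", "text"), attrs.get("name", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_autocomplete = None

    @staticmethod
    def _is_sensitive(attrs):
        if attrs.get("type", "text") in SENSITIVE_TYPES:
            return True
        label = attrs.get("name", "") + attrs.get("id", "")
        return any(hint in label for hint in SENSITIVE_NAME_HINTS)


def audit_html(markup):
    """Return [(line, type, name), ...] for sensitive inputs that lack autocomplete off."""
    auditor = AutocompleteAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.findings


# Constructed sample page: two vulnerable password fields and one exposed CVV
# field; the card number is covered by its form's autocomplete="off".
SAMPLE_HTML = """<form action="/login">
  <INPUT TYPE="text" NAME="username">
  <INPUT TYPE="password" NAME="pwd" AUTOCOMPLETE="on">
  <INPUT TYPE="password" NAME="pwd2">
</form>
<form action="/pay" autocomplete="off">
  <input type="text" name="card_number">
</form>
<input type="text" name="cvv">
<input type="password" name="new_pwd" autocomplete="new-password">
"""

if __name__ == "__main__":
    for line, field_type, name in audit_html(SAMPLE_HTML):
        print(f"line {line}: <input type={field_type!r} name={name!r}> allows autocomplete")
```

Run it against exported templates or a saved copy of the rendered page; each finding names the line and field so the fix is a one-attribute change. Note that the built-in password managers of current major browsers ignore autocomplete="off" on login fields, so the attribute is a defence-in-depth measure rather than a guarantee that credentials will never be stored.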
