AutoComplete Not Disabled for 'Password' Field

Medium

Synopsis

The remote web application server may be prone to a policy violation.

Description

The remote web server is hosting a form that calls for a user password. However, the 'AutoComplete' functionality has not been disabled for the password. When AutoComplete is enabled, the client machine will store the form data for future use. This can be very dangerous as attackers can target confidential data that has been stored on the client computer.

Note : As of Internet Explorer 11, the 'autocomplete' property is no longer supported for 'input type=password' fields.

Solution

Set Autocomplete="OFF" within the web form. Any value other than "off" will result in AutoComplete being enabled.

Note : PVS only reports on the first occurrence of this item on a web server. The entire web source should be parsed for similar occurrences.
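As an added example (not PVS's own detection code), the following Python audit applies the rule above to a page's HTML source: a password field is treated as protected only when its own autocomplete attribute is "off" (any case) or, lacking one, when the enclosing form's is; anything else is reported. Unlike PVS it lists every occurrence rather than the first; the sample page and field names are constructed.

```python
from html.parser import HTMLParser


def _is_off(attrs):  # only the literal value "off" (any case) disables AutoComplete
    return (attrs.get("autocomplete") or "").strip().lower() == "off"


class PasswordAutocompleteAudit(HTMLParser):
    # A field's own autocomplete attribute wins; without one, the field inherits
    # the setting of its enclosing <form>.  Anything but "off" counts as enabled.
    def __init__(self):
        super().__init__()
        self.form_stack = []  # True for each open <form> carrying autocomplete="off"
        self.findings = []    # (line, column, field name) for each offending input

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser already lower-cases tag and attribute names
        if tag == "form":
            self.form_stack.append(_is_off(a))
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            protected = (_is_off(a) if "autocomplete" in a  # own value wins
                         else bool(self.form_stack and self.form_stack[-1]))  # inherit
            if not protected:
                line, col = self.getpos()
                self.findings.append((line, col, a.get("name", "<unnamed>")))

    def handle_endtag(self, tag):
        if tag == "form" and self.form_stack:
            self.form_stack.pop()


def audit_password_fields(html):
    """Return [(line, column, name), ...] for every password field left enabled."""
    parser = PasswordAutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: only "pass", "token" and "new_pw" should be reported.
SAMPLE_HTML = """
<form action="/login" method="post">
  <input type="password" name="pass">
  <input type="password" name="pin" autocomplete="OFF">
  <input type="password" name="token" autocomplete="new-password">
</form>
<form action="/change" method="post" autocomplete="off">
  <input type="password" name="old_pw">
  <input type="PASSWORD" name="new_pw" autocomplete="on">
</form>
"""
```

Running `audit_password_fields(SAMPLE_HTML)` reports the `pass`, `token` and `new_pw` fields with their source line and column, while `pin` (own "OFF") and `old_pw` (inherited from its form) pass.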