AutoComplete Not Disabled for 'Password' Field

medium Nessus Network Monitor Plugin ID 2810

Synopsis

The remote web application server may be prone to a policy violation.

Description

The remote web server is hosting a form that calls for a user password. However, the 'AutoComplete' functionality has not been disabled for the password. When AutoComplete is enabled, the client machine will store the form data for future use. This can be very dangerous as attackers can target confidential data that has been stored on the client computer.

Note: As of Internet Explorer 11, the 'autocomplete' property is no longer supported for 'input type=password' fields.

Solution

Set Autocomplete="OFF" within the web form. Any value other than "off" will result in AutoComplete being enabled.

Note: NNM only reports on the first occurrence of this item on a web server. The entire web source should be parsed for similar occurrences.
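Because NNM reports only the first occurrence, a defender will want to walk the whole page source for every password field. The following Python check is an added example, not part of the plugin or Tenable's code: it parses the HTML, records each 'input type=password' element, and flags any whose autocomplete value is missing or is anything other than "off", as the Solution describes. The sample form is constructed for the demonstration.

```python
from html.parser import HTMLParser


class PasswordAutocompleteAuditor(HTMLParser):
    """Collect every <input type="password"> and whether AutoComplete is off."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        # HTMLParser lowercases attribute names; values may be None if absent.
        attr = {k: (v or "") for k, v in attrs}
        if attr.get("type", "").strip().lower() != "password":
            return
        # Only the literal value "off" disables AutoComplete; a missing
        # attribute or any other value leaves it enabled (per the plugin text).
        value = attr.get("autocomplete")
        disabled = value is not None and value.strip().lower() == "off"
        self.findings.append({
            "line": self.getpos()[0],      # source line of the <input> tag
            "name": attr.get("name", ""),
            "autocomplete": value,
            "disabled": disabled,
        })


def audit_password_fields(html):
    """Return one finding dict per password input in the page source."""
    parser = PasswordAutocompleteAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


def vulnerable_fields(html):
    """Return only the password inputs where AutoComplete is still enabled."""
    return [f for f in audit_password_fields(html) if not f["disabled"]]


# Constructed sample page: one field with no attribute, one with a value other
# than "off", and one correctly disabled field.
SAMPLE_HTML = """<html><body>
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<form action="/change" method="post">
  <input type="PASSWORD" name="pw_new" autocomplete="new-password">
  <input type="password" name="pw_confirm" autocomplete="off">
</form>
</body></html>"""

if __name__ == "__main__":
    for f in vulnerable_fields(SAMPLE_HTML):
        print(f"line {f['line']}: field '{f['name']}' autocomplete={f['autocomplete']!r}")
```

Run against a saved copy of each page served by the host; every line printed is a field the plugin's Solution would flag.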

See Also

http://msdn.microsoft.com/en-us/library/ms533486(VS.85).aspx

http://www.nessus.org/u?e5505da9

Plugin Details

Severity: Medium

ID: 2810

Family: Web Servers

Published: 4/1/2015

Updated: 1/16/2019