Autocomplete enabled in login form

Description

In most web browsers, a user can save the username and password entered in HTML forms.

Business Impact

Some data submitted in forms may contain sensitive information (for example, a credit card security code).

As a website author, you might prefer that the browser not remember the values for such fields, even if the browser’s autocomplete feature is enabled.

An attacker who finds a vulnerability in an application related to this site, such as Cross-Site Scripting, could exploit it to recover credentials stored by the browser.

Recommendation

Make sure to add autocomplete="off" to the form to prevent this finding from recurring.
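The following is an added example (not Kayran's own scanner code) of how a defender can check a page for this finding: it parses the HTML and reports password fields, plus fields whose names look like a card security code (a hypothetical heuristic), that are not covered by autocomplete="off" on either the field or its enclosing form. The sample markup is constructed for illustration.

```python
from html.parser import HTMLParser

# Hypothetical heuristic: field names that suggest a card security code.
SENSITIVE_NAME_HINTS = ("cvv", "cvc", "security_code")


class AutocompleteAuditor(HTMLParser):
    """Collects sensitive inputs left with browser autocomplete enabled."""

    def __init__(self):
        super().__init__()
        self._form_off = []   # stack: does the enclosing <form> set autocomplete="off"?
        self.findings = []    # names of sensitive inputs that are not protected

    def handle_starttag(self, tag, attrs):
        # Bare attributes (no value) arrive as None; normalise to lower-case strings.
        a = {k.lower(): (v or "").strip().lower() for k, v in attrs}
        if tag == "form":
            self._form_off.append(a.get("autocomplete") == "off")
        elif tag == "input":
            name = a.get("name") or a.get("id") or "<unnamed>"
            sensitive = a.get("type") == "password" or any(
                hint in name for hint in SENSITIVE_NAME_HINTS)
            field_off = a.get("autocomplete") == "off"
            form_off = bool(self._form_off) and self._form_off[-1]
            if sensitive and not (field_off or form_off):
                self.findings.append(name)

    def handle_endtag(self, tag):
        if tag == "form" and self._form_off:
            self._form_off.pop()


def audit(html: str) -> list:
    """Return the names of sensitive inputs that the browser may remember."""
    parser = AutocompleteAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample pages: the first reproduces the finding, the second fixes it.
VULNERABLE = """<form action="/login" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
<form action="/pay" method="post"><input type="text" name="cvv"></form>"""

HARDENED = """<form action="/login" method="post" autocomplete="off">
  <input type="text" name="user"><input type="password" name="pass">
</form>
<form action="/pay" method="post"><input type="text" name="cvv" autocomplete="off"></form>"""

if __name__ == "__main__":
    print("vulnerable:", audit(VULNERABLE))   # ['pass', 'cvv']
    print("hardened:", audit(HARDENED))       # []
```

Note that, as the MDN reference below documents, current browsers ignore autocomplete="off" for login fields as far as their built-in password manager is concerned, so the attribute chiefly stops ordinary form autofill of other sensitive fields.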

More Details

This feature can be enabled by the user as well as by applications that handle user credentials. When it is enabled, the credentials are stored locally by the browser, where an attacker with access to the client could retrieve them.

Reference

https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion
