Autocomplete and Remember Password Enabled

Last updated 5 years ago

Introduction

Autocomplete is enabled in one or more form fields that may contain sensitive information such as "username", "credit card" or "CVV". If autocompletion is not disabled, then when the user chooses to save the data entered in these fields, the browser caches it. An attacker who can access the victim's browser could steal this information. This is especially important if the application is commonly used on shared computers, such as in cyber cafes or at airport terminals.

How to Test

When you have a login page in your application, right-click on it and choose "Inspect Element", then point at either the username or the password field; the input element for that field is shown in the inspector. The screenshot below illustrates the issue.

From the above screenshot you can clearly see that the input has no autocomplete attribute. This is how you check for the autocomplete option.

How to Fix

Add the attribute autocomplete="off" to the form tag or to individual input fields. Find all inputs that store private data and disable autocomplete on them. Fields that hold data such as credit card numbers or CVV codes must not be cached. You can allow the application to cache usernames and remember passwords; however, in most cases this is not recommended.

Re-scan the application after addressing the identified issues to ensure all of the fixes have been applied properly.
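As an added example (not code from this page or from the referenced article), the Node.js script below automates the manual check above: it scans static HTML for sensitive inputs that lack autocomplete="off" either on the field itself or on the enclosing form. The sensitivity heuristic (field names matching user/login/email/pass/card/cvv/cvc/pin) and the sample markup are constructed assumptions.

```javascript
// Added example: find sensitive <input> fields that the browser may cache.
// Regex-based, for static markup only (forms built by client-side JavaScript
// are not seen). The name heuristic is an assumption, adjust it per application.
const SENSITIVE_NAME = /user|login|email|pass|card|cvv|ccv|cvc|pin/i;

// Parse the attributes of one tag body into a lowercase-keyed object.
function parseAttrs(tagBody) {
  const attrs = {};
  const re = /([a-zA-Z_:][-\w:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').toLowerCase();
  }
  return attrs;
}

// A field is sensitive if it is a password field or its name/id looks like one.
function isSensitive(attrs) {
  if (attrs.type === 'password') return true;
  return SENSITIVE_NAME.test(attrs.name || '') || SENSITIVE_NAME.test(attrs.id || '');
}

// Walk <form> and <input> tags in document order; report sensitive inputs
// that are not covered by autocomplete="off" on the field or its form.
function findCacheableFields(html) {
  const findings = [];
  const tagRe = /<(\/?)(form|input)\b([^>]*)>/gi;
  let formOff = false; // true while inside a <form autocomplete="off">
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, closing, tag, body] = m;
    const attrs = parseAttrs(body);
    if (tag.toLowerCase() === 'form') {
      formOff = closing ? false : attrs.autocomplete === 'off';
      continue;
    }
    if (closing || !isSensitive(attrs)) continue;
    if (attrs.autocomplete !== 'off' && !formOff) {
      findings.push({ field: attrs.name || attrs.id || '(unnamed)', type: attrs.type || 'text' });
    }
  }
  return findings;
}

// Constructed sample: a login form missing the attribute, next to a hardened payment form.
const SAMPLE_HTML = `
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
<form action="/pay" method="post" autocomplete="off">
  <input type="text" name="cardnumber">
  <input type="text" name="cvv">
</form>
<input type="text" name="search">`;

console.log(JSON.stringify(findCacheableFields(SAMPLE_HTML)));
```

Current browsers commonly ignore autocomplete="off" on login fields and still offer to save credentials, so the attribute reduces but does not eliminate caching of these values.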

References

https://www.valencynetworks.com/kb/how-to-disable-autocomplete.html