Password autocomplete in browser

You will probably find this issue during the manual browsing and spidering phase of your assessment, but Nessus will also report it during the scanning phase.

ZAP


Description

The Web form contains passwords or other sensitive text fields for which the browser auto-complete feature is enabled. Auto-complete stores completed form fields and passwords locally in the browser, so that these fields are filled automatically when the user visits the site again.

Sensitive data and passwords can be stolen if the user's system is compromised.

Note, however, that form auto-complete is a non-standard, browser-side feature that each browser handles differently. Opera, for example, disregards the feature, requiring the user to enter credentials for each Web site visit.

Solution

Turn off the AUTOCOMPLETE attribute in the form or in individual input elements containing passwords by using AUTOCOMPLETE='OFF'.


Nessus Output

Web Server Allows Password Auto-Completion
Plugin ID: 42057

Description

The remote web server contains at least one HTML form field that has an input of type 'password' where 'autocomplete' is not set to 'off'.
While this does not represent a risk to this web server per se, it does mean that users who use the affected forms may have their credentials saved in their browsers, which could in turn lead to a loss of confidentiality if any of them use a shared host or if their machine is compromised at some point.

Solution

Add the attribute 'autocomplete=off' to these fields to prevent browsers from caching credentials.
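Both the ZAP and Nessus findings above come down to the same check: a password input is reported unless autocomplete is "off" on the input itself or on its enclosing form. The script below is an added example written for this page, not ZAP's or Nessus's own code, that reproduces that check over a page's HTML with only the Python standard library, so you can verify a finding (or confirm a fix) during the manual browsing phase. The sample HTML and the form/field names in it are constructed for the example.

```python
"""Flag <input type="password"> fields that still permit browser autocomplete.

Added example, not ZAP's or Nessus's code. Mirrors the rule both tools
describe: a password input passes only if it carries autocomplete="off"
itself or inherits autocomplete="off" from its enclosing <form>.
"""
from html.parser import HTMLParser


class PasswordAutocompleteChecker(HTMLParser):
    """Collect password inputs whose autocomplete is not disabled."""

    def __init__(self):
        super().__init__()
        self.form_autocomplete_off = False   # state of the enclosing <form>
        self.form_label = None               # id/name/action of that form
        self.findings = []                   # (form, input name, reason)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; normalise values too.
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if tag == "form":
            self.form_autocomplete_off = a.get("autocomplete") == "off"
            self.form_label = (a.get("id") or a.get("name")
                               or a.get("action") or "<anonymous form>")
        elif tag == "input" and a.get("type") == "password":
            own = a.get("autocomplete")       # None when attribute is absent
            if own == "off" or (own is None and self.form_autocomplete_off):
                return                        # compliant with the tools' rule
            reason = ("autocomplete attribute missing" if own is None
                      else f'autocomplete="{own}"')
            self.findings.append((self.form_label or "<no form>",
                                  a.get("name", "?"), reason))

    def handle_endtag(self, tag):
        if tag == "form":                     # leaving the form resets inheritance
            self.form_autocomplete_off = False
            self.form_label = None


def find_autocomplete_password_fields(html):
    """Return a list of (form, field, reason) for each non-compliant field."""
    checker = PasswordAutocompleteChecker()
    checker.feed(html)
    checker.close()
    return checker.findings


# Constructed sample: one weak login form, one fixed at form level,
# one fixed at field level plus a field using a non-"off" token.
SAMPLE_HTML = """
<form id="login" action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="password">
</form>
<form id="login-fixed" action="/login" method="post" autocomplete="off">
  <input type="text" name="user">
  <input type="password" name="password">
</form>
<form id="reset" action="/reset" method="post">
  <input type="PASSWORD" name="old_password" autocomplete="off">
  <input type="password" name="new_password" autocomplete="new-password">
</form>
"""

if __name__ == "__main__":
    for form, field, reason in find_autocomplete_password_fields(SAMPLE_HTML):
        print(f"form={form!r} field={field!r}: {reason}")
```

Run it against a saved response body (for example the login page fetched through your intercepting proxy) to get the same two hits a scanner would report for the sample: the `login` form's password field, and the `new_password` field in `reset`. One caveat when prioritising this finding: current Chrome, Firefox and Edge ignore `autocomplete="off"` on password fields for their built-in password managers, so the attribute mainly affects older form-history caching, and the issue is generally rated low.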

References