Summary
Sensitive form field has not disabled autocomplete
OWASP A5 Security Misconfiguration
WASC-13 INFORMATION LEAKAGE
CVSS V3 Base: 3.7
CVSS V3 Temporal: 3.6
CVSS V3 Attack Vector: Network
Details
An HTML form that collects sensitive information does not prevent the browser from offering to save the entered values for later reuse. Autocomplete should be turned off for any input that takes sensitive information, such as a credit card number, a CVV2/CVC code or a U.S. social security number.
PoC
leantime 2.3.23
Payloads
#1 Request
POST https://leantime-selfhost.com/auth/login
Host: leantime-selfhost.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15
Accept: */*
Content-Type: application/x-www-form-urlencoded
#1 Response
The following password field(s) in the form do not set autocomplete="off":
(Field name: password, Field id: password)
Parent URL of form is: https://leantime-selfhost.com/auth/login?redirect=%2F.
Impact
If the browser runs in a shared computing environment where more than one person uses the same browser profile, the saved autocomplete values can be submitted by an unauthorized user who simply returns to the form.
Solution
Add the attribute autocomplete="off" to the form element (it is inherited by every control inside the form that does not set its own value) or to the individual input element. The attribute stops the browser from offering to save the entered form values for later reuse.

Note that most current browsers (Chrome, Firefox, Microsoft Edge, Internet Explorer and Opera) no longer honor autocomplete="off" on password input fields; their password managers still offer to save the credential. Autocomplete can still be disabled in the browser's own settings, which is the recommended control on a shared computer. Because disabling autocomplete for password fields is ultimately under the user's control, the application should at least enforce strong password rules so that a credential saved in a shared profile is not also a weak one.
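The check behind this finding can be reproduced offline with a small parser. The following Python is an added example written for this page; it is not the scanner's code and not part of Leantime. It walks the markup, applies a form-level autocomplete value to inputs that do not set their own, and flags password fields plus any input whose name suggests a card number, CVV/CVC code or SSN (the name hint list is an assumed heuristic). The three HTML snippets are constructed for the example: they mirror the field name and id reported above, not Leantime's actual login template.

```python
from html.parser import HTMLParser

# Substrings that mark an input as sensitive by name. Assumed heuristic for
# this example, not any scanner's real rule set.
SENSITIVE_NAME_HINTS = ("password", "passwd", "card", "cvv", "cvc", "ssn")

# Input types that never carry user-typed secrets and are skipped.
NON_DATA_TYPES = {"hidden", "submit", "button", "reset", "image", "checkbox", "radio"}


class AutocompleteAuditor(HTMLParser):
    """Collects (name, id) of sensitive inputs whose effective autocomplete is not 'off'.

    An <input> without its own autocomplete attribute inherits the value set on
    its enclosing <form>, so a form-level autocomplete="off" covers every control
    inside it unless an input overrides it.
    """

    def __init__(self):
        super().__init__()
        self.form_stack = []  # autocomplete values of currently open <form> elements
        self.findings = []    # (field name, field id) pairs that fail the check

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_stack.append(a.get("autocomplete", "").strip().lower())
            return
        if tag != "input":
            return
        itype = a.get("type", "text").lower()
        if itype in NON_DATA_TYPES:
            return
        name = a.get("name", "")
        sensitive = itype == "password" or any(h in name.lower() for h in SENSITIVE_NAME_HINTS)
        if not sensitive:
            return
        # The input's own attribute wins; otherwise fall back to the enclosing form.
        if "autocomplete" in a:
            effective = a["autocomplete"].strip().lower()
        elif self.form_stack:
            effective = self.form_stack[-1]
        else:
            effective = ""
        if effective != "off":
            self.findings.append((name, a.get("id", "")))

    def handle_endtag(self, tag):
        if tag == "form" and self.form_stack:
            self.form_stack.pop()


def audit(html):
    """Return (name, id) for every sensitive input that does not disable autocomplete."""
    parser = AutocompleteAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample markup using the field name/id from the finding; it is not
# Leantime's real template.
VULNERABLE_LOGIN = """
<form action="/auth/login" method="post">
  <input type="text" name="username" id="username">
  <input type="password" name="password" id="password">
  <input type="submit" value="Login">
</form>
"""

# Same form with the attribute on both the form and the password input.
HARDENED_LOGIN = """
<form action="/auth/login" method="post" autocomplete="off">
  <input type="text" name="username" id="username">
  <input type="password" name="password" id="password" autocomplete="off">
  <input type="submit" value="Login">
</form>
"""

# Form-level "off" covers the card number, but the CVV input overrides it.
PAYMENT_FORM = """
<form action="/checkout" method="post" autocomplete="off">
  <input type="text" name="cardnumber" id="cc">
  <input type="text" name="cvv" id="cvv" autocomplete="on">
</form>
"""

if __name__ == "__main__":
    for label, markup in (("vulnerable login", VULNERABLE_LOGIN),
                          ("hardened login", HARDENED_LOGIN),
                          ("payment", PAYMENT_FORM)):
        print(label, audit(markup))
```

Running the script over rendered templates in CI catches the misconfiguration before a scanner does. For the password field specifically, the result remains informational: as noted above, mainstream browsers ignore the attribute on password inputs, so the check is most useful for card, CVV and SSN fields.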