How to remediate – Password Field With Auto-Complete

1. Introduction

The Password Field With Auto-Complete vulnerability occurs when web applications do not disable browser auto-completion on password fields. This allows a user’s previously entered credentials to be automatically filled in by the browser, potentially exposing them to anyone with access to that computer. It mainly affects typical form-based web applications and could lead to compromise of confidentiality if an attacker gains physical access to a logged-in machine.

2. Technical Explanation

The root cause is that developers leave the browser’s default auto-complete behaviour enabled on password fields within HTML forms, so the browser stores the entered values and offers them for re-use. An attacker who gains access to a victim’s computer could then have the stored credentials automatically filled in when visiting the affected page. The Common Weakness Enumeration (CWE) identifier is CWE-16: Configuration.

  • Root cause: The `autocomplete` attribute is not set to `off` on login forms or their password fields.
  • Exploit mechanism: An attacker with access to a victim’s computer visits the affected web page, triggering auto-completion of username and/or password fields.
  • Scope: Web applications using standard HTML form elements without explicit auto-complete control.

3. Detection and Assessment

You can confirm this vulnerability by inspecting the HTML source code of login forms. A thorough method involves automated scanning tools.

  • Quick checks: View the page source in a browser (right click, ‘View Page Source’) and search for `type="password"`; for each match, check whether the `<input>` or its enclosing `<form>` carries `autocomplete="off"`.
  • Scanning: Burp Suite or OWASP ZAP can identify this issue using their built-in vulnerability scanners. Look for the “Autocomplete on Password Field” scan result.

4. Solution / Remediation Steps

To fix the issue, disable auto-complete on password fields within HTML forms. This can be done either at the form level or individually for each input field.

4.1 Preparation

  • Ensure you have access to modify the HTML source code of the affected pages, and back up the files first; the roll back plan is to restore that backup.
  • Change windows may be needed depending on your release process, and approval from security teams might be necessary.

4.2 Implementation

  1. Step 1: Add `autocomplete="off"` to the `<form>` tag for all login forms.
  2. Step 2: Alternatively, add `autocomplete="off"` to each password `<input>` tag within the form.

4.3 Config or Code Example

Before

<form>
  <input type="password" name="password">
</form>

After

<form autocomplete="off">
  <input type="password" name="password">
</form>

4.4 Security Practices Relevant to This Vulnerability

Several security practices can help prevent this issue. Least privilege reduces the impact of a successful exploit, and secure defaults minimise configuration errors. Input validation is also important.

  • Practice 1: Least Privilege – Limit user accounts’ access rights to reduce potential damage if credentials are compromised.
  • Practice 2: Secure Defaults – Configure systems with the most restrictive settings by default, disabling unnecessary features like auto-complete where possible.

4.5 Automation (Optional)

Automated code scanning tools can be used to identify and fix this issue across multiple applications.

# Example Bash snippet: list HTML files that contain a password input but no autocomplete attribute
find /path/to/web/files -name "*.html" -exec grep -qi 'type="password"' {} \; \
  ! -exec grep -qi 'autocomplete' {} \; -print
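The source-inspection check from section 3 and the file scan above, as an added example that is not part of the original article: a Python script (standard library only) that parses HTML, tracks the enclosing `<form>` tags and reports every password input that is still auto-completed, including an input whose own `autocomplete` value overrides a form-level `off`. The sample HTML is constructed for the demonstration.

```python
# Added example (not from the original article): a static check for the
# attribute this article recommends. Standard library only.
from html.parser import HTMLParser

class PasswordAutocompleteChecker(HTMLParser):
    def __init__(self):
        super().__init__()
        self.form_stack = []  # autocomplete value of each open <form>
        self.findings = []    # (line, field name, reason) per unprotected field

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        if tag == "form":
            self.form_stack.append(a.get("autocomplete"))
        elif tag == "input" and a.get("type") == "password":
            field = a.get("autocomplete")
            form = self.form_stack[-1] if self.form_stack else None
            if field == "off" or (field is None and form == "off"):
                return  # disabled on the input, or inherited from the form
            if field is not None:
                reason = f'input autocomplete="{field}" overrides the form setting'
            elif self.form_stack:
                reason = 'no autocomplete="off" on the input or its <form>'
            else:
                reason = "password input outside any <form> and no autocomplete"
            self.findings.append((self.getpos()[0], a.get("name", "<unnamed>"), reason))

    def handle_endtag(self, tag):
        if tag == "form" and self.form_stack:
            self.form_stack.pop()

def find_unprotected_password_fields(html):
    """Return [(line, name, reason)] for each password input still auto-completed."""
    checker = PasswordAutocompleteChecker()
    checker.feed(html)
    checker.close()
    return checker.findings

# Constructed sample: pw1 is unprotected, pw2 is fixed at form level,
# pw3 re-enables auto-complete on the input, pw4 is fixed at input level.
SAMPLE = """<html><body>
<form action="/login"><input type="password" name="pw1"></form>
<form action="/login" autocomplete="off"><input type="password" name="pw2"></form>
<form autocomplete="off"><input type="password" name="pw3" autocomplete="on"></form>
<input type="password" name="pw4" autocomplete="off">
</body></html>"""
if __name__ == "__main__":
    for line, name, reason in find_unprotected_password_fields(SAMPLE):
        print(f"line {line}: {name}: {reason}")
```

For real files, pass each file's contents to `find_unprotected_password_fields()`; a non-empty result can fail the pipeline job described in section 6.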

5. Verification / Validation

Confirm the fix by inspecting the updated HTML source code and re-running detection methods. A smoke test should verify normal login functionality remains intact.

  • Post-fix check: View the page source in a browser and confirm `<form autocomplete="off">` or `<input type="password" autocomplete="off">` is present.
  • Re-test: Re-run the scanner (Burp Suite, OWASP ZAP) to verify the vulnerability is no longer reported.
  • Smoke test: Log in with a valid user account to confirm login functionality works as expected.

6. Preventive Measures and Monitoring

Update security baselines to include this check, and add automated checks in your CI/CD pipelines. Regular patch reviews are also important.

  • Baselines: Update your web application security baseline to require disabling auto-complete on password fields.
  • Pipelines: Integrate SAST tools into your CI/CD pipeline to automatically scan for this vulnerability during code commits.
  • Asset and patch process: Implement a regular review cycle for web application configurations, including checking for insecure auto-complete settings.

7. Risks, Side Effects, and Roll Back

Disabling auto-complete may slightly reduce user convenience. If issues arise, restore the backed-up code to revert the changes.

  • Risk or side effect 1: Users might find it less convenient to re-enter credentials each time.
  • Risk or side effect 2: Browsers treat `autocomplete="off"` as a hint, and current versions of the major browsers ignore it on login password fields so that their built-in password manager keeps working. Treat this change as defence in depth and keep the practices in section 4.4 in place.
  • Roll back: Restore the original HTML files from your backup.

Updated on December 27, 2025