Web Server Allows Password Auto-Completion

low Nessus Plugin ID 42057

Language:

Synopsis

The 'autocomplete' attribute is not disabled on password fields.

Description

The remote web server contains at least one HTML form field that has an input of type 'password' where 'autocomplete' is not set to 'off'.

While this does not represent a risk to this web server per se, it does mean that users who use the affected forms may have their credentials saved in their browsers, which could in turn lead to a loss of confidentiality if any of them use a shared host or if their machine is compromised at some point.

Solution

Add the attribute 'autocomplete=off' to these fields to prevent browsers from caching credentials.

Plugin Details

Severity: Low

ID: 42057

File Name: www_autocomplete_passwords.nasl

Version: 1.11

Type: remote

Family: Web Servers

Published: 10/7/2009

Updated: 7/17/2023

Supported Sensors: Nessus

Detections

Analytics