
Security Test: Password Field Autocompletion

Scanner(s) Support

- GraphQL Scanner
- REST Scanner
- Frontend Scanner

Description

Default Severity:

Password field autocompletion occurs when browsers are allowed to automatically fill in password fields with previously stored credentials. While this feature improves user experience, it poses a security risk as stored credentials could be accessed by malicious scripts, browser extensions, or other users who gain access to the device. If an attacker can execute JavaScript on the page or access the browser's stored data, they may be able to extract these saved passwords. Additionally, shared computers or devices could expose sensitive credentials to unauthorized users. The risk is particularly high in environments where multiple users access the same device or where security policies require strict credential management.
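As an added example (not part of this page or of the scanner's own code), the following Node.js snippet performs the kind of check this finding describes: it scans an HTML document for password inputs whose autocomplete attribute leaves browser credential storage enabled. The sample form is constructed inline, and treating only "off" and "new-password" as non-flagged values is an assumption of this example.

```javascript
// Added example, not the scanner's implementation. Flags every
// <input type="password"> whose autocomplete attribute does not ask the
// browser to refrain from storing/filling the credential.
const SAFE_AUTOCOMPLETE = new Set(["off", "new-password"]); // assumption

// Parse the attributes of a single <input ...> tag into a lowercase-keyed map.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<input\b/i, "").replace(/\/?>$/, "");
  const re = /([a-zA-Z_:][-\w:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per password field that still allows autocompletion.
function findAutocompletablePasswordFields(html) {
  const findings = [];
  const inputRe = /<input\b[^>]*>/gi;
  let m;
  while ((m = inputRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[0]);
    if ((attrs.type || "text").toLowerCase() !== "password") continue;
    const ac = (attrs.autocomplete || "").trim().toLowerCase();
    if (!SAFE_AUTOCOMPLETE.has(ac)) {
      findings.push({ name: attrs.name || attrs.id || "(unnamed)", autocomplete: ac || null });
    }
  }
  return findings;
}

// Constructed sample page: one login form and one registration form.
const SAMPLE_HTML = `
<form action="/login" method="post">
  <input type="text" name="username" autocomplete="username">
  <input type="password" name="password">
</form>
<form action="/register" method="post">
  <input type='password' name='new_pw' autocomplete="new-password">
  <input type="PASSWORD" id="confirm_pw" autocomplete="on">
</form>
`;

// Expected: "password" (no attribute) and "confirm_pw" (autocomplete="on") are flagged.
console.log(JSON.stringify(findAutocompletablePasswordFields(SAMPLE_HTML), null, 2));
```

Current browsers commonly ignore autocomplete="off" on login fields and still offer to save credentials, so the attribute reduces but does not eliminate the exposure described above; "new-password" remains the reliable hint for fields where a fresh credential is entered.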

Reference:

Configuration

Identifier: frontend_information_disclosure/password_field_autocompletion

Examples

All configuration available:

checks:
  frontend_information_disclosure/password_field_autocompletion:
    skip: false # default

Compliance and Standards

Standard          Value
OWASP API Top 10  A07:2021
PCI DSS           8.2
GDPR              Article-32
SOC2              CC6
PSD2              Article-95
ISO 27001         A.9.4
NIST              IA-5
FedRAMP           IA-5
CWE               522
CVSS Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
CVSS Score        4.3