Information Disclosure: Password Field Autocompletion
Identifier:
password_field_autocompletion
Scanner(s) Support

| GraphQL Scanner | REST Scanner | WebApp Scanner |
|---|---|---|

Description
Password field autocompletion occurs when a page allows browsers to fill in password fields automatically with previously stored credentials. While this feature improves the user experience, it poses a security risk because stored credentials can be reached by malicious scripts, browser extensions, or other users who gain access to the device. If an attacker can execute JavaScript on the page or read the browser's stored data, they may be able to extract these saved passwords. Shared computers or devices can likewise expose sensitive credentials to unauthorized users. The risk is particularly high where multiple users access the same device or where security policies require strict credential management.
References:
- https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion
- https://www.w3.org/TR/WCAG21/#input-purposes
- https://html.spec.whatwg.org/multipage/forms.html#autofill
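The following is an added example, not code from this page or from the Escape scanner, showing what a static check for this finding has to consider: a password field's effective autocomplete setting is its own `autocomplete` attribute if present, otherwise the one inherited from the enclosing `<form>`, and per the WHATWG autofill tokens referenced above only `off` and `new-password` disable stored-credential fill (`current-password`, `on`, or no value leave it enabled). The tag tokenizer is a hypothetical regex-based one so the script runs in plain Node.js without an HTML parser; the sample pages are constructed for the example.

```javascript
// Added example (not Escape's scanner code): a minimal static check for
// password fields that still allow browser autocompletion. It tokenises
// <form> and <input> tags with a regex so it runs in plain Node.js; a real
// scanner would walk the DOM instead of pattern-matching the markup.

const TAG_RE = /<(\/?)(form|input)\b([^>]*)>/gi;
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

// Parse the attribute text of one tag into a lowercase-keyed object.
// Handles double-quoted, single-quoted and unquoted values, and tolerates
// a trailing "/" from self-closing syntax.
function parseAttributes(attrText) {
  const attrs = {};
  for (const m of attrText.replace(/\/\s*$/, '').matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').trim();
  }
  return attrs;
}

// Does an autocomplete value disable the browser's stored-credential fill?
// "off" and "new-password" (WHATWG autofill tokens) both do; anything else,
// including "current-password" or a missing value, leaves it enabled.
// The value may carry several space-separated tokens, e.g. "section-a new-password".
function autocompleteDisabled(value) {
  if (value === undefined) return false;
  const tokens = value.toLowerCase().split(/\s+/).filter(Boolean);
  return tokens.includes('off') || tokens.includes('new-password');
}

// Return one finding per <input type="password"> whose effective autocomplete
// setting (its own attribute, else that of the innermost open <form>) does
// not disable autofill.
function findAutocompletePasswordFields(html) {
  const findings = [];
  const formStack = []; // autocomplete value of each open <form>, innermost last
  for (const m of html.matchAll(TAG_RE)) {
    const [, closing, name, attrText] = m;
    if (name.toLowerCase() === 'form') {
      if (closing) formStack.pop();
      else formStack.push(parseAttributes(attrText).autocomplete);
      continue;
    }
    if (closing) continue;
    const attrs = parseAttributes(attrText);
    if ((attrs.type || '').toLowerCase() !== 'password') continue;
    const effective = attrs.autocomplete !== undefined
      ? attrs.autocomplete
      : formStack[formStack.length - 1];
    if (!autocompleteDisabled(effective)) {
      findings.push({
        field: attrs.name || attrs.id || '(unnamed)',
        autocomplete: effective === undefined ? null : effective,
      });
    }
  }
  return findings;
}

// Constructed sample pages (not taken from any real application).
const VULNERABLE_PAGE = `
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pw">
</form>`;

const HARDENED_PAGE = `
<form action="/login" method="post" autocomplete="off">
  <input type="text" name="user">
  <input type="password" name="pw">
</form>
<form action="/account/password" method="post">
  <input type="PASSWORD" name="new_pw" autocomplete="new-password" />
</form>`;

console.log('vulnerable:', findAutocompletePasswordFields(VULNERABLE_PAGE));
console.log('hardened:', findAutocompletePasswordFields(HARDENED_PAGE));
```

The hardened page produces no findings: the login form's `autocomplete="off"` is inherited by its password field, and the change-password field carries `new-password` itself. One caveat when triaging this finding: the MDN reference above notes that current browsers deliberately ignore `autocomplete="off"` on login fields and still offer to save or fill credentials, so the attribute is a defence-in-depth signal rather than a guarantee, and the underlying risk on shared devices is addressed by device and browser policy as much as by markup.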
Configuration

Example

Example configuration:

```yaml
---
security_tests:
  password_field_autocompletion:
    assets_allowed:
      - REST
      - GRAPHQL
      - WEBAPP
    skip: false
```
Reference

assets_allowed
Type: List[AssetType]
List of assets that this check will cover.

skip
Type: boolean
Skip the test if true.