Information Disclosure: Password Field Autocompletion
Identifier:
password_field_autocompletion
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
Description
Password field autocompletion lets the browser store credentials and fill password fields automatically. Stored or auto-filled credentials can then be read by malicious scripts running on the page, by browser extensions, or by other users of a shared device.
How we test: We analyze the HTML forms returned by the application and inspect the autocomplete attribute of every password input field. A field is reported if it does not carry autocomplete="off" or autocomplete="new-password", since those values instruct the browser not to store and auto-fill the credentials.
References:
- https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion
- https://www.w3.org/TR/WCAG21/#input-purposes
- https://html.spec.whatwg.org/multipage/forms.html#autofill
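The detection logic described above, as an added example that is not part of the scanner's own code: it parses HTML with Python's standard html.parser and reports every password input whose autocomplete attribute is missing or set to anything other than off / new-password. The sample page and the field names in it are constructed.

```python
from html.parser import HTMLParser

# Attribute values the check accepts as "autocompletion disabled" on a password field.
ACCEPTED_AUTOCOMPLETE = {"off", "new-password"}


class PasswordFieldAuditor(HTMLParser):
    """Collects every <input type="password"> together with its autocomplete value."""

    def __init__(self):
        super().__init__()
        self.fields = []  # list of (field name, autocomplete value or None)

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        # Valueless attributes arrive as None; normalise keys and values.
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("type", "text").lower() != "password":
            return
        autocomplete = attr.get("autocomplete")
        if autocomplete is not None:
            autocomplete = autocomplete.strip().lower()
        self.fields.append((attr.get("name", "<unnamed>"), autocomplete))


def find_autocomplete_findings(html):
    """Return the names of password fields whose autocomplete is not off/new-password."""
    auditor = PasswordFieldAuditor()
    auditor.feed(html)
    return [name for name, ac in auditor.fields if ac not in ACCEPTED_AUTOCOMPLETE]


# Constructed sample page: a login form without the attribute and a hardened
# password-change form; "current-password" is still reported by this check.
SAMPLE_HTML = """
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<form action="/change-password" method="post">
  <input type="PASSWORD" name="current" autocomplete="off">
  <input type="password" name="new" autocomplete="new-password">
  <input type="password" name="confirm" autocomplete="current-password">
</form>
"""

if __name__ == "__main__":
    for field in find_autocomplete_findings(SAMPLE_HTML):
        print(f"password field '{field}' allows browser autocompletion")
```

Running the block reports the fields `pass` and `confirm`; extend ACCEPTED_AUTOCOMPLETE if a deployment treats other autofill tokens as acceptable.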
Configuration
Example
Example configuration:
Reference
skip
Type: boolean
Skip the test if true.