Autocomplete Enabled

Overview of the Vulnerability

Browsers implement features such as autocomplete to offer form filling features for end users. Autocomplete is an HTML attribute that saves previously entered text within the input Document Object Model (DOM) fields. An attacker can leverage the cached input for this application locally to login as a user or expose critical pieces of data.

Business Impact

This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust.

Steps to Reproduce

Use a browser to navigate to: {{URL}}
Enter text within the input field and submit the form
Use Inspect from the developer tools to verify the input parameter has autocomplete=on
{{action}} to see the text saved into the input field

Proof of Concept (PoC)

The screenshots below demonstrate the autocomplete enabled:

Recommendation(s)

To limit the caching of sensitive data, it is recommended to adjust forms with sensitive input parameters to have autocomplete=off enabled.

PreviousAggressive Offline Caching NextAutocorrect Enabled

Last updated 1 year ago