Plaintext Password Field
Overview of the Vulnerability
The password field in the application's login form displays the password in plaintext as it is typed. An attacker with local access can shoulder surf, or otherwise tailgate a user, and watch them log in to the application. From there, the attacker could log in as that user to impersonate them or make requests on their behalf.
Business Impact
This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact on customers' trust.
Steps to Reproduce
Use a browser to navigate to: {{URL}}
Enter text within the password field
Use the Inspect tool to see that the input is shown in plaintext
{{screenshot}}
Proof of Concept (PoC)
The screenshots below demonstrate the password field rendering in plaintext:
{{screenshot}}
Recommendation(s)
The data entered into a password field should always be obscured, and it should be sent from the client to the server using transport layer encryption. While the typed characters should be obscured as the user types them, it is best practice to include a method for the user to toggle between viewing and hiding the password so that they can check that they have entered it correctly.
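As an added example (not part of the original report), the weak markup beside a hardened field with a user-controlled show/hide toggle, plus a small check a reviewer can run over rendered markup to flag password-like inputs that are not rendered with type="password". The element ids, the /login action and the sample markup are constructed assumptions.

```javascript
// Added example, not code from the original report. Sample markup is constructed.

// Weak markup: the password is rendered as plain text while typed.
const weakFormHtml = `
<form action="/login" method="post">
  <input name="username" autocomplete="username">
  <input name="password" type="text" autocomplete="current-password">
</form>`;

// Hardened markup: masked by default, with a toggle the user controls.
const hardenedFormHtml = `
<form action="/login" method="post">
  <input name="username" autocomplete="username">
  <input id="pw" name="password" type="password" autocomplete="current-password">
  <button type="button" id="pw-toggle" aria-pressed="false">Show password</button>
</form>`;

// Toggle logic: works on a real HTMLInputElement or any object with a
// `type` property. Returns the new type so the state can be checked.
function togglePasswordVisibility(input, button) {
  const showing = input.type === 'password';
  input.type = showing ? 'text' : 'password';
  if (button) {
    button.setAttribute('aria-pressed', String(showing));
    button.textContent = showing ? 'Hide password' : 'Show password';
  }
  return input.type;
}

// Check: list <input> tags that look like password fields (by name, id or
// autocomplete token) but are not type="password". A simple regex over
// markup is enough for a quick review of a rendered page.
function findUnmaskedPasswordFields(html) {
  const findings = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const attr = (name) => {
      const m = tag.match(new RegExp(`\\b${name}\\s*=\\s*["']([^"']*)["']`, 'i'));
      return m ? m[1].toLowerCase() : '';
    };
    const looksLikePassword =
      /pass/.test(attr('name') + attr('id')) || /password/.test(attr('autocomplete'));
    const type = attr('type') || 'text'; // an <input> without type defaults to text
    if (looksLikePassword && type !== 'password') findings.push(tag);
  }
  return findings;
}

// Browser wiring for the hardened markup (assumed ids):
// document.getElementById('pw-toggle').addEventListener('click', (e) =>
//   togglePasswordVisibility(document.getElementById('pw'), e.currentTarget));
```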