Return
-
Title
Security scan detects that autocompletion is allowed on password fields -
Description
Security scan reports that the
autocomplete="off"attribute is missing on password input fields.Web Server Allows Password Auto-Completion
The 'autocomplete' attribute is not disabled on password fields.
The remote web server contains at least one HTML form field that has an input of type 'password' where 'autocomplete' is not set to 'off'.
Example pages:
Page : /login/
Destination Page: /login/j_security_check
Page : /console/
Destination Page: /console/j_security_check
Page : /login/common/login.jsp
Destination Page: /login/common/j_security_check
Page : /console/common/login.jsp
Destination Page: /console/common/j_security_check
Page : /login/page
Destination Page: /login/j_security_check
Page : /console/page
Destination Page: /console/j_security_check -
Resolution
This is considered to be a false positive; Foglight includes the
autocomplete="off"attribute in the<form>HTTP elements but is it possible that some security scans are expecting the attribute on the<input>elements.When the attribute is configured in a
<form>element it applies to all the<input>elements within that form.For more information refer to HTML attribute: autocomplete and How to turn off form autocompletion.
Example:
