Uploaded image for project: 'OpenNMS'
  1. OpenNMS
  2. NMS-13983

[Web] - Password field with autocomplete enabled on Login page

    XMLWordPrintable

Details

    • 1
    • Horizon 22 - Jul 7 - Jul 21
    • NB

    Description

      Overview

      Browsers will sometimes ask a user if they wish to remember the password that they just entered. The browser will then store the password, and automatically enter it whenever the same authentication form is visited. This is a convenience for the user. Additionally some websites will offer custom "remember me" functionality to allow users to persist log ins on a specific client system.

      Having the browser store passwords is not only a convenience for end-users, but also for an attacker. If an attacker can gain access to the victim's browser (e.g. through a Cross Site Scripting attack, or through a shared computer), then they can retrieve the stored passwords. It is not uncommon for browsers to store these passwords in an easily retrievable manner, but even if the browser were to store the passwords encrypted and only retrievable through the use of a master password, an attacker could retrieve the password by visiting the target web application's authentication form, entering the victim's username, and letting the browser to enter the password.

      Browser URL

      https://onmspentest.eastus.cloudapp.azure.com/opennms/login.jsp

      Steps To Reproduce

      • While logging in, make sure you allow the browser to save the password.
      • Observe the login page upon logout and note that the current password field is already filled in with the saved password due to password autocomplete enabled.

      ![Snip20220205_449.png](https://api.cobalt.io/v1/attachments/att_XMcUzCE/preview)

      ![Snip20220205_452.png](https://api.cobalt.io/v1/attachments/att_WDyZfqI/preview)

      Suggested Fix

      • As a best practice, do not have Autocomplete enabled by default.
      • To prevent browsers from storing credentials entered into HTML forms, include the attribute autocomplete=" off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).
      • Please note that modern web browsers may ignore this directive. In spite of this, there is a chance that not disabling autocomplete may cause problems obtaining PCI compliance.

      Cobalt URL

      #PT9265_8

      Attachments

        Activity

          People

            lschreiber Lars Schreiber
            cobalt Cobalt IO
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: