Configuration Management / Password Field with Autocomplete Enabled

Web and API

Description

A password field with autocomplete enabled is a vulnerability related to Configuration Management (CWE-327). It occurs when the web application or API allows the browser to store user passwords locally, so that the browser autocompletes the password field the next time the user visits the page. This is a security risk because the stored passwords can be easily obtained by malicious actors. According to the OWASP Testing Guide, the test for this vulnerability is to check that autocomplete is disabled on password fields.

Risk

This vulnerability can be exploited by malicious actors to obtain user passwords, which can then be used to gain access to the system. According to the Common Vulnerability Scoring System (CVSS), this issue is rated medium risk with a score of 6.5.

Solution

The best solution to this vulnerability is to disable the autocomplete feature for password fields in the web application or API. This is done by adding the attribute autocomplete="off" to the password field. Additionally, server-side authentication should be enforced so that only authenticated users can access the system.
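As an added example (not code from the original page), the OWASP check from the Description and the autocomplete="off" fix from the Solution are combined into a small Python audit: it parses an HTML page, lists every password input, and reports whether autocomplete is disabled on the input itself or inherited from its enclosing form. The sample HTML is constructed here for illustration.

```python
from html.parser import HTMLParser

class PasswordAutocompleteAuditor(HTMLParser):
    """Records every <input type="password"> and whether autocomplete is disabled,
    either on the input itself or inherited from its enclosing <form>."""

    def __init__(self):
        super().__init__()
        self.form_stack = []  # autocomplete value of each open <form>, None if unset
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "").strip().lower() for k, v in attrs}
        if tag == "form":
            self.form_stack.append(a.get("autocomplete"))
        elif tag == "input" and a.get("type") == "password":
            own = a.get("autocomplete")
            inherited = self.form_stack[-1] if self.form_stack else None
            effective = own if own is not None else inherited
            self.findings.append({
                "field": a.get("name") or a.get("id") or "<unnamed>",
                "line": self.getpos()[0],
                "autocomplete": effective,
                "disabled": effective == "off",
            })

    def handle_endtag(self, tag):
        if tag == "form" and self.form_stack:
            self.form_stack.pop()

def audit(html):
    """One finding per password field; disabled=False means the page fails the check."""
    auditor = PasswordAutocompleteAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page: the first field fails, the other two pass.
SAMPLE_HTML = """
<form action="/login" method="post">
  <input type="password" name="pass">
</form>
<form action="/login2" method="post" autocomplete="off">
  <input type="password" name="pass2">
</form>
<form action="/change" method="post">
  <input type="password" name="newpass" autocomplete="off">
</form>
"""
```

Note that current browsers ignore autocomplete="off" on login password fields and still offer to save the credential, so the attribute satisfies the check above but does not on its own stop the browser from storing the password.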
