Rapid7 Vulnerability & Exploit Database

Autocomplete enabled for sensitive HTML form fields



Severity
3
CVSS
(AV:N/AC:H/Au:N/C:P/I:N/A:N)
Published
04/01/2011
Created
07/25/2018
Added
04/01/2011
Modified
10/01/2019

Description

The web form contains password fields or other sensitive text fields for which the browser auto-complete feature is enabled. Auto-complete stores completed form fields and passwords locally in the browser, so that these fields are filled in automatically when the user visits the site again.

Sensitive data and passwords can be stolen if the user's system is compromised.

Note, however, that form auto-complete is a non-standard, browser-side feature that each browser handles differently. Opera, for example, disregards the feature, requiring the user to enter credentials for each Web site visit.

Solution(s)

  • webspider-disable-autocomplete-form
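The following is an added example, not Rapid7's scanner code: a small check that parses an HTML snippet and reports sensitive fields (password inputs, or names that look like passwords, tokens or card numbers) that neither the field nor its enclosing form has marked `autocomplete="off"`. The sample HTML and the name pattern are constructed for the example.

```javascript
// Added example: find sensitive form fields that still allow browser auto-complete.
// Not Rapid7's code; the HTML below and the name heuristic are constructed for illustration.
const SENSITIVE_NAME = /pass|pwd|secret|token|card|cvv|ssn/i;

// Parse an attribute string such as ` type="password" name="pw"` into a
// lowercase-keyed object (values are lowercased for comparison).
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    const val = m[2] ?? m[3] ?? m[4] ?? "";
    attrs[m[1].toLowerCase()] = val.toLowerCase();
  }
  return attrs;
}

// Return one finding per sensitive <input> whose auto-complete is not disabled.
// A field-level autocomplete attribute wins; otherwise the <form> setting is inherited.
function findAutocompleteFindings(html) {
  const findings = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let form;
  while ((form = formRe.exec(html)) !== null) {
    const formAttrs = parseAttrs(form[1]);
    const formOff = formAttrs.autocomplete === "off";
    const inputRe = /<input\b([^>]*)>/gi;
    let input;
    while ((input = inputRe.exec(form[2])) !== null) {
      const a = parseAttrs(input[1]);
      const label = a.name || a.id || "(unnamed)";
      const sensitive = a.type === "password" || SENSITIVE_NAME.test(label);
      if (!sensitive) continue;
      const off = "autocomplete" in a ? a.autocomplete === "off" : formOff;
      if (!off) {
        findings.push({ form: formAttrs.id || formAttrs.action || "(form)", field: label, type: a.type || "text" });
      }
    }
  }
  return findings;
}

// Constructed sample: the login password and the checkout CVV field should be reported.
const SAMPLE_HTML = `
<form id="login" action="/login">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
<form id="checkout" autocomplete="off">
  <input type="text" name="card_number">
  <input type="text" name="cvv" autocomplete="on">
</form>
<form id="reset">
  <input type="password" name="new_password" autocomplete="off">
</form>`;

console.log(findAutocompleteFindings(SAMPLE_HTML));
```

Current browsers often ignore `autocomplete="off"` on login password fields in favour of their built-in password managers, so treat the attribute as a defence-in-depth control rather than a guarantee.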
