Autocomplete Enabled for Sensitive Fields

ID: html.autocomplete_enabled_for_sensitive_fields

Severity: high

Resource: Information Leak

Language: Html

Tags: CWE:522, NIST.SP.800-53, OWASP:2021:A4, PCI-DSS:6.5.4, PCI-DSS:6.5.6

Description

This rule identifies HTML input fields containing sensitive data (such as passwords, credit card numbers, or personal identification information) that have autocomplete enabled or lack the autocomplete="off" attribute. Browser autocomplete features cache form data locally, creating a significant security risk on shared or compromised devices.

Rationale

Autocomplete is a convenience feature that stores previously entered form data in the browser’s cache. While useful for benign information, it poses severe security risks for sensitive fields:

Shared Device Exposure: On public computers, kiosks, or shared workstations, autocomplete suggestions expose sensitive data to subsequent users who access the same form fields.

Malware Extraction: Malicious software can programmatically access browser autocomplete caches to harvest credentials, payment information, and personal data without user interaction.

Physical Device Access: If a device is lost, stolen, or temporarily unattended, anyone with physical access can view autocomplete suggestions by simply clicking on form fields.

Session Hijacking Risk: Autocomplete data persists across sessions, potentially exposing information long after a user believes they’ve logged out or cleared their session.

Consider the following code:

<input type="password" name="password" />

<input type="text" name="credit-card" placeholder="Card Number" />

<input type="text" name="ssn" placeholder="Social Security Number" />

<input type="text" name="account-number" />

These fields will store entered values in the browser’s autocomplete cache, making them accessible via:

  • Browser autocomplete dropdown menus

  • Browser settings/preferences interfaces

  • Malware scanning browser data stores

  • Forensic analysis tools on compromised devices

Remediation

Explicitly disable autocomplete for all sensitive input fields using the autocomplete="off" attribute. For enhanced security, consider using more specific autocomplete tokens as defined in the HTML specification.

Corrected Example:

<input type="password"
       name="password"
       autocomplete="off" />

<input type="text"
       name="credit-card"
       placeholder="Card Number"
       autocomplete="off"
       inputmode="numeric" />

<input type="text"
       name="ssn"
       placeholder="Social Security Number"
       autocomplete="off" />

<input type="text"
       name="account-number"
       autocomplete="off" />

Enhanced approach using specific autocomplete tokens:

<!-- Use specific tokens that don't trigger caching -->
<input type="password"
       name="current-password"
       autocomplete="current-password" />

<input type="text"
       name="cc-number"
       autocomplete="cc-number"
       inputmode="numeric" />

Important Notes:

  • Modern browsers may ignore autocomplete="off" for password fields to support password managers. For other sensitive data, such as credit card numbers or SSNs, the attribute is more reliably respected.

  • For password fields, consider using autocomplete="new-password" for registration forms and autocomplete="current-password" for login forms.
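As an added example (not the scanner's own implementation), a minimal Python check that applies this rule to a page: it flags sensitive inputs whose autocomplete attribute is missing or set to something other than "off" or one of the purpose tokens above, and it honours a form-level autocomplete="off", which the HTML specification applies to descendant fields that carry no autocomplete attribute of their own. The sensitivity heuristic, the accepted token set and the sample markup are assumptions constructed for this example.

```python
import re
from html.parser import HTMLParser

# Heuristic for "sensitive" fields (an assumption of this example, not the rule's
# own list): type="password" or a name/id/placeholder hinting at secrets.
SENSITIVE = re.compile(r"\b(passw|pwd|credit|card|cc-?num|ssn|social|account)", re.I)
# Values treated as an explicit decision: "off" or a purpose token the page recommends.
ACCEPTED = {"off", "current-password", "new-password", "cc-number"}

class _InputScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (line, name, autocomplete value or "<missing>")
        self._form_off = []  # stack: is the enclosing <form> autocomplete="off"?

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        token = a.get("autocomplete", "").strip().lower()
        if tag == "form":
            # Spec: form-level autocomplete="off" covers fields without their own attribute.
            self._form_off.append(token == "off")
        elif tag == "input":
            hint = " ".join(a.get(k, "") for k in ("name", "id", "placeholder"))
            if a.get("type", "text").lower() != "password" and not SENSITIVE.search(hint):
                return  # not a sensitive field
            inherited_off = not token and bool(self._form_off) and self._form_off[-1]
            if token not in ACCEPTED and not inherited_off:
                self.findings.append((self.getpos()[0], a.get("name", "?"), token or "<missing>"))

    def handle_endtag(self, tag):
        if tag == "form" and self._form_off:
            self._form_off.pop()

def scan_html(markup):
    scanner = _InputScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings  # [(line, name, autocomplete)] per flagged input

# Constructed sample: the page's vulnerable fields, two corrected ones, a
# non-sensitive field, and a field covered by form-level autocomplete="off".
SAMPLE = """<form>
<input type="password" name="password" />
<input type="text" name="credit-card" placeholder="Card Number" />
<input type="text" name="ssn" placeholder="Social Security Number" />
<input type="text" name="username" />
<input type="password" name="current-password" autocomplete="current-password" />
<input type="text" name="cc-number" autocomplete="cc-number" inputmode="numeric" />
</form>
<form autocomplete="off"><input type="text" name="account-number" /></form>"""
```

Running scan_html(SAMPLE) reports only the three uncorrected fields on lines 2 to 4; the username field, the two token-bearing fields and the field inside the autocomplete="off" form are not flagged.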