Html Form Autocomplete On Sensitive Data
Description
Detects HTML forms that allow browser autocomplete on sensitive input fields such as passwords, email addresses and telephone numbers. When autocomplete is enabled on such fields, the browser may store the values entered and offer them again to anyone who later uses the same browser profile, exposing the confidential data on shared devices.
Detection Strategy
• Review the HTML form elements in the codebase
• Flag every form whose form-level autocomplete attribute is not explicitly set to "off" (autocomplete != 'off')
• Within each flagged form, identify input fields of type password, email or telephone (type="tel") that do not themselves have autocomplete set to "off"
• Report one vulnerability for each sensitive input field that still allows autocomplete
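The four detection steps above, implemented as an added example (this is not Fluid Attacks' own scanner) on top of Python's standard html.parser; the audit_forms function and the SAMPLE markup are constructed for this illustration:

```python
from html.parser import HTMLParser

# Input types the rule treats as sensitive; "telephone" is type="tel" in HTML.
SENSITIVE_TYPES = {"password", "email", "tel"}


class AutocompleteAuditor(HTMLParser):
    """Walk an HTML document and record sensitive inputs that allow autocomplete."""

    def __init__(self):
        super().__init__()
        self.form_stack = []  # (action, form-level autocomplete is "off") per open <form>
        self.findings = []    # (form action, input name, input type)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "").strip().lower() for k, v in attrs}
        if tag == "form":
            # Step 2: remember whether this form disables autocomplete as a whole.
            self.form_stack.append((a.get("action", ""), a.get("autocomplete") == "off"))
            return
        if tag != "input" or not self.form_stack:
            return  # the rule only looks at inputs inside a form
        action, form_off = self.form_stack[-1]
        if form_off:
            return  # form-level autocomplete="off" covers every field in it
        kind = a.get("type", "text")  # a missing type attribute means a text input
        # Step 3/4: a sensitive field without its own autocomplete="off" is a finding.
        if kind in SENSITIVE_TYPES and a.get("autocomplete") != "off":
            self.findings.append((action, a.get("name", ""), kind))

    def handle_endtag(self, tag):
        if tag == "form" and self.form_stack:
            self.form_stack.pop()


def audit_forms(html: str):
    """Return one (action, name, type) tuple per sensitive field that allows autocomplete."""
    parser = AutocompleteAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a login form with no autocomplete controls, next to a
# hardened form that disables autocomplete at the form level.
SAMPLE = """
<form action="/login" method="POST">
  <input type="text" name="username" />
  <input type="password" name="password" />
  <input type="email" name="contact" autocomplete="off" />
</form>
<form action="/signup" method="POST" autocomplete="off">
  <input type="password" name="password" />
  <input type="tel" name="phone" />
</form>
"""

if __name__ == "__main__":
    for action, name, kind in audit_forms(SAMPLE):
        print(f"{action}: input '{name}' (type={kind}) allows autocomplete")
```

Only the /login password field is reported: the email field disables autocomplete itself and the /signup form disables it for all its fields. Note that current browsers largely ignore autocomplete="off" on password fields in favour of their built-in password managers, so treat this control as defence in depth rather than a guarantee.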
Vulnerable code example
<!DOCTYPE html>
<html>
<body>
<form action="/login" method="POST">
<label for="username">Username:</label>
<input type="text" id="username" name="username" /> <!-- Non-sensitive field, autocomplete acceptable -->
<label for="password">Password:</label>...
✅ Secure code example
<!DOCTYPE html>
<html>
<head>
<!-- Add security headers to prevent caching of sensitive data -->
<meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="0">
</head>...