We observed 3 pages which contained form elements that did not have autocomplete set to off:
/WebGoat/login
/WebGoat/HttpBasics.lesson.lesson
/WebGoat/CrossSiteScripting.lesson.lesson
Risk
Any <form> tags without the autocomplete attribute set to off allow user agents to automatically save user credentials. Even if individual fields have autocomplete disabled, it is a safer practice to cover the entire <form>.
Recommendation to fix this finding
Disabling autocomplete on form values is easy. All you have to do is add an autocomplete attribute
with a setting of off, as is shown in the password field of this example:
<form action="/login" method="POST">
<input type="text" name="username">
<input type="password" name="userpass" autocomplete="off">
</form>
However, to prevent Contrast from flagging the form, you should disable autocomplete on the entire <form>, as shown here:
<form action="/login" method="POST" autocomplete="off">
<input type="text" name="username">
<input type="password" name="userpass">
</form>
Trace UUID: P7M8-2H4O-S7L4-HT3R
https://apptwo.contrastsecurity.com/Contrast/static/ng/index.html#/f7ea7169-d4eb-42c4-b32e-5c0ea0ca9733/vulns/P7M8-2H4O-S7L4-HT3R/overview