Vulnerability Auto-complete is enabled for sensitive fields

Article ID: 209739

Products

CA Release Automation - Release Operations Center (Nolio)

Issue/Introduction

Hi Team,

Our security team reported a vulnerability in versions 6.6 & 6.7 around "Auto-complete is enabled for sensitive fields", and they are suggesting that we use auto-complete="off", with something like the configuration below:

<asp:TextBox ID="txtPswd" TabIndex="3" runat="server" Width="150px" CssClass="bdr" MaxLength="15" TextMode="New_Password" autocomplete="off" AutoCompleteType="disabled" ReadOnly onfocus="this.removeAttribute('readonly');"></asp:TextBox>

Kindly help us to resolve the same.

Environment

Release : 6.6, 6.7

Component : CA RELEASE AUTOMATION CORE

Resolution

RA security experts reviewed the reported vulnerability, i.e. "Auto-completion of sensitive fields (Login Page)", and rejected it as a false alert on the product side. The reasons for the rejection are:

 - AutoCompleteType="disabled" - this property exists only for ASP.NET pages; we do not use that technology in our web application.
 - ReadOnly onfocus="this.removeAttribute('readonly');" - this does not affect the browser's offer to autofill a saved password.

There is only one HTML attribute, "autocomplete", that can be used to ask the browser not to auto-fill the password field.

The screenshot shows the browser's save-password utility. This feature should be managed and disabled by administrators who maintain the browser configuration at the system level.
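As an added example (not part of this article or of the product), a small Python audit that scans form markup for password fields and reports which of the attributes discussed above would actually apply. The sample markup reuses the asp:TextBox from the issue and adds two hypothetical plain HTML inputs for comparison; the note strings are this example's own wording.

```python
from html.parser import HTMLParser

# Constructed sample: the asp:TextBox from the issue above, plus two plain HTML
# inputs (hypothetical) so that three different outcomes can be compared.
SAMPLE_MARKUP = """
<asp:TextBox ID="txtPswd" TabIndex="3" runat="server" Width="150px" CssClass="bdr"
  MaxLength="15" TextMode="New_Password" autocomplete="off" AutoCompleteType="disabled"
  ReadOnly onfocus="this.removeAttribute('readonly');"></asp:TextBox>
<input type="password" name="pwd" autocomplete="new-password">
<input type="password" name="legacy" AutoCompleteType="disabled">
"""

ASP_ONLY = "AutoCompleteType is an ASP.NET server-control property; browsers ignore it"
READONLY_TRICK = "readonly/onfocus trick does not stop the browser offering a saved password"
HINT_PRESENT = "html autocomplete hint present (advisory; browsers may still offer saved passwords)"
HINT_MISSING = "no html autocomplete attribute on a password field"


class SensitiveFieldAuditor(HTMLParser):
    """Collect password fields and note which autocomplete controls actually apply."""

    def __init__(self):
        super().__init__()
        self.findings = {}  # field id/name -> list of notes, in document order

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases attribute names; bare attributes (ReadOnly) have value None
        a = {k: (v or "") for k, v in attrs}
        is_password = (tag == "input" and a.get("type", "").lower() == "password") or \
            "password" in a.get("textmode", "").lower()   # ASP.NET TextMode="Password"
        if not is_password:
            return
        notes = []
        if a.get("autocomplete", "").lower() in ("off", "new-password"):
            notes.append(HINT_PRESENT)
        else:
            notes.append(HINT_MISSING)
        if "autocompletetype" in a:
            notes.append(ASP_ONLY)
        if "readonly" in a and "removeattribute('readonly')" in a.get("onfocus", "").lower():
            notes.append(READONLY_TRICK)
        self.findings[a.get("id") or a.get("name") or "<unnamed>"] = notes


def audit(markup):
    """Return {field: [notes]} for every password field found in the markup."""
    auditor = SensitiveFieldAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for field, notes in audit(SAMPLE_MARKUP).items():
        print(field, notes)
```

Run against the product's own login templates, the report separates the one attribute browsers honour from the two that only look like controls, which is what the rejection above hinges on.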