Vulnerability Auto-complete is enabled for sensitive fields

book

Article ID: 209739

calendar_today

Updated On:

Products

CA Release Automation - Release Operations Center (Nolio)

Issue/Introduction

Hi Team,

Our security team reported a vulnerability in 6.6 & 6.7 version which is around "Auto-complete is enabled for sensitive fields" and they are suggesting to use auto-complete="off" something like below configuration

<asp:TextBox ID="txtPswd" TabIndex="3" runat="server" Width="150px" CssClass="bdr" MaxLength="15" TextMode="New_Password" autocomplete="off" AutoCompleteType="disabled" ReadOnly onfocus="this.removeAttribute('readonly');"></asp:TextBox>

Kindly help us to resolve the same.

Environment

Release : 6.6, 6.7

Component : CA RELEASE AUTOMATION CORE

Resolution

RA security experts reviewed the vulnerability reported and they rejects the vulnerability i.e. "Auto-completion of sensitive fields (Login Page)" as a false alert at product end. Please find the cause for rejection.

- AutoCompleteType="disabled" - this property only for ASP pages, we don't use this technology in our web application.

- ReadOnly onfocus="this.removeAttribute('readonly'); - it does not affect offers from browser to autocomplete saved password.

There is only one html attribute "autocomplete" that we can use for disable auto-filling password field from the browser side:

https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion#the_autocomplete_attribute_and_login_fields

The screen shot, is the one which is from browser save password utility. This features should be managed and disabled by administrators maintaining browser configuration at system level.

Feedback

thumb_up Yes

thumb_down No