Web Server allows Auto-Completion - Can this be disabled?

Article ID: 260004

Products

CA Spectrum
Issue/Introduction

Penetration Test Found: 'Web Server Allows Password Auto-Completion'

Instance Detail:
The 'autocomplete' attribute is not disabled on password fields. Add the attribute 'autocomplete=off' to these fields to prevent browsers from caching credentials.

        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" prefix="localhost_access_log." suffix=".txt"
               pattern="%l %u %t %r %s %b %D" resolveHosts="false"></Valve>
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" showServerInfo="false"></Valve>
      </Host>
    </Engine>
    <Connector port="8443" address="xx.xx.xx.xx"
               enableLookups="true"
               autocomplete="off"
               disableUploadTimeout="true" tcpNoDelay="true" acceptCount="100"
               scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
               ciphers="TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
               keystoreFile="/spectrum/custom/keystore/cacerts" keystorePass="Nocnesm4"></Connector>
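To confirm the finding is actually cleared on the pages the server serves, this added example (not code from the article or from CA Spectrum) walks a login page's HTML and lists every password field whose effective autocomplete setting is not "off", taking form-level inheritance into account; the sample page it scans is constructed.

```python
"""Find password fields that still allow browser auto-completion.
Added example, not CA/Broadcom code. It applies the rule behind the finding
above: each <input type="password"> needs autocomplete="off" itself or from an
enclosing <form autocomplete="off">, which the HTML spec lets it inherit."""
from html.parser import HTMLParser


class PasswordFieldChecker(HTMLParser):
    def __init__(self):
        super().__init__()
        self.form_stack = []   # autocomplete value of each open <form>
        self.findings = []     # (field name, effective autocomplete value)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip().lower() for k, v in attrs}  # names already lowercased
        if tag == "form":
            self.form_stack.append(a.get("autocomplete", ""))
        elif tag == "input" and a.get("type", "text") == "password":
            inherited = self.form_stack[-1] if self.form_stack else ""
            effective = a.get("autocomplete") or inherited or "on"  # browser default is on
            if effective != "off":
                self.findings.append((a.get("name", "<unnamed>"), effective))

    def handle_endtag(self, tag):
        if tag == "form" and self.form_stack:
            self.form_stack.pop()


def find_autocomplete_password_fields(html):
    """Return [(name, effective value)] for every password field not set to off."""
    checker = PasswordFieldChecker()
    checker.feed(html)
    checker.close()
    return checker.findings


# Constructed sample login page: one compliant form and one with two findings.
SAMPLE_HTML = """<form action="/login" autocomplete="off">
  <input type="text" name="user">
  <input type="password" name="pass1">                     <!-- inherits off -->
</form>
<form action="/reset">
  <input type="PASSWORD" name="pass2" autocomplete="off">  <!-- explicit off -->
  <input type="password" name="pass3">                     <!-- defaults to on -->
  <input type="password" name="pass4" autocomplete="current-password">
</form>
"""
```

Feed it the HTML fetched from the Spectrum web login page after the change; an empty result means a scanner applying this rule will no longer flag the field.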

Environment

Release : 22.2

Cause

Various penetration testing utilities flag this finding.

Resolution

This only prevents the browser from auto-completing passwords and various other fields on the web pages the server serves.

This will have no effect on the functionality of the DX NetOps Spectrum product.