The application has a form that submits sensitive information to the server. Neither the <form> tag nor the sensitive <input> fields have autocomplete attribute disabled.
Recommendation
Disabling AUTOCOMPLETE form values is easy. All you have to do is add an AUTOCOMPLETE attribute with a setting of OFF, as is shown in the password field of this example:
<form action="/login" "method="POST">
<input type="text" name="username">
<input type="password" name="userpass" autocomplete="off">
</form>
You can also disable AUTOCOMPLETE on an entire <form>:
<form action="/login" "method="POST" autocomplete="off">
<input type="text" name="username">
<input type="password" name="userpass">
</form>
First Event
(no event)
Last Event
(no event)
HTTP Request
GET http://localhost:8080/WebGoat/login HTTP/1.0
Accept-Language: en-US,en;q=0.5
Cookie: JSESSIONID=B73327F913BCE80911DBC6731850CABE; AJS.conglomerate.cookie="|config.sidebar.planNavigator.expanded=true|tabContainer.tabContainer.selectedTab=Capabilities|tabContainer.remote-agents-tabs.selectedTab=Online remote agents"; language=en
Host: localhost:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Vulnerability ID: NQAI-OB9N-Z1TW-RCXN
Application Name: WebGoat
Vulnerability Link: http://localhost:19080/Contrast/static/ng/index.html#/7c6cfec5-a187-4d5e-984a-d11d96d2ef63/applications/1f21baa2-741d-47df-a8ea-89ea70b18615/vulns/NQAI-OB9N-Z1TW-RCXN
What Happened?
We observed a page which contained form elements that did not have autocomplete set to off:
/WebGoat/login
<section id="main-content"> <br /><br /> <form method="POST" style="width: 200px;" action="/WebGoat/login"> <div class="form-group"> <label for="exampleInputEmail1">Userna
What's the risk?
The application has a form that submits sensitive information to the server. Neither the <form> tag nor the sensitive <input> fields have autocomplete attribute disabled.
Recommendation
Disabling AUTOCOMPLETE form values is easy. All you have to do is add an AUTOCOMPLETE attribute with a setting of OFF, as is shown in the password field of this example: <form action="/login" "method="POST"> <input type="text" name="username"> <input type="password" name="userpass" autocomplete="off"> </form>
You can also disable AUTOCOMPLETE on an entire <form>: <form action="/login" "method="POST" autocomplete="off"> <input type="text" name="username"> <input type="password" name="userpass"> </form>
First Event
(no event)Last Event
(no event)HTTP Request
GET http://localhost:8080/WebGoat/login HTTP/1.0 Accept-Language: en-US,en;q=0.5 Cookie: JSESSIONID=B73327F913BCE80911DBC6731850CABE; AJS.conglomerate.cookie="|config.sidebar.planNavigator.expanded=true|tabContainer.tabContainer.selectedTab=Capabilities|tabContainer.remote-agents-tabs.selectedTab=Online remote agents"; language=en Host: localhost:8080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0 Upgrade-Insecure-Requests: 1 Connection: keep-alive Accept-Encoding: gzip, deflate Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
References
https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management