Security issues after Pen test -Password field with autocomplete enabled

Question

Replies

766

Views

NagarajP0101

Member since 2017

54 posts

ING Belgium SA NV

Posted: February 1, 2018

Last activity: February 5, 2018

Posted: 1 Feb 2018 8:32 EST
Last activity: 5 Feb 2018 5:48 EST

Closed

Solved

Security issues after Pen test -Password field with autocomplete enabled

Hi,

Please find details for security issue during Pen test,

Description : Password field with autocomplete enabled.

Mitigation step :
"To prevent browsers from storing credentials entered into HTML forms, include the attribute autocomplete=""off"" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).
Please note that modern web browsers may ignore this directive. In spite of this there is a chance that not disabling autocomplete may cause problems obtaining PCI compliance."

i checked the pdn for the same, but didnt get find anything.

Is it something that i can set the autocomplete attribute globally or any DASS settings? could you please advise on this?

DevOps

Moderation Team has archived post,

This thread is closed to future replies. Content and links will no longer be updated. If you have the same/similar Question, please write a new Question.

Posted: 3 years ago

Posted: 2 Feb 2018 3:59 EST

Adithya1

PEGA

replied to NagarajP0101

Hi,

To disable autocomplete on login screen, we have customize the web-login html rule.

Please follow this PDN article to customize login screen.

https://docs.pega.com/customizing-pega-7-login-screen

See this form tag in the web-login html which already has autocomplete="off" in it.

Ideally, the browser must not automatically complete entries/fields if we have this setting in form tag.

See https://www.w3schools.com/tags/att_form_autocomplete.asp

Even in my local, I am seeing that browser is still auto completing password/username field ignoring the autocomplete="off" setting in form field.

See below article which mentions that most of the modern browsers are ignoring this setting suggesting to use other setting which is autocomplete="new-password"

https://github.com/mailwatch/MailWatch/issues/383

https://stackoverflow.com/questions/12374442/chrome-ignores-autocomplete-off

Please customize the login screen by customizing the web-login html rule to solve the purpose.

This is nothing to do with any system setting or DSS. You have to customize the login screen.

Thank you,

Adithya

Posted: 3 years ago

Posted: 2 Feb 2018 5:40 EST

Ponnurangam

Tata Consultancy services

replied to Adithya1

Hi Adithya,

Thanks for your reply. As I don't have any HTML hands on experience, not sure were I could add the HTML tag,

<div id="credentials">

                        <div class="field user">

                            <label><span class="screen-reader-text"><pega:lookup property="pxRequestor.pyCaption" value="User Name" /></span></label>

                            <input id="txtUserID" class="inputBox" type="text" placeholder='<pega:lookup property="pxRequestor.pyCaption" value="User Name" />' name="UserIdentifier" value="" size="20" maxlength="128" tabIndex=1 />

                        </div>

                        <div class="field password">

                            <label><span class="screen-reader-text"><pega:lookup property="pxRequestor.pyCaption" value="Password" /></span></label>

                            <input id="txtPassword" class="inputBox" type="password" placeholder='<pega:lookup property="pxRequestor.pyCaption" value="Password" />' name="Password" value="" size="20" tabIndex=2 />

                        </div>

Hi Adithya,

Thanks for your reply. As I don't have any HTML hands on experience, not sure were I could add the HTML tag,

could you please advise where could I plug "<form action="/action_page.php" method="get" autocomplete="on">" in web-login section? It is because trial and error affects the productivity of other developers.

Also, advise how would I revert the changes if anything goes wrong in worst case?

Show Less

Accepted Solution

Posted: 3 years ago

Posted: 5 Feb 2018 5:12 EST

Adithya1

PEGA

replied to NagarajP0101

Hi,

You have to change the autocomplete value to "new-password" in the form tag of login screen(OOTB login screen that comes with Pega is web-Login)

In OOTB web-login, we have to change this tag,

<form name="main" method="post" onSubmit="return sendLoginRequestForm(event);" action="<pega:reference name="pxThread.pxReqURI" mode="normal" />" target="_top" novalidate="novalidate" autocomplete="off" >

If you are using custom login page or custom html rule for login page, change the value of autocomplete attribute in the form tag of the html code.

see https://www.tutorialspoint.com/html/html_form_tag.htm

Posted: 3 years ago

Posted: 5 Feb 2018 5:48 EST

NagarajP0101

ING Belgium SA NV

replied to Adithya1

Thanks :) I will implement the same

Get Started with Community

Question

Security issues after Pen test -Password field with autocomplete enabled

About Pegasystems

Question

Security issues after Pen test -Password field with autocomplete enabled

Related content:

About Pegasystems

We'd prefer it if you saw us at our best.