Bug #96 (closed)
Parent: Feature #65: Security Audit
[Security Audit] 31 - Username and Password field with auto-complete
Description
31 - Username and Password field with auto-complete
CWE: CWE-16
Description:
The web form contains password and other sensitive text fields for which the browser auto-complete feature is enabled. Auto-complete stores completed form field values and passwords locally in the browser, so that these fields are filled in automatically when the user visits the site again.
Affected Path(s):
https://earogya.satragroup.in/login * - Applicable to the entire application
Impact:
Data entered in these fields will be cached by the browser. An attacker who can access the victim's browser could steal this information.
Recommendation:
The autocomplete value can be configured in two different locations.
The first and most secure location is to disable the autocomplete attribute on the "form" HTML tag. This disables autocomplete for all inputs within that form. An example of disabling autocomplete within the form tag is:
<form autocomplete="off">
The second, slightly less desirable option is to disable the autocomplete attribute for a specific "input" HTML tag. While this is the less desired solution from a security perspective, it may be the preferred method for usability reasons, depending on the size of the form. An example of disabling the autocomplete attribute within a password input tag is:
<input type="password" autocomplete="off">
Evidence/Proof Of Concept:
Step 1: It was observed that autocomplete="off" was not implemented in the username field, as shown in the screenshot below.
Step 2: It was observed that autocomplete="off" was not implemented in the password fields, as shown in the screenshot below.
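The check the auditor performed, as an added example that is not part of the original finding: a small static scan of login-form markup that reports username and password inputs whose autocomplete is still enabled, applying the recommendation's rule that autocomplete="off" on the form covers every input, and otherwise must be set on each sensitive input. The HTML strings are constructed for the example; the sensitive-field heuristic (type="password" or a name containing user/login/email) is an assumption.

```javascript
// Added example (not from the original audit report): static scan of form
// markup for sensitive inputs with browser autocomplete still enabled.
// Regex-based, intended for small HTML snippets, not a full HTML parser.

const TAG_RE = /<(\/?)(form|input)\b([^>]*)>/gi;

// Read one attribute value (quoted or bare) from a tag's attribute string.
function attr(attrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]).trim().toLowerCase() : null;
}

// Returns the names of sensitive inputs (password fields, and fields whose
// name suggests a username; assumed heuristic) for which neither the
// enclosing <form> nor the <input> itself disables autocomplete.
function findAutocompleteGaps(html) {
  const gaps = [];
  let formOff = false; // true while inside a <form autocomplete="off">
  for (const m of html.matchAll(TAG_RE)) {
    const [, closing, tag, attrs] = m;
    if (tag.toLowerCase() === 'form') {
      formOff = closing ? false : attr(attrs, 'autocomplete') === 'off';
      continue;
    }
    if (closing) continue;
    const type = attr(attrs, 'type') || 'text';
    const name = attr(attrs, 'name') || '(unnamed)';
    const sensitive = type === 'password' || /user|login|email/.test(name);
    if (!sensitive) continue;
    if (!formOff && attr(attrs, 'autocomplete') !== 'off') gaps.push(name);
  }
  return gaps;
}

// Constructed markup: the login form as reported, beside the hardened form.
const weakForm = `<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
</form>`;
const hardenedForm = `<form action="/login" method="post" autocomplete="off">
  <input type="text" name="username">
  <input type="password" name="password">
</form>`;

console.log(findAutocompleteGaps(weakForm));     // [ 'username', 'password' ]
console.log(findAutocompleteGaps(hardenedForm)); // []
```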
Updated by Karthik Daram about 1 year ago
- Status changed from New to In Progress
- Assignee set to Karthik Daram
Updated by Karthik Daram about 1 year ago
- Assignee changed from Karthik Daram to Uma Maheswarachari Melpati
Updated by Uma Maheswarachari Melpati 12 months ago
- Status changed from In Progress to Resolved