Question
ING Belgium SA NV
BE
Last activity: 5 Feb 2018 5:48 EST
Security issues after Pen test -Password field with autocomplete enabled
Hi,
Please find details for security issue during Pen test,
Description : Password field with autocomplete enabled.
Mitigation step :
"To prevent browsers from storing credentials entered into HTML forms, include the attribute autocomplete=""off"" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).
Please note that modern web browsers may ignore this directive. In spite of this there is a chance that not disabling autocomplete may cause problems obtaining PCI compliance."
i checked the pdn for the same, but didnt get find anything.
Is it something that i can set the autocomplete attribute globally or any DASS settings? could you please advise on this?
Accepted Solution
Pegasystems Inc.
IN
Hi,
You have to change the autocomplete value to "new-password" in the form tag of login screen(OOTB login screen that comes with Pega is web-Login)
In OOTB web-login, we have to change this tag,
<form name="main" method="post" onSubmit="return sendLoginRequestForm(event);" action="<pega:reference name="pxThread.pxReqURI" mode="normal" />" target="_top" novalidate="novalidate" autocomplete="off" >
to
<form name="main" method="post" onSubmit="return sendLoginRequestForm(event);" action="<pega:reference name="pxThread.pxReqURI" mode="normal" />" target="_top" novalidate="novalidate" autocomplete="new-password" >
If you are using custom login page or custom html rule for login page, change the value of autocomplete attribute in the form tag of the html code.
see https://www.tutorialspoint.com/html/html_form_tag.htm
Pegasystems Inc.
IN
Hi,
To disable autocomplete on login screen, we have customize the web-login html rule.
Please follow this PDN article to customize login screen.
https://docs-previous.pega.com/customizing-pega-7-login-screen
See this form tag in the web-login html which already has autocomplete="off" in it.
Ideally, the browser must not automatically complete entries/fields if we have this setting in form tag.
See https://www.w3schools.com/tags/att_form_autocomplete.asp
Even in my local, I am seeing that browser is still auto completing password/username field ignoring the autocomplete="off" setting in form field.
See below article which mentions that most of the modern browsers are ignoring this setting suggesting to use other setting which is autocomplete="new-password"
https://github.com/mailwatch/MailWatch/issues/383
https://stackoverflow.com/questions/12374442/chrome-ignores-autocomplete-off
Please customize the login screen by customizing the web-login html rule to solve the purpose.
This is nothing to do with any system setting or DSS. You have to customize the login screen.
Thank you,
Adithya
Ernst & Young
LU
Hi Adithya,
Thanks for your reply. As I don't have any HTML hands on experience, not sure were I could add the HTML tag,
<div id="credentials">
<div class="field user">
<label><span class="screen-reader-text"><pega:lookup property="pxRequestor.pyCaption" value="User Name" /></span></label>
<input id="txtUserID" class="inputBox" type="text" placeholder='<pega:lookup property="pxRequestor.pyCaption" value="User Name" />' name="UserIdentifier" value="" size="20" maxlength="128" tabIndex=1 />
</div>
<div class="field password">
<label><span class="screen-reader-text"><pega:lookup property="pxRequestor.pyCaption" value="Password" /></span></label>
<input id="txtPassword" class="inputBox" type="password" placeholder='<pega:lookup property="pxRequestor.pyCaption" value="Password" />' name="Password" value="" size="20" tabIndex=2 />
</div>
Hi Adithya,
Thanks for your reply. As I don't have any HTML hands on experience, not sure were I could add the HTML tag,
<div id="credentials">
<div class="field user">
<label><span class="screen-reader-text"><pega:lookup property="pxRequestor.pyCaption" value="User Name" /></span></label>
<input id="txtUserID" class="inputBox" type="text" placeholder='<pega:lookup property="pxRequestor.pyCaption" value="User Name" />' name="UserIdentifier" value="" size="20" maxlength="128" tabIndex=1 />
</div>
<div class="field password">
<label><span class="screen-reader-text"><pega:lookup property="pxRequestor.pyCaption" value="Password" /></span></label>
<input id="txtPassword" class="inputBox" type="password" placeholder='<pega:lookup property="pxRequestor.pyCaption" value="Password" />' name="Password" value="" size="20" tabIndex=2 />
</div>
could you please advise where could I plug "<form action="/action_page.php" method="get" autocomplete="on">" in web-login section? It is because trial and error affects the productivity of other developers.
Also, advise how would I revert the changes if anything goes wrong in worst case?
Accepted Solution
Pegasystems Inc.
IN
Hi,
You have to change the autocomplete value to "new-password" in the form tag of login screen(OOTB login screen that comes with Pega is web-Login)
In OOTB web-login, we have to change this tag,
<form name="main" method="post" onSubmit="return sendLoginRequestForm(event);" action="<pega:reference name="pxThread.pxReqURI" mode="normal" />" target="_top" novalidate="novalidate" autocomplete="off" >
to
<form name="main" method="post" onSubmit="return sendLoginRequestForm(event);" action="<pega:reference name="pxThread.pxReqURI" mode="normal" />" target="_top" novalidate="novalidate" autocomplete="new-password" >
If you are using custom login page or custom html rule for login page, change the value of autocomplete attribute in the form tag of the html code.
see https://www.tutorialspoint.com/html/html_form_tag.htm