Annual pentest finding (2021) - Autocomplete Enabled
• https://gitlab.com/users/password/new (user_email)
• https://gitlab.com/users/sign_in (user_login)
• https://gitlab.com/users/sign_in (user_password)
• https://gitlab.com/users/sign_up (new_user_first_name)
• https://gitlab.com/users/sign_up (new_user_last_name)
• https://gitlab.com/users/sign_up (new_user_username)
• https://gitlab.com/users/sign_up (new_user_email)
• https://gitlab.com/users/sign_up (new_user_password)
• https://gitlab.com/users/confirmation/new (user_email)
• https://gitlab.com/groups/new#import-group-pane (bulk_import_gitlab_access_token)
Sensitive data such as usernames, passwords, and access tokens could be retrieved locally via the browser’s history if the local user’s system is compromised.
The autocomplete function, implemented by many popular browsers, lets a user store form field values so that the browser can automatically populate the same fields of a form later. Although this feature is a convenience for users of the application, it creates a security risk: sensitive user data such as usernames, passwords, and access tokens is stored locally and may be recovered if an attacker gains access to the workstation, or through exploitation of a cross-site scripting vulnerability. Gitlab.com did not set the autocomplete attribute to "off" on form fields containing sensitive data.
Forms containing sensitive information should have the autocomplete option disabled on both the form and the sensitive fields [16, 17]. For example:
<form autocomplete="off">
  …
  <input type="text" name="user_email" autocomplete="off">
  <input type="text" name="user_login" autocomplete="off">
  …
</form>
Although recent versions of most modern browsers do not respect the autocomplete attribute for fields of type "password", this practice is still recommended, as users may have changed their browsers' policies to respect the attribute.
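To verify that the recommendation above has been applied consistently, a reviewer can scan rendered HTML for sensitive fields that are not covered by autocomplete="off" on both the field and its enclosing form. The following checker is an added example and not GitLab code; it uses only the Python standard library, and the list of credential-like name fragments and the sample forms are constructed for the illustration (the sample field names are taken from the finding).

```python
"""Audit HTML forms for sensitive fields that still permit browser autocomplete.

Added example (not GitLab code). A field is flagged when it is a password input
or its name looks credential-like, and either the field or its enclosing <form>
lacks autocomplete="off" (the 'both form and field' rule from the finding).
"""
from html.parser import HTMLParser

# Constructed heuristic list of name fragments treated as sensitive; it covers
# the field names from the finding (user_login, user_password, user_email,
# new_user_*, bulk_import_gitlab_access_token).
SENSITIVE_NAME_PARTS = ("password", "passwd", "token", "secret", "login",
                        "email", "username", "user_name", "first_name", "last_name")

# Input types that carry no user-typed text, so browser form-value storage does not apply.
NON_TEXTUAL_TYPES = {"hidden", "submit", "button", "checkbox", "radio",
                     "file", "image", "reset"}


class AutocompleteAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self._forms = []      # autocomplete value of each open <form>, innermost last
        self.findings = []    # one dict per sensitive field that is not fully protected

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "").strip().lower() for k, v in attrs}
        if tag == "form":
            self._forms.append(a.get("autocomplete", ""))
            return
        if tag != "input":
            return
        itype = a.get("type", "text")
        name = a.get("name", "")
        if itype in NON_TEXTUAL_TYPES:
            return
        sensitive = itype == "password" or any(p in name for p in SENSITIVE_NAME_PARTS)
        if not sensitive:
            return
        problems = []
        if a.get("autocomplete", "") != "off":
            problems.append('field lacks autocomplete="off"')
        form_ac = self._forms[-1] if self._forms else None
        if form_ac is None:
            problems.append("input is outside any <form>")
        elif form_ac != "off":
            problems.append('enclosing <form> lacks autocomplete="off"')
        if problems:
            self.findings.append({"name": name, "type": itype, "problems": problems})

    def handle_endtag(self, tag):
        if tag == "form" and self._forms:
            self._forms.pop()


def audit(html: str) -> list:
    """Return the sensitive fields in `html` that still permit autocomplete."""
    auditor = AutocompleteAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: a sign-in form in the state the finding describes, and the
# same form with the recommended attributes applied.
VULNERABLE_FORM = """
<form action="/users/sign_in" method="post">
  <input type="text" name="user_login">
  <input type="password" name="user_password">
  <input type="hidden" name="authenticity_token" value="constructed">
  <input type="submit" value="Sign in">
</form>
"""

FIXED_FORM = """
<form action="/users/sign_in" method="post" autocomplete="off">
  <input type="text" name="user_login" autocomplete="off">
  <input type="password" name="user_password" autocomplete="off">
  <input type="hidden" name="authenticity_token" value="constructed">
  <input type="submit" value="Sign in">
</form>
"""

if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE_FORM), ("fixed", FIXED_FORM)):
        hits = audit(doc)
        print(f"{label}: {len(hits)} finding(s)")
        for h in hits:
            print(f"  {h['type']} field '{h['name']}': " + "; ".join(h["problems"]))
```

Run against saved page sources (or a crawler's output) the checker reports each unprotected field with the reason, so a form that is fixed only at the field level, or only at the form level, still shows up as a partial fix rather than passing silently.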