GitLab.org / GitLab, issue #339146
Issue created Aug 23, 2021 by James Ritchey (@jritchey), Developer

Annual pentest finding (2021) - Autocomplete Enabled

Location

• https://gitlab.com/users/password/new (user_email) 
• https://gitlab.com/users/sign_in (user_login) 
• https://gitlab.com/users/sign_in (user_password) 
• https://gitlab.com/users/sign_up (new_user_first_name) 
• https://gitlab.com/users/sign_up (new_user_last_name) 
• https://gitlab.com/users/sign_up (new_user_username) 
• https://gitlab.com/users/sign_up (new_user_email) 
• https://gitlab.com/users/sign_up (new_user_password) 
• https://gitlab.com/users/confirmation/new (user_email) 
• https://gitlab.com/groups/new#import-group-pane (bulk_import_gitlab_access_token) 

Impact

Sensitive data such as usernames, passwords, and access tokens could be retrieved locally via the browser’s history if the local user’s system is compromised.

Description

The autocomplete function, implemented by many popular browsers, gives a user the option of storing form field values so that the browser can automatically populate the same fields of a form later. Although this feature is a convenience for users of the application, it creates a security risk: sensitive user data such as usernames, passwords, and access tokens are stored locally and may be recovered if an attacker gains access to the workstation, or through exploitation of a cross-site scripting vulnerability. GitLab.com did not set the autocomplete attribute to off on form fields containing sensitive data.

Recommendation

Forms containing sensitive information should have the autocomplete option disabled on both the form and the sensitive fields. For example:

```html
<form autocomplete="off">
…
<input type="text" name="user_email" autocomplete="off">
<input type="text" name="user_login" autocomplete="off">
…
</form>
```

Although recent versions of most modern browsers do not respect the autocomplete attribute for fields of type “password”, it is still recommended that this practice be followed, as users could have changed their browsers’ policies to respect this attribute.
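As an added verification check (not part of the pentest report or GitLab's own code), the following Python script parses an HTML page and reports sensitive inputs whose effective autocomplete setting is not `off`, applying the rule that an input's own attribute overrides the enclosing form's. The field classification and the sample forms are assumptions constructed for this example.

```python
from html.parser import HTMLParser

# Assumption: a field is sensitive if its type is password/email or its name
# contains one of these substrings (covers the fields listed in the finding).
SENSITIVE_TYPES = {"password", "email"}
SENSITIVE_NAME_PARTS = ("password", "email", "login", "username", "token")

def is_sensitive(attrs):
    if attrs.get("type", "text").lower() in SENSITIVE_TYPES:
        return True
    return any(p in attrs.get("name", "").lower() for p in SENSITIVE_NAME_PARTS)

class AutocompleteAuditor(HTMLParser):
    # An input's own autocomplete attribute overrides the enclosing <form>'s,
    # so the form-level value is only a default for inputs that omit it.
    def __init__(self):
        super().__init__()
        self.form_default = None  # autocomplete value of the open <form>, if any
        self.findings = []        # sensitive fields left autocomplete-able

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_default = attrs.get("autocomplete")
        elif tag == "input" and is_sensitive(attrs):
            effective = attrs.get("autocomplete", self.form_default) or ""
            if effective.lower() != "off":
                self.findings.append(attrs.get("name", "<unnamed>"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_default = None

def audit(html):
    parser = AutocompleteAuditor()
    parser.feed(html)
    return parser.findings

# Constructed sample modelled on the sign-in and import-group forms in the finding.
SAMPLE = """<form action="/users/sign_in">
  <input type="text" name="user[login]">
  <input type="password" name="user[password]" autocomplete="off">
</form>
<form autocomplete="off" action="/groups/new">
  <input type="text" name="bulk_import[gitlab_access_token]" autocomplete="on">
  <input type="text" name="bulk_import[gitlab_url]">
</form>"""

if __name__ == "__main__":
    print(audit(SAMPLE))  # ['user[login]', 'bulk_import[gitlab_access_token]']
```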

Edited Aug 23, 2021 by James Ritchey