- Test for Vulnerable Remember Password (WSTG-AUTN-05)
- Password field with autocomplete enabled (PortSwigger)
- Check for the attribute autocomplete="off" within the FORM tag. Recent browser versions often ignore it, but it can still be necessary for PCI compliance.
- Look for passwords being stored in a cookie. Examine the cookies stored by the application. Verify that the credentials are not stored in clear text, but are hashed.
- Examine the hashing mechanism: if it is a common, well-known algorithm, check its strength; for homegrown hash functions, attempt several usernames to check whether the hash function is easily guessable.
- Verify that the credentials are sent only during the login phase, and not together with every request to the application.
- Consider other sensitive form fields (e.g. an answer to a secret question that must be entered in a password recovery or account unlock form).
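The following script is an added example written for this checklist; it is not part of the WSTG or PortSwigger material. It runs the checks above against constructed sample data: it parses HTML forms to find password fields whose effective autocomplete value is not "off" (an attribute on the input overrides the one on the form), scans cookie values (raw, URL-decoded, base64 and hex) for a known test account's password, classifies a hex digest by length and tests whether it is an unsalted digest of that password, and lists non-login requests that resend the credential. The sample HTML, cookie names, request list and the password "s3cret!" are all constructed for illustration.

```python
"""Helper checks for WSTG-AUTN-05 (remember-password / autocomplete review).

Hypothetical example script; all sample inputs below are constructed.
"""
import base64
import binascii
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import unquote


class _FormScanner(HTMLParser):
    """Collect password inputs with the autocomplete value that applies to each."""

    def __init__(self):
        super().__init__()
        self._form_autocomplete = None   # autocomplete attribute of the enclosing <form>
        self.findings = []               # list of (field name, effective autocomplete value)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form_autocomplete = (a.get("autocomplete") or "").lower()
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            own = (a.get("autocomplete") or "").lower()
            # The input's own attribute overrides the form-level setting.
            effective = own if own else (self._form_autocomplete or "")
            self.findings.append((a.get("name", "<unnamed>"), effective))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_autocomplete = None


def password_fields_with_autocomplete(html):
    """Names of password fields whose effective autocomplete value is not 'off'."""
    scanner = _FormScanner()
    scanner.feed(html)
    return [name for name, value in scanner.findings if value != "off"]


def _candidate_decodings(value):
    """Yield the raw value plus common reversible encodings an app might use."""
    yield value
    decoded = unquote(value)
    if decoded != value:
        yield decoded
    for candidate in (value, decoded):
        if len(candidate) % 4 != 1:  # a length of 4n+1 can never be valid base64
            try:
                padded = candidate + "=" * (-len(candidate) % 4)
                yield base64.b64decode(padded, validate=True).decode("utf-8", "replace")
            except (binascii.Error, ValueError):
                pass
        try:
            yield bytes.fromhex(candidate).decode("utf-8", "replace")
        except ValueError:
            pass


def _contains_credential(text, password):
    return any(password in c for c in _candidate_decodings(text))


def cookies_exposing_credentials(cookies, password):
    """Cookie names whose value (raw or trivially decoded) contains the test password."""
    return [name for name, value in cookies.items() if _contains_credential(value, password)]


_HASH_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}


def classify_hash(value):
    """Guess the digest family of a hex string from its length; 'unrecognised' otherwise."""
    if re.fullmatch(r"[0-9a-fA-F]+", value):
        return _HASH_LENGTHS.get(len(value), "unrecognised")
    return "unrecognised"


def matches_unsalted_digest(value, password):
    """Algorithm name if value is an unsalted hex digest of password (a weak scheme), else None."""
    for algo in ("md5", "sha1", "sha256", "sha512"):
        if hashlib.new(algo, password.encode()).hexdigest() == value.lower():
            return algo
    return None


def requests_resending_credentials(requests, password, login_path="/login"):
    """Paths of non-login requests that carry the password in their body or cookies."""
    flagged = []
    for req in requests:
        if req["path"] == login_path:
            continue
        texts = [req.get("body", "")] + list(req.get("cookies", {}).values())
        if any(_contains_credential(t, password) for t in texts):
            flagged.append(req["path"])
    return flagged


# Constructed sample data for a hypothetical application.
SAMPLE_HTML = """
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<form action="/recover" method="post" autocomplete="off">
  <input type="password" name="secret_answer">
  <input type="password" name="new_pw" autocomplete="on">
</form>
"""
SAMPLE_PASSWORD = "s3cret!"
SAMPLE_COOKIES = {
    "session": "k9Qz7pLm",                                              # opaque token
    "remember": base64.b64encode(b"alice:" + SAMPLE_PASSWORD.encode()).decode(),
    "pwhash": hashlib.md5(SAMPLE_PASSWORD.encode()).hexdigest(),        # unsalted MD5
}
SAMPLE_REQUESTS = [
    {"path": "/login", "body": "user=alice&pass=s3cret%21", "cookies": {}},
    {"path": "/account", "body": "", "cookies": {"remember": SAMPLE_COOKIES["remember"]}},
    {"path": "/logout", "body": "", "cookies": {"session": SAMPLE_COOKIES["session"]}},
]

if __name__ == "__main__":
    print("autocomplete not off:", password_fields_with_autocomplete(SAMPLE_HTML))
    print("cookies exposing password:", cookies_exposing_credentials(SAMPLE_COOKIES, SAMPLE_PASSWORD))
    print("pwhash looks like:", classify_hash(SAMPLE_COOKIES["pwhash"]),
          "/ unsalted:", matches_unsalted_digest(SAMPLE_COOKIES["pwhash"], SAMPLE_PASSWORD))
    print("requests resending password:", requests_resending_credentials(SAMPLE_REQUESTS, SAMPLE_PASSWORD))
```

Feed the script real responses captured from the application under test in place of the constructed samples; a password field left in the result of `password_fields_with_autocomplete`, any cookie name returned by `cookies_exposing_credentials`, or a non-`None` result from `matches_unsalted_digest` is a finding to record against this test.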