Password autocomplete passive scan rule implementation


Stuart

Oct 13, 2016, 5:28:28 AM
to OWASP ZAP User Group
Hi all

I was just looking at some of the scan rules and noticed that the password autocomplete scanner implementation seems to be inconsistent with other public information about browser behaviour.

I'm interested to find out why the rule has been implemented in this way, and whether anyone believes it would be worth changing the rule to reflect the documented behaviour of browsers.

My motivation for starting this discussion is:

1. For me to get a better understanding of how this particular rule has evolved and the details behind it, and
2. To reduce the false positives (if that proves to be the case) in test output

Thanks
Stuart

Simon Bennetts

Oct 17, 2016, 4:42:31 AM
to OWASP ZAP User Group
From memory I think the original Paros rules used regexes, and I rewrote it when we started using a proper parser in the passive rules. But I've not looked at it for a few years so can believe that it's out of date with modern browser behavior.

What changes are you proposing?
Happy for any rules to change if the changes make sense :)

Cheers,

Simon

Stuart

Oct 17, 2016, 4:48:57 AM
to OWASP ZAP User Group
Thanks for responding. Given this rule only considers password input elements, I think it makes sense to remove it entirely.

What do you/others think?

Thanks
Stuart
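
To make concrete what the rule under discussion checks, here is an added illustration written for this thread (my own example, not ZAP's Java implementation): a parser-based passive check that reports password inputs which neither they nor their enclosing form mark `autocomplete="off"`. The HTML sample is constructed.

```python
from html.parser import HTMLParser


class PasswordAutocompleteCheck(HTMLParser):
    """Passive check: collect <input type="password"> elements that do not
    disable autocomplete on the input itself or on the enclosing <form>.
    As the thread notes, current browsers may ignore the attribute for
    password fields, so a finding here is informational at best."""

    def __init__(self):
        super().__init__()
        self.form_autocomplete_off = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Normalise attribute names/values; a valueless attribute yields None.
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        if tag == "form":
            self.form_autocomplete_off = a.get("autocomplete") == "off"
        elif tag == "input" and a.get("type") == "password":
            if a.get("autocomplete") != "off" and not self.form_autocomplete_off:
                self.findings.append(a.get("name") or a.get("id") or "<unnamed>")

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_autocomplete_off = False


def find_password_autocomplete(html):
    """Return the names/ids of password inputs that would trigger the rule."""
    parser = PasswordAutocompleteCheck()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: only the first form should be reported.
SAMPLE = """
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<form action="/change" autocomplete="off">
  <input type="password" name="new_pass">
</form>
<form action="/other">
  <input type="password" name="pin" autocomplete="off">
</form>
"""

if __name__ == "__main__":
    print(find_password_autocomplete(SAMPLE))  # ['pass']
```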

kingthorin+owaspzap

Oct 17, 2016, 10:43:00 AM
to OWASP ZAP User Group
This is one of those topics that can be argued both ways until everyone is blue in the face.

If the rule is producing False Positives for you then you can disable it. [1]




Stuart

Oct 18, 2016, 4:01:26 AM
to OWASP ZAP User Group
Thanks... my concern is that whether the rule is enabled or disabled won't change the browser ignoring whatever you do anyway.

I see two different issues here:
  1. How the browser should treat autocomplete on password fields (the outcome being that both FF & Chrome claim to ignore it entirely, and not the topic of discussion here)
  2. Whether the password autocomplete rule is effective
I'm very interested to hear arguments that suggest leaving the ZAP rule as-is, because it appears that no matter what you do (e.g. autocomplete or not) it will have the same effect within the browser. If I'm wrong about that, please do point me in the right direction.

Telling people to disable the rule is good advice if it is helpful in the majority of cases, but if it is mostly ineffective then that doesn't feel like the right course of action. What do you think?

Simon Bennetts

Oct 18, 2016, 4:07:56 AM
to OWASP ZAP User Group
Confession time - we ignore it in the baseline scans we run at Mozilla :) https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan
I think we should be aiming for the release quality rules to be as accurate and as useful as possible.
Is this one useful? Maybe not.
We could:
  1. Leave it as it is - it only raises Low issues anyway
  2. Change it to log Info issues instead
  3. Only enable it on a Low threshold
  4. Demote it to beta
  5. Remove it completely

I'm open to any of those.

What does everyone else think?

Does anyone treat this as an issue they choose to resolve?


Cheers,


Simon

Stuart

Oct 28, 2016, 9:27:39 AM
to OWASP ZAP User Group
Given the lack of responses since your last message, I'm guessing there's no interest to change this from the community. If that changes, I'm happy to do the work to either remove / amend it.

Cheers
Stuart

kingthorin+owaspzap

Jan 9, 2017, 12:35:47 PM
to OWASP ZAP User Group
While not password specific, more (recent) reasoning around why autocomplete is dangerous for users:
https://tech.slashdot.org/story/17/01/09/0521217/browser-autofill-profiles-can-be-abused-for-phishing-attacks


kingthorin+owaspzap

Jan 4, 2018, 5:25:17 AM
to OWASP ZAP User Group
Just in case anyone is still tracking this or curious, you might want to check https://github.com/zaproxy/zaproxy/issues/4215