OWASP ASVS: Test remember password functionality

(srinivas) #1

If an attacker can gain access to the victim’s browser (e.g. through a Cross Site Scripting attack, or through a shared computer), then they can retrieve the stored passwords.

  1. It is not uncommon for browsers to store these passwords in an easily retrievable manner, but even if the browser were to store the passwords encrypted and only retrievable through the use of a master password,
  2. an attacker could retrieve the password by visiting the target web application’s authentication form, entering the victim’s username, and letting the browser enter the password.

I tried approaches 1 and 2 on most of the sites; I can gain the stored passwords.

Is it still a problem having the browser's "save passwords" feature?

Reference: https://www.owasp.org/index.php/Testing_for_Vulnerable_Remember_Password_(OTG-AUTHN-005)