Saturday, July 18, 2009

Open letter to the Struts 1.x team on AUTOCOMPLETE

I'm a big fan of Struts 1.3.x. I currently use Struts 1.3.10, the latest release of the 1.x Struts line.

I would like the ability to disable autocomplete in an HTML form. Sadly (from a security perspective), almost every browser enables autocomplete by default. We need to explicitly add autocomplete="off" to our form HTML - on both the form tag and the individual form element tags of HTML 4.01+ pages. This is a very basic security protection. Wanting to prevent the browser from caching credit card numbers, PII and other critical user data is a no-brainer; appsec 101.
Now, the recent 1.3.10 release made a great stride in this direction. Finally, for the first time, the main Struts 1.3.x branch supports the autocomplete attribute (which defensive coders need just to disable this feature via HTML!). But it's still not enabled by default in Struts! I need to modify the Struts TLD XML file in order to enable the autocomplete attribute on the form and form element tags, which takes me off the main branch of Struts 1.3.x.

I implore you to consider enabling the autocomplete attribute by default, so we can turn it off - without having to customize our version of Struts 1.3.x! The best security is "secured by default", and this request moves us in that direction.

Jim Manico
OWASP, Intrinsic Security Working Group
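The letter's point is that protection only exists once autocomplete="off" actually reaches the rendered markup, on the form tag or on each sensitive field. The following is an added example, not code from the original post or from the Struts project: a small audit script that scans rendered HTML (the output of Struts' html:form tags, or any other framework) and reports sensitive inputs that neither carry autocomplete="off" themselves nor sit inside a form that does. The regex-based tag scanning and the list of "sensitive" field-name patterns are assumptions chosen for the example; the sample markup is constructed.

```javascript
// Added example (not from the original post or from Struts): audit rendered HTML
// for sensitive fields that the browser is still allowed to autocomplete.
// A field counts as protected when either its own tag or its enclosing <form>
// carries autocomplete="off". Tag scanning is regex-based, which is an
// assumption that holds for simple server-rendered markup, not a full parser.

// Assumed heuristic for "sensitive" field names; extend to taste.
const SENSITIVE_NAME = /(pass|pwd|card|ccnum|cvv|cvc|ssn|secret|token)/i;

// Returns the value of an attribute on a single tag string, or null if absent.
function attr(tag, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = tag.match(re);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// True only for autocomplete="off" (case-insensitive); "on" or absent is not protection.
function isAutocompleteOff(tag) {
  const v = attr(tag, 'autocomplete');
  return v !== null && v.trim().toLowerCase() === 'off';
}

// Walks <form> and <input> tags in document order, tracking whether the
// current form has autocomplete="off", and collects unprotected sensitive inputs.
function findUnprotectedFields(html) {
  const findings = [];
  const tagRe = /<(\/?)(form|input)\b[^>]*>/gi;
  let formOff = false;   // does the form we are currently inside disable autocomplete?
  let formName = null;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [tag, closing, name] = m;
    if (name.toLowerCase() === 'form') {
      if (closing) {
        formOff = false;
        formName = null;
      } else {
        formOff = isAutocompleteOff(tag);
        formName = attr(tag, 'name') || attr(tag, 'id');
      }
      continue;
    }
    const type = (attr(tag, 'type') || 'text').toLowerCase();
    const fieldName = attr(tag, 'name') || '';
    const sensitive = type === 'password' || SENSITIVE_NAME.test(fieldName);
    if (sensitive && !formOff && !isAutocompleteOff(tag)) {
      findings.push({ form: formName, field: fieldName, type });
    }
  }
  return findings;
}

// Constructed sample markup: a checkout page rendered without the attribute
// available on the form tag, and the same page once the form carries it.
const SAMPLE_BEFORE = `
<form name="checkoutForm" method="post" action="/checkout.do">
  <input type="text" name="fullName">
  <input type="text" name="cardNumber">
  <input type="password" name="password">
  <input type="text" name="cvv" autocomplete="off">
</form>`;

const SAMPLE_AFTER = `
<form name="checkoutForm" method="post" action="/checkout.do" autocomplete="off">
  <input type="text" name="fullName">
  <input type="text" name="cardNumber">
  <input type="password" name="password">
</form>`;

// Usage: run over the rendered page; an empty list means every sensitive
// field is covered. The "before" sample reports cardNumber and password;
// the "after" sample reports nothing because the form-level attribute covers them.
console.log('before:', findUnprotectedFields(SAMPLE_BEFORE));
console.log('after:', findUnprotectedFields(SAMPLE_AFTER));
```

Running this against the HTML a Struts page actually produces (rather than against the JSP source) is the useful check: it confirms that the attribute survived the taglib, which is exactly what the TLD change in the letter is about.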


Anonymous said...

My take is that you're oversimplifying this problem.

Autocomplete can definitely be a good thing. That way, I can (and do) have different random passwords for each critical site, and I don't have to remember them all, I let Firefox do it for me. I just have to remember one long password.

It simply depends on your use-cases. Is your site primarily targeted towards people with a personal computer that they control, or towards a go-to-the-library crowd?

For most people, the alternative to having the browser auto-fill is using a similar, easy to remember password that they share across many sites. That is itself a security hole - see the story in the news about the Twitter employee who had their Google account compromised by using the same password.

So auto-complete can be a net security gain. It is even better if the auto-completion is integrated into the operating system-browser connection with a secret keeper - such as using Konqueror with KWallet, or Safari with KeyChain. Of course, you have to trust users to make sure that they cannot cache passwords in inappropriate circumstances.

Jim Manico said...

I think your comments are totally fair, Anonymous, especially in the consumer space.

But in some enterprise situations (where strong password policy is forced), disabling autocomplete is a prudent choice.

All I'm asking is that 6 characters be deleted from the default struts 1.3.x tld file so that the autocomplete tag is a usable attribute by default.

webay said...

Very impressive... been watching you for months now and I have to say this one is just that

speechless WOW!!!