Missing Password Field Masking
Draft Base
Structure: Simple
Description
The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.
Common Consequences 1
Scope: Access Control
Impact: Bypass Protection Mechanism
Detection Methods 1
Automated Static AnalysisHigh
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)Potential Mitigations 1
Phase: ImplementationRequirements
Recommendations include requiring all password fields in your web application be masked to prevent other users from seeing this information.
References 1
24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, and John Viega
McGraw-Hill
2010
ID: REF-44
Modes of Introduction
Implementation
Related Weaknesses