
Commit 930f572

authored
Merge pull request #453 from kimocoder/claude/fix-security-vulnerability-gQwUM
fix: mask sensitive credentials in log output (CWE-312)
2 parents 34a7610 + 9ba02c3 commit 930f572

6 files changed

Lines changed: 31 additions & 9 deletions


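--- a/wifite/attack/eviltwin.py
+++ b/wifite/attack/eviltwin.py
@@ -19,7 +19,7 @@
 from ..config import Configuration
 from ..util.color import Color
 from ..util.timer import Timer
-from ..util.logger import log_info, log_error, log_warning, log_debug
+from ..util.logger import log_info, log_error, log_warning, log_debug, mask_sensitive
 from ..util.client_monitor import ClientMonitor, ClientConnection
 from ..util.cleanup import CleanupManager
 from ..util.adaptive_deauth import AdaptiveDeauthManager
@@ -1412,7 +1412,7 @@ def on_credential_submission(self, mac_address: str, password: str, success: boo
 
 # Log the attempt
 if success:
-log_info('EvilTwin', f'Valid credentials from {mac_address}: {password}')
+log_info('EvilTwin', f'Valid credentials from {mac_address}: {mask_sensitive(password)}')
 Color.pl('\n{+} {G}SUCCESS! Valid credentials captured:{W}')
 Color.pl(' {C}From:{W} {G}%s{W}' % mac_address)
 Color.pl(' {C}Password:{W} {G}%s{W}' % password)
@@ -1457,7 +1457,7 @@ def create_result(self, password: str, validation_time: float = 0.0) -> CrackRes
 portal_template=getattr(Configuration, 'evil_twin_portal_template', 'generic')
 )
 
-log_info('EvilTwin', f'Created result for {self.target.essid}: {password}')
+log_info('EvilTwin', f'Created result for {self.target.essid}: {mask_sensitive(password)}')
 return result
 
 def _setup_client_monitor(self, hostapd_log: str, dnsmasq_log: str):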
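Review bot: The masking on line 1415 covers only the logger sink; the `Color.pl(' {C}Password:{W} {G}%s{W}' % password)` call three lines below still writes the plaintext password to the console, so a terminal capture or a tee of stdout gets exactly what the log file no longer does. If displaying the captured credential on screen is intentional, state it next to that call, e.g. `# Plaintext shown on the console by design; persistent logs receive the masked value`, so the next reader does not treat it as an oversight. Whether other console or result paths in `on_credential_submission` and `create_result` still carry the plaintext cannot be seen here, as both functions begin outside this hunk.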

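--- a/wifite/attack/pmkid.py
+++ b/wifite/attack/pmkid.py
@@ -10,7 +10,7 @@
 from ..model.pmkid_result import CrackResultPMKID
 from ..tools.airodump import Airodump
 from ..util.wpasec_uploader import WpaSecUploader
-from ..util.logger import log_debug, log_info, log_warning, log_error
+from ..util.logger import log_debug, log_info, log_warning, log_error, mask_sensitive
 from threading import Thread, active_count
 import os
 import time
@@ -479,7 +479,7 @@ def crack_pmkid_file(self, pmkid_file):
 key = Hashcat.crack_pmkid(pmkid_file)
 
 if key is not None:
-log_info('AttackPMKID', f'PMKID cracked successfully! Password: {key}')
+log_info('AttackPMKID', f'PMKID cracked successfully! Password: {mask_sensitive(key)}')
 return self._handle_pmkid_crack_success(key, pmkid_file)
 # Failed to crack.
 if Configuration.wordlist is not None:
@@ -495,7 +495,7 @@ def _handle_pmkid_crack_success(self, key, pmkid_file):
 # Successfully cracked.
 if self.view:
 self.view.add_log(f"Successfully cracked PMKID!")
-self.view.add_log(f"Password: {key}")
+self.view.add_log(f"Password: {mask_sensitive(key)}")
 self.view.update_progress({
 'progress': 1.0,
 'status': 'PMKID cracked successfully!',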

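--- a/wifite/tools/bully.py
+++ b/wifite/tools/bully.py
@@ -326,7 +326,8 @@ def parse_crack_result(self, line):
 
 if self.cracked_pin and self.cracked_key:
 if self.attack_view:
-self.attack_view.add_log(f"SUCCESS! Cracked WPS Key: {self.cracked_key}")
+from ..util.logger import mask_sensitive
+self.attack_view.add_log(f"SUCCESS! Cracked WPS Key: {mask_sensitive(self.cracked_key)}")
 self.attack_view.update_progress({
 'progress': 1.0,
 'status': 'WPS Cracked!',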
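Review bot: The `from ..util.logger import mask_sensitive` added at line 329 is a function-scope import buried inside the `if self.attack_view:` branch of `parse_crack_result`, whereas eviltwin.py and pmkid.py in this same commit extend their module-level logger import instead. A module-level import keeps the dependency visible at the top of the file, avoids re-executing the import statement each time a cracked result is parsed, and removes the risk that a later edit of the branch silently drops the name. Moving the line up alongside the file's other imports is the whole change; reaver.py (line 291) and attack_view.py (line 1155) carry the same pattern. If a circular import forces the local form, a one-line comment saying so at the import would spare the next reviewer the same question; `parse_crack_result` starts outside this hunk.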

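--- a/wifite/tools/reaver.py
+++ b/wifite/tools/reaver.py
@@ -288,7 +288,8 @@ def parse_crack_result(self, stdout):
 # Reaver provided PSK
 if self.attack_view:
 self.attack_view.add_log(f"SUCCESS! Cracked WPS PIN: {pin}")
-self.attack_view.add_log(f"PSK (Password): {psk}")
+from ..util.logger import mask_sensitive
+self.attack_view.add_log(f"PSK (Password): {mask_sensitive(psk)}")
 self.attack_view.update_progress({
 'progress': 1.0,
 'status': 'WPS Cracked!',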
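Review bot: The WPS PIN on line 290, `self.attack_view.add_log(f"SUCCESS! Cracked WPS PIN: {pin}")`, is still written in the clear while the PSK on the following line is now masked. A recovered WPS PIN is a reusable credential in its own right, so under the commit's CWE-312 rationale it warrants the same treatment: `self.attack_view.add_log(f"SUCCESS! Cracked WPS PIN: {mask_sensitive(pin)}")`, with the import moved above the first use. Whether `pin` is later needed unmasked for the result object cannot be seen from this hunk; `parse_crack_result` starts outside it.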

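--- a/wifite/ui/attack_view.py
+++ b/wifite/ui/attack_view.py
@@ -1152,7 +1152,8 @@ def add_credential_attempt(self, mac_address: str, password: str, success: bool)
 if success:
 self.successful_attempts += 1
 # Use rich text formatting for success
-self.add_log(f"[bold green]✓[/bold green] Valid credentials from {mac_address}: [bold]{password}[/bold]", timestamp=True)
+from ..util.logger import mask_sensitive
+self.add_log(f"[bold green]✓[/bold green] Valid credentials from {mac_address}: [bold]{mask_sensitive(password)}[/bold]", timestamp=True)
 # Update phase to show success
 self.set_attack_phase("Validating")
 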
11581159

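--- a/wifite/util/logger.py
+++ b/wifite/util/logger.py
@@ -365,3 +365,22 @@ def log_critical(module: str, message: str, exc: Optional[Exception] = None):
 def log_exception(module: str, message: str):
 """Log current exception."""
 Logger.exception(module, message)
+
+
+def mask_sensitive(value: str) -> str:
+"""Mask a sensitive value (e.g. password, key) for safe logging.
+
+Shows the first 2 characters followed by asterisks. Values of
+2 characters or fewer are fully masked.
+
+Args:
+value: The sensitive string to mask.
+
+Returns:
+A masked version of *value* that is safe to include in logs.
+"""
+if not value:
+return '****'
+if len(value) <= 2:
+return '*' * len(value)
+return value[:2] + '*' * (len(value) - 2)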
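Review bot: `mask_sensitive` discloses the exact length of the secret, because the asterisk count on line 386 is `len(value) - 2` and the `<= 2` branch on line 385 emits one asterisk per character; together with the two-character prefix, a log line reveals more of a short passphrase than a masked value should. A fixed-width mask closes the length channel without touching any call site: replace the last two branches with `if len(value) <= 2: return '****'` and `return value[:2] + '****'`, so every output is uniform with the empty-value branch that already returns `'****'`. That also makes the docstring's "Values of 2 characters or fewer are fully masked" literally accurate, since today a one-character value is rendered as a single `*`. The annotation `value: str` is narrower than the code, which accepts `None` through `if not value`; `value: Optional[str]`, with `Optional` already in scope per the hunk header, would match the behavior.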
