Need to hide the LuCI login password in POST... how can we do it?
POST? Do you mean Power-On Self-Test for x86 computers?
How do you see any password there? The POST is done before even the BIOS is booted?
You have to use HTTPS.
You can use SSL certificate auth or pipe the web UI via an SSH port forward.
I have enabled the luci-ssl package in OpenWrt and tried, but it still shows the password in plain text in the POST capture via the Burp tool, using HTTPS only.
If you're running Burp and looking at the browser session you're connecting to LuCI with, then you'll always see the form or authentication data being passed in a query, because Burp looks at the data being processed by the browser, not the data traversing the network.
It can see the info going into a POST request before it gets encrypted.
This is not a problem.
In order to not actually send the password (SSL or not), you have to use "http digest auth", and not "http basic auth".
Unfortunately, AFAICT, uhttpd does not seem to support anything other than "basic auth": https://openwrt.org/docs/guide-user/services/webserver/uhttpd
I'm not sure if LuCI can be (fully/easily) used with an httpd other than uhttpd.
I think at least lighttpd can be used with/for LuCI, and it supports Digest-Auth:
Then, I guess the tool you are using is not watching the network traffic, right? Is it a browser plug-in, perhaps? What's the problem if the browser CA sees the password?