BulletProof Security Pro forum: WP JSON oEmbed – 403 error, wp-json/oembed
This topic has 2 replies, 2 voices, and was last updated 4 years, 4 months ago by AITpro Admin.

AITpro Admin (Keymaster):
WP Forum Post: https://wordpress.org/support/topic/too-many-wp-json-records-in-sevurity-log?replies=2#post-8346801
The LTX71 Bot, which is located on this server: http://whois.domaintools.com/ltx71.com and uses Amazon AWS DNS, is crawling/scanning the site and is requesting/accessing the WordPress wp-json oembed API URIs directly in a way that they are not intended to be requested/accessed. The WP JSON oEmbed URIs are intended to be requested/accessed by REST API endpoints: https://developer.wordpress.com/docs/oembed-provider-api/ and not just randomly crawled by bots. You can either ignore the Security Log entries or you can allow the LTX71 bot or any other bots to do something that they should not be doing on your website. If you want to allow this bot and other bots to do something they should not be doing on your website, then post a reply in this forum topic requesting the steps to allow/not block this bot and other bots from doing this on your website.
When you check the ltx71.com website directly you will see this message below displayed:

LTX71
We continuously scan the internet for security research purposes. Our crawling is not malicious and only notes summary information for a page.
If you have further questions please contact [removed for privacy and per WP Forum posting rules].

[403 GET Request: April 22, 2016 8:10 pm]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 54.87.199.12
Host Name: ec2-54-87-199-12.compute-1.amazonaws.com
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-json/oembed/1.0/embed?url=http://example.com/
QUERY_STRING:
HTTP_USER_AGENT: ltx71 - (http://ltx71.com/)
larsonreever (Participant):
> The WP JSON oEmbed URIs are intended to be requested/accessed by REST API endpoints: You can either ignore the Security Log entries or you can allow the LTX71 bot.
I think this post will provide more details on this:
https://secure.wphackedhelp.com/blog/wordpress-rest-api-vulnerability-content-injection/
AITpro Admin (Keymaster):
For legitimate WP JSON oembed requests that are being blocked, do the steps below to fix the problem.
The Query String is simulating an RFI hacking attempt, which is being blocked.
1. Copy the modified BPS Query String Exploits code below into this BPS Root Custom Code text box: 12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
2. Click the Encrypt Custom Code button – You only need to do this step if your web host has ModSecurity CRS installed and you are unable to save your custom code.
3. Click the Save Root Custom Code button to save your Root custom code.
4. Go to the BPS Setup Wizard page and run the Setup Wizard.

# BEGIN BPSQSE BPS QUERY STRING EXPLOITS
# The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
# Good sites such as W3C use it for their W3C-LinkChecker.
# Use BPS Custom Code to add or remove user agents temporarily or permanently from the
# User Agent filters directly below or to modify/edit/change any of the other security code rules below.
RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
#RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
#RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
#RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F]
# END BPSQSE BPS QUERY STRING EXPLOITS
Example Security Log entry:

[403 GET Request: 23rd July 2020 - 07:08]
BPS: 4.0 WP: 5.4.2
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: GDPR Compliance On
Host Name: 47.240.81.239
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: GDPR Compliance On
HTTP_FORWARDED: GDPR Compliance On
HTTP_X_FORWARDED_FOR: GDPR Compliance On
HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-json/oembed/1.0/embed?url=https://www.example.com/news/example-news/&
QUERY_STRING: url=https://www.example.com/news/example-news/&
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
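As an added example (not code from this thread or from BPS), the Python script below replays a subset of the %{QUERY_STRING} conditions from the rule block in the reply above against the query string in the logged oembed request. It shows that exactly the two conditions the modified block comments out are what fire on a legitimate oembed URL, and that the remaining conditions still block a constructed traversal payload; the rule subset and the traversal query string are this example's own choices.

```python
import re

# Subset of the %{QUERY_STRING} conditions from the BPSQSE block in the reply
# above, as (pattern, case_insensitive) pairs: [NC] on the Apache line means
# case-insensitive. Patterns are copied unchanged; Python's re and Apache's
# PCRE agree on everything these particular patterns use.
ORIGINAL_RULES = [
    (r"[a-zA-Z0-9_]=(http|https)://", True),   # commented out in the modified block
    (r"[a-zA-Z0-9_]=(\.\.//?)+", True),
    (r"(\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/)", True),
    (r"ftp\:", True),
    (r"(http|https)\:", True),                 # commented out in the modified block
    (r"(\<|%3C).*script.*(\>|%3E)", True),
    (r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", False),
    (r"(NULL|OUTFILE|LOAD_FILE)", False),
    (r"(\.{1,}/)+(motd|etc|bin)", True),
    (r"(localhost|loopback|127\.0\.0\.1)", True),
    (r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", True),
]

# The two conditions the modified block disables with a leading '#'.
DISABLED = {r"[a-zA-Z0-9_]=(http|https)://", r"(http|https)\:"}
MODIFIED_RULES = [rule for rule in ORIGINAL_RULES if rule[0] not in DISABLED]

# Raw query string taken from the example Security Log entry above.
OEMBED_QS = "url=https://www.example.com/news/example-news/&"
# Constructed traversal-style query string, to show the modified rules still fire.
TRAVERSAL_QS = "file=../../etc/passwd"


def matching_rules(query_string, rules):
    """Return the patterns that would fire on this raw query string.

    RewriteCond regexes are unanchored, so re.search is the right model; any
    single hit in the [OR] chain ending in `RewriteRule ^(.*)$ - [F]` means 403.
    """
    hits = []
    for pattern, nocase in rules:
        if re.search(pattern, query_string, re.IGNORECASE if nocase else 0):
            hits.append(pattern)
    return hits


def is_blocked(query_string, rules):
    return bool(matching_rules(query_string, rules))


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("modified", MODIFIED_RULES)):
        print(label, "oembed   ->", matching_rules(OEMBED_QS, rules))
        print(label, "traversal->", matching_rules(TRAVERSAL_QS, rules))
```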