WordPress - Url Encoding - Firewall Rule To Block User Enum

Hello gents n ladies!

Any guidance would be helpful!

Original paths: /?rest_route/wp/v2/users and /wp-json/wp/v2/users - Blocked

I want to block URL encoding because it bypasses my first block, where I am able to block the original path above.
Sample: /?rest_route=%2Fwp/v2/users or /?rest_route=%2Fwp%2Fv2%2Fusers%2F1 - not blocked

Same goes for /wp-json%2Fwp/v2/users, this is not blocked

Basically / URL encoded becomes %2F

I have tried things like this:

or (lower(http.request.uri.path) contains "/wp-json%2Fwp/v2/users") or (lower(http.request.full_uri) contains "/wp-json%2Fwp/v2/users") or (lower(http.request.uri.query) contains "/wp-json%2Fwp/v2/users") or (lower(http.request.full_uri) contains "/wp-json%2Fwp/v2/users")

Thanks a lot!

To the best of my knowledge, the field http.request.uri.path is normalized before the firewall action is applied, which means that a firewall rule for /wp-json/... should apply to it and any percent-encoded variation of it.

If it isn’t working, please open a support ticket and place its # here so that @cloonan may have a look.

As for the /?rest_route..., that’s a path (/) + a query string, and you should drop the / and use the query string selector instead of URI Path.


I believe this one was already posted here?:

Hi @fritexvz, yes, that was me; I posted a similar question yesterday, and that works fine, although when I try to bypass it with URL encoding, it's not stopping it.

(http.request.uri.path contains "?rest_route=%2F") or (http.request.uri.query contains "rest_route=%2F")

This worked for me.

Thanks @floripare


I’m glad it’s working, though the first part of your rule will never trigger the intended action. As I said in my earlier post, the http.request.uri.path field does not include the query string. It should only contain the path. See the following for examples and explanations;
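To make the two points in this thread concrete, here is an added Python sketch (not Cloudflare's code and not a rule from the thread) that models a percent-decoded path field and a raw query field, then applies the block the way the answers describe: match the users endpoint on the decoded path, and match rest_route on the decoded query value. The field names and functions are assumptions; it also decodes the rest_route value a second time to cover double-encoding, which goes beyond what the thread discusses.

```python
from urllib.parse import urlsplit, unquote, parse_qs

# Constructed sample request URIs taken from the thread, plus one benign request.
SAMPLE_URIS = [
    "/wp-json/wp/v2/users",                  # plain path, blocked by the first rule
    "/wp-json%2Fwp/v2/users",                # encoded slash in the path
    "/?rest_route=/wp/v2/users",             # query-string form, plain
    "/?rest_route=%2Fwp%2Fv2%2Fusers%2F1",   # query-string form, encoded slashes
    "/wp-json/wp/v2/posts",                  # benign, must not be blocked
]


def request_fields(uri: str) -> dict:
    """Split a raw request URI into two fields modelled on the thread's
    description: 'path' is percent-decoded and never contains the query
    string; 'query' is the raw query string (no leading '?')."""
    parts = urlsplit(uri)
    return {"path": unquote(parts.path).lower(), "query": parts.query}


def is_user_enum_request(uri: str) -> bool:
    """Return True when the request targets the REST users endpoint,
    whether by path or via the ?rest_route= query parameter."""
    fields = request_fields(uri)
    # Path check: decoding has already turned %2F back into '/', so a
    # single literal pattern covers the encoded variants.
    if "/wp-json/wp/v2/users" in fields["path"]:
        return True
    # Query check: parse_qs decodes each value once; the extra unquote()
    # also catches a double-encoded value such as %252Fwp%252Fv2%252Fusers.
    for route in parse_qs(fields["query"]).get("rest_route", []):
        if "/wp/v2/users" in unquote(route).lower():
            return True
    return False


def blocked_uris(uris=SAMPLE_URIS) -> list:
    """Filter a list of URIs down to those the block would catch."""
    return [u for u in uris if is_user_enum_request(u)]


if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{'BLOCK' if is_user_enum_request(uri) else 'allow':5}  {uri}")
```

Note that request_fields("/?rest_route=...")["path"] is just "/", which is why a rule testing http.request.uri.path for "?rest_route=" can never match.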
