• I am scanning my site for PCI compliance and get this error:

    WordPress REST API User Enumeration Vulnerability

    Customers can additionally configure authentication requirement for all REST-API requests.

How is the auth requirement done? What file do I edit?

    Thank you

Viewing 1 replies (of 1 total)
  • Moderator bcworkz

    (@bcworkz)

    It depends on the chosen auth method. The default is via cookies, but can be accomplished by other means via a plugin.
    https://developer.www.ads-software.com/rest-api/using-the-rest-api/authentication/

    While I know what a user enumeration vuln is, I don’t understand “can additionally configure authentication requirement.”

    The ability to discover usernames being a vuln is somewhat of a controversy. It is true one can get usernames from the default API. It’s also easily prevented through the ‘rest_prepare_user’ filter. The filter callback simply unsets any data you don’t want getting out.

    You wouldn’t be editing any WP files directly. That is never done. Everything is managed through filter and action hooks.
    https://developer.www.ads-software.com/plugins/hooks/
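The two mechanisms the reply refers to, the `rest_prepare_user` filter that strips fields from user responses and a site-wide authentication requirement for the REST API, can both be implemented as hooks without touching core files. The following is an added example, not code from the original thread or from WordPress itself; it assumes it is dropped into a must-use plugin (a file under `wp-content/mu-plugins/`, name chosen here for illustration) and uses only the core `rest_prepare_user` and `rest_authentication_errors` filters plus the `WP_Error` class.

```php
<?php
/**
 * Plugin Name: REST API hardening (added example, not part of the original thread)
 *
 * Drop this file into wp-content/mu-plugins/ (a path assumed for this example).
 * It does two things the reply above describes:
 *   1. Strips identifying fields from /wp/v2/users responses for callers who
 *      cannot already list users, which removes the enumeration value of the endpoint.
 *   2. Optionally requires an authenticated user for every REST request.
 */

// Fields that reveal account names or login-related details. Constructed list for this example;
// adjust to what your site actually needs to expose.
const REST_HARDENING_SENSITIVE_USER_FIELDS = array(
    'slug',        // user_nicename, which is usually the login name
    'name',        // display name
    'link',        // author archive URL, which also contains the nicename
    'description',
    'url',
    'avatar_urls',
    'meta',
);

/**
 * Remove sensitive fields from a single user object in a REST response.
 *
 * Hooked to rest_prepare_user, which receives the prepared WP_REST_Response,
 * the WP_User being serialised, and the WP_REST_Request.
 */
function rest_hardening_filter_user_response( $response, $user, $request ) {
    // Administrators (anyone with list_users) still get the full object so the
    // Users screen and legitimate integrations keep working.
    if ( current_user_can( 'list_users' ) ) {
        return $response;
    }

    $data = $response->get_data();
    foreach ( REST_HARDENING_SENSITIVE_USER_FIELDS as $field ) {
        unset( $data[ $field ] );
    }
    $response->set_data( $data );

    return $response;
}
add_filter( 'rest_prepare_user', 'rest_hardening_filter_user_response', 10, 3 );

/**
 * Require an authenticated user for all REST API requests.
 *
 * rest_authentication_errors runs after cookie/nonce (or plugin-provided)
 * authentication has been attempted. Returning a WP_Error here makes the
 * request fail with the given status. Set the constant to false to keep the
 * API public but still benefit from the field stripping above.
 */
const REST_HARDENING_REQUIRE_AUTH = true; // assumption: site chooses to lock the API down

function rest_hardening_require_authentication( $result ) {
    // A previous authentication step already produced an error or a success;
    // do not override it.
    if ( ! empty( $result ) ) {
        return $result;
    }

    if ( REST_HARDENING_REQUIRE_AUTH && ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You must be logged in to use the REST API.' ),
            array( 'status' => 401 )
        );
    }

    return $result;
}
add_filter( 'rest_authentication_errors', 'rest_hardening_require_authentication' );
```

A caveat worth checking before enabling the authentication requirement: the block editor, WooCommerce, Jetpack and many themes issue REST requests while a user is logged in with a valid nonce, so those keep working, but anything that expects anonymous access (public forms, headless front ends, oEmbed discovery) will start receiving `401` responses. Test with `curl -i https://example.com/wp-json/wp/v2/users` (example host) before and after: the anonymous response should either be a `401` or, with the requirement disabled, a user list with the `slug`, `name` and `link` fields absent.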

  • The topic ‘Rest Api ?’ is closed to new replies.