• Resolved adrews1

    (@adrews1)


    I use the REST API on my resources via the JWT Authentication for WP-API plugin (Enrique Chavez). I followed all the instructions of the plugin and added a line in wp-config.php: define('JWT_AUTH_SECRET_KEY', 'your-top-secret-key');

    I get the token without any problems!

    For security settings, I’m using the NinjaFirewall (WP Edition) plugin (free).

    When I send a content update request via the REST API (POST, PATCH, PUT), I get the following error: 403

    Log: 6558685 CRITICAL 115 my_IP PATCH /index.php – Cross-site scripting – [RAW:PATCH = {“content”: “<p style=\”font-size:18px…..

    I work via token as admin. If I enable Debugging mode (Firewall Options), the log shows: 2947131 DEBUG_ON 115 my_IP PATCH /index.php – Cross-site scripting – [RAW:PATCH = {“content”: “<p style=\”font-size:18px\”

    But the post is updated, the request passes. How can I fix it?

    • This topic was modified 5 months ago by adrews1.
Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author nintechnet

    (@nintechnet)

    I’m not sure I understand your question, i.e., whether the problem occurred in Debugging mode only, or even without it:

    • In Debugging mode, the request is always accepted, but the firewall writes the event to the log as it would under normal circumstances, i.e., blocked request in that case. See this.
    • But if you disable the debugging mode, the request should not get through.

    Thread Starter adrews1

    (@adrews1)

    In debug mode the request is not blocked; the log file just shows information about critical vulnerability 115. When I disable debug mode, the request is blocked! How can I configure it so that my request as administrator, because I work via token, is not blocked? Is there an additional option to whitelist the IP? What can be the problem?

    Plugin Author nintechnet

    (@nintechnet)

    If you want to whitelist your IP address, you’ll need to use the .htninja with the free version of NinjaFirewall: https://blog.nintechnet.com/ninjafirewall-wp-edition-the-htninja-configuration-file/?#allow_block
    Here’s an example:

    <?php
    if ( $_SERVER["REMOTE_ADDR"] == '1.2.3.4' ) {
        define('NFW_UWL', true);
        return 'ALLOW'; // whitelist
    }
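
A narrower variant of the .htninja allow rule from the reply above, as an added example that is not part of the original thread or NinjaFirewall's own code: it accepts a list of addresses or CIDR ranges and skips filtering only for the write methods mentioned in the question. The helper name, the variable names and the addresses (documentation ranges) are assumptions made for illustration.

```php
<?php
// Added example: allowlist entries are constructed placeholders, replace with your own.
$nfw_example_allowed = array( '192.0.2.10', '198.51.100.0/24' );

// Hypothetical helper (assumes 64-bit PHP): true if IPv4 address $ip equals
// $entry or falls inside it when $entry is written as a CIDR range.
if ( ! function_exists( 'nfw_example_ip_match' ) ) {
    function nfw_example_ip_match( $ip, $entry ) {
        $parts = explode( '/', $entry, 2 );
        $bits  = isset( $parts[1] ) ? (int) $parts[1] : 32;
        $addr  = ip2long( $ip );
        $net   = ip2long( $parts[0] );
        if ( $addr === false || $net === false || $bits < 0 || $bits > 32 ) {
            return false; // malformed or non-IPv4 input never matches
        }
        $mask = ( $bits === 0 ) ? 0 : ( ( ~0 << ( 32 - $bits ) ) & 0xFFFFFFFF );
        return ( $addr & $mask ) === ( $net & $mask );
    }
}

$nfw_example_ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
$nfw_example_method = isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '';

// Only the write methods from the question bypass filtering; any other
// request from the same address is still inspected by the firewall.
if ( in_array( $nfw_example_method, array( 'POST', 'PATCH', 'PUT' ), true ) ) {
    foreach ( $nfw_example_allowed as $nfw_example_entry ) {
        if ( nfw_example_ip_match( $nfw_example_ip, $nfw_example_entry ) ) {
            define( 'NFW_UWL', true );
            return 'ALLOW'; // whitelist
        }
    }
}
```

Behind a reverse proxy or CDN, REMOTE_ADDR holds the proxy's address rather than the client's, so an allow rule keyed on it would then cover every visitor arriving through that proxy.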