Support » Plugin: Wordfence Security - Firewall & Malware Scan » False positive for Persistent XSS from mobile access

  • Resolved webby1973

    (@webby1973)


    Hello,

A client of mine is being blocked with a “403 error forbidden” when visiting her website using an Android mobile or a tablet.
    The block reason I see in the Live Traffic window is:
    =====================================================================
    blocked by firewall for Total Security <= 3.3.8 – Persistent XSS at [x]
    11/1/2019 16:12:40
    IP: 93.148.x Hostname: x.vodafonedsl.it
    Human/Bot: Bot
    Browser: Chrome version 64.0 running on Android
    Mozilla/5.0 (Linux; Android 7.0; SM-T585 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.137 Safari/537.36
    =====================================================================

    So why is this visit counted as a bot, instead of human?
    And what is exactly the Persistent XSS protection looking for?

I can’t whitelist her IP because it’s not a static one.

    Thank you!

Viewing 7 replies - 1 through 7 (of 7 total)
  • wfdave

    (@wfdave)

    Hi @webby1973,

    I believe this is a rule in an older version of Wordfence, so can you try updating Wordfence? Also check if Total Security is updated to the latest version (which is 3.4.8 at the time of writing).

    If it still doesn’t work, you can manually disable this rule by going into Wordfence -> All Options, and scrolling down until you see that specific rule.

    For example: https://i.imgur.com/v6zWp5C.png

    Dave

    Thread Starter webby1973

    (@webby1973)

    Hi @wfdave ,

    Wordfence is already 7.1.20 (1546968199) and previously it was always kept updated.
    What’s Total Security?

I manually disabled that firewall rule, but I’d like to know what it was about and why it blocked only when visiting the website (not trying to log in) with some mobile devices. I’m asking because I manage other websites with almost the same Wordfence configuration and would like to be sure there are no other false positive blockings.

    Thank you very much!

    wfdave

    (@wfdave)

    Hi again!

    The rule violation that she was blocked for is an exploit with the Total Security plugin. Seeing as you do not have that plugin installed, you won’t need protections against it.

    My guess is that her IP (which is a shared mobile IP owned by Vodafone Italy) was blocked because an attacker with the same IP used it to attempt to exploit websites.

    Dave

    Thread Starter webby1973

    (@webby1973)

    Hi Dave @wfdave ,

I have the same settings on other websites; I’m going to disable that rule because I think it leads to too many false positives.
    One question, here: https://www.wordfence.com/help/firewall/options/?utm_source=plugin&utm_medium=pluginUI&utm_campaign=docsIcon#rules
    there is no mention of the rule matching an IP, and it’s not smart to block dynamic IPs especially from mobile networks, so can you please clarify?

I think the WAF rules should match only a specific attack, not caring about the IP; that is the job of another setting.
Or there should be a general on/off setting to enable the firewall for attacks on plugins that aren’t installed, and the IP would be throttled and not blocked to minimize wrong blockings, IMHO.

    wfdave

    (@wfdave)

    A lot of the time, an attacker may try various different exploits to try to see if your site is vulnerable.

    So if we don’t immediately block the IP addresses of attackers who attempt exploits, they can just keep trying to get into your site.

Unfortunately, this means that people who are on publicly shared IP addresses will find that their access to a lot of different websites is blocked for no reason.

    You can change the setting for how long an IP is blocked for to a lower value:

    1. Go to Wordfence -> All Options -> Rate Limiting
    2. How long is an IP address blocked when it breaks a rule -> 5 minutes

    Dave

    Thread Starter webby1973

    (@webby1973)

    Hi Dave, but in this case there was no attack at all! And the IPs involved were blocked not just 1 time, but many times on different days. So it must be something wrong with the Wordfence global network, not my website setting.

It’s a bit unusual that an attacker is on mobile… botnets are from hacked servers with static IPs (such as 139.180.193.19, which is trying to exploit a contact form thousands of times).
    You wrote “My guess is that her IP (which is a shared mobile IP owned by Vodafone Italy) was blocked because an attacker with the same IP used it to attempt to exploit websites”, now where did Wordfence compare that IP to the current normal visit to the website to decide to block it?

    Thank you.

    wfdave

    (@wfdave)

    Hi again,

    I think it may be due to Wordfence’s global network.

Can you try going into Wordfence -> All Options and disabling Participate in the Real-Time Wordfence Security Network?

Wordfence gathers IPs from other websites’ attack data to determine if an IP may be owned by a botnet. A shared mobile IP that was used to attack a different website also using Wordfence will be blocked from accessing your site (unless you disable the above option).

    Dave
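The thread turns on two separate block causes (a rule for a plugin that is not even installed, and IP reputation on a shared mobile address), which is exactly what a site owner has to untangle when reviewing Live Traffic. The following triage helper is an added example, not Wordfence’s code; it assumes a Live Traffic entry in the shape quoted at the top of the thread (the sample below is constructed from that entry) and a hand-maintained map of installed plugin versions:

```python
import re

# Constructed sample, shaped like the Live Traffic entry quoted in the thread
# (IP and hostname partly masked, as in the original post).
SAMPLE_ENTRY = """\
blocked by firewall for Total Security <= 3.3.8 – Persistent XSS at [x]
11/1/2019 16:12:40
IP: 93.148.x Hostname: x.vodafonedsl.it
Human/Bot: Bot
Browser: Chrome version 64.0 running on Android
Mozilla/5.0 (Linux; Android 7.0; SM-T585 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.137 Safari/537.36
"""

# The reason line names the targeted plugin, the vulnerable version range and the attack class.
RULE_RE = re.compile(r"blocked by firewall for (?P<plugin>.+?) <= (?P<max_version>[\d.]+) [–-] (?P<attack>.+?) at ")
FIELD_RE = re.compile(r"IP: (?P<ip>\S+) Hostname: (?P<host>\S+)")

def version_tuple(v):
    return tuple(int(p) for p in v.split("."))

def parse_entry(text):
    """Pull block reason, IP/hostname, Human/Bot verdict and User-Agent out of one entry."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    rule = RULE_RE.search(lines[0])
    fields = FIELD_RE.search(text)
    if rule is None or fields is None:
        raise ValueError("unrecognised Live Traffic entry")
    verdict = next((ln.split(": ", 1)[1] for ln in lines if ln.startswith("Human/Bot:")), "")
    return {"plugin": rule["plugin"], "max_version": rule["max_version"], "attack": rule["attack"],
            "ip": fields["ip"], "host": fields["host"], "human_bot": verdict, "user_agent": lines[-1]}

def triage(entry, installed_plugins):
    """Return reasons this block deserves a second look. installed_plugins maps name -> version."""
    notes = []
    version = installed_plugins.get(entry["plugin"])
    if version is None:
        notes.append(f"rule targets '{entry['plugin']}', which is not installed; the site is not exposed to it")
    elif version_tuple(version) > version_tuple(entry["max_version"]):
        notes.append(f"installed {entry['plugin']} {version} is newer than the vulnerable range <= {entry['max_version']}")
    if entry["human_bot"] == "Bot" and re.search(r"Android|iPhone|Mobile", entry["user_agent"]):
        notes.append("mobile browser User-Agent classified as Bot (UA is spoofable, so check the IP's request history)")
    if re.search(r"dsl|mobile|dynamic|pool", entry["host"], re.I):
        notes.append(f"hostname {entry['host']} looks like a consumer/mobile ISP range, where reputation blocks hit shared addresses")
    return notes
```

Each note is a prompt for review, not a verdict: a rule hit on a plugin you do not run is noise for your site, but the same request may still be a probe worth keeping in the rate-limiting picture.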

  • The topic ‘False positive for Persistent XSS from mobile access’ is closed to new replies.