On a sizeable site, for the third time now, we’re seeing this type of attack:
- A request to `GET /rest/V1/cmsBlock/search` to find out some block IDs.
- A few minutes later there is a `PUT /rest/V1/cmsBlock/123` to insert some script into a block.
These steps come from the same IP address, which is not seen for any other request, so how are they authenticating? Each attack is a new IP address, so an IP filter will not be enough.
To mitigate, we’ve removed all integrations, so it should not be possible to access without logging in as an admin first. 2FA is enabled. All passwords have been reset each time. User roles have been restricted a bit, but we cannot lock down CMS completely or else the admin staff won’t be able to do their job. Magento version is 2.4.6-p6. The newer version has a fix for remote execution, but this looks more like a CSRF problem, so upgrading to p7 might not help here.
I’m using rewrite rules to deny certain paths but can already think of plenty of workarounds that might occur. I cannot simply block all paths that start with /rest/ because that would break the site. Are there ways to control API use without turning off entire parts?
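The two-step pattern described in the question (a `cmsBlock/search` followed minutes later by a write to `cmsBlock/<id>` from the same IP) is easy to correlate in the web server access log. The script below is an added example, not part of the original post or of Magento itself; it assumes combined-format access log lines and uses constructed sample entries, and the 15-minute window is an assumed threshold.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2024:10:01:05 +0000] "GET /rest/V1/cmsBlock/search?searchCriteria[pageSize]=50 HTTP/1.1" 200 1843 "-" "python-requests/2.31"
198.51.100.7 - - [12/May/2024:10:01:20 +0000] "GET /customer/account/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2024:10:04:41 +0000] "PUT /rest/V1/cmsBlock/123 HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.7 - - [12/May/2024:10:05:02 +0000] "GET /rest/V1/cmsBlock/search HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SEARCH_PATH = "/rest/V1/cmsBlock/search"
WRITE_RE = re.compile(r"^/rest/V1/cmsBlock/\d+$")  # PUT/POST to a single block id


def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]
    return m["ip"], ts, m["method"], path, int(m["status"])


def find_block_tampering(log_text, window=timedelta(minutes=15)):
    """Return (ip, search_ts, write_ts, path) for every successful PUT/POST to a
    CMS block that follows a cmsBlock/search from the same IP within `window`."""
    last_search = {}  # ip -> timestamp of its most recent block search
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "GET" and path == SEARCH_PATH:
            last_search[ip] = ts
        elif method in ("PUT", "POST") and WRITE_RE.match(path) and status < 400:
            seen = last_search.get(ip)
            if seen is not None and ts - seen <= window:
                hits.append((ip, seen, ts, path))
    return hits


if __name__ == "__main__":
    for ip, seen, ts, path in find_block_tampering(SAMPLE_LOG):
        print(f"{ip}: search at {seen:%H:%M:%S}, write to {path} at {ts:%H:%M:%S}")
```

Only the IP that both enumerated blocks and then wrote to one is reported; the legitimate search from the second IP produces no hit because it was never followed by a write.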