Shippo API – Connect to WooCommerce 403 error


Viewing 15 posts - 1 through 15 (of 16 total)
    #32178
    SmartphonePros
    Participant

    Hi, I am trying to enable another website to connect to my woocommerce for shipping labels and am getting the following error

    [403 GET Request: January 16, 2017 - 12:40 am]
    BPS: .54.2
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 54.196.34.67
    Host Name: ec2-54-196-34-67.compute-1.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/plugins/woocommerce/readme.txt
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36

    I have added the IP addresses to the CUSTOM CODE WPADMIN TOP: section however this does not seem to be working. Please let me know the proper way to allow this connection.

    Thank you.

    #32179
    AITpro Admin
    Keymaster

    Please explain in full specific detail what you are trying to do.  Example:  Trying to do X from websiteA.com and connect to websiteB.com to do Y.  Please explain how and why you are doing this.  Include any/all other exact specific details to describe the problem.

    #32180
    SmartphonePros
    Participant

    I am using a website called goshippo to connect to my website smartphonepros.com and set up their API. Their support article is here https://support.goshippo.com/hc/en-us/articles/207450406-How-do-I-connect-Shippo-to-my-WooCommerce-store where they describe the settings that will be managed by connecting.

    I need to be logged into my website admin while I authorize this service, and their app will do all of the API setup automatically. When I put in my login and hit Submit it gives me the error message “Your WooCommerce store is invalid. We only support WooCommerce shops starting at version 2.4”; however, my plugins are all updated, so I thought that goshippo is not reading my site as it needs to, and then when I checked the BPS logs I see that the woocommerce readme.txt is being blocked from them reading.

    Thank you again!

    #32181
    AITpro Admin
    Keymaster

    The forum topic title has been changed to accurately reflect the focus/subject of this topic

    I don’t think the Security Log entry has anything to do with Shippo or the problem.  Do BPS Troubleshooting steps #1 and #2 to confirm or eliminate the BPS is blocking the Shippo REST API connection to your site:  https://forum.ait-pro.com/forums/topic/read-me-first-free/#bps-free-general-troubleshooting

    #38266
    happyday
    Participant

    Hello, I am also having difficulties getting orders to sync between my wordpress website and shippo account. I followed the troubleshooting guide you linked above (steps #1 and #2). When deactivating the Root Folder BulletProof Mode (RBM), the orders will import. From there, I removed all of the custom codes and then saved and reactivated. The Shippo orders would no longer import, even with all of them removed. It seems like something in the base .htaccess code is what’s causing the problem. Is there a way to fix this so the orders can sync? Thanks!

    #38268
    AITpro Admin
    Keymaster

    @ happyday – check the Security Log and post the Security Log entry that shows what is being blocked.

    #38273
    happyday
    Participant

    This is the only log entry from around the time I was testing (see below). I contacted Shippo as well and they said they are receiving a 403 error on their end.

    [403 POST Request: November 23, 2019 - 8:25 pm]
    BPS: 3.2
    WP: 5.3
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: GDPR Compliance On
    Host Name: jupiter.globalhostingservers.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: GDPR Compliance On
    HTTP_FORWARDED: GDPR Compliance On
    HTTP_X_FORWARDED_FOR: GDPR Compliance On
    HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /xmlrpc.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
    REQUEST BODY: BPS Security Log option set to: Do Not Log POST Request Body Data

    #38275
    AITpro Admin
    Keymaster

    @ happyday – Here is a Shippo troubleshooting page > https://support.goshippo.com/hc/en-us/articles/360024612052 It does not tell me how Shippo is making the connection besides just general info that it connects via the WordPress REST API. There are other troubleshooting steps that you should double check.

    Try this next and let me know what happens:
    1. Copy the htaccess code below into this BPS Root Custom Code text box: 12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS.
    2. Click the Save Root Custom Code button.
    3. Go to the Security Modes page and click the Root folder BulletProof Mode Activate button.
    4. Test your Shippo connection.

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker. 
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS

    #38276
    happyday
    Participant

    Thank you, it looks like this worked! Below is the code I originally had in BPS Root Custom Code text box: 12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS. Will I be more vulnerable to attacks without it or is there a way to make an exception for Shippo only?

    [AITpro Admin – BPS Query Exploits htaccess code checked and removed]

    #38277
    AITpro Admin
    Keymaster

    @ happyday – I just wanted to isolate the exact htaccess code that was causing the block in the Shippo connection.  Ok so at this point what you want to do since there is not a Security Log entry that shows exactly what is being blocked – is to comment out the BPS Query String Exploits lines of code until you find the exact security rule or rules that are causing the block. I’m not really sure how Shippo does what it does. So start with commenting out the HTTP_USER_AGENT security rule by adding a # sign in front of it (as shown below) and then work your way down through the security rules until you find the rule or rules that are blocking the Shippo connection.

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker.
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    #RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS

    #38475
    happyday
    Participant

    Sorry for the long delay, I ran into some other hiccups on my site that needed to be addressed before continuing this.

    I managed to isolate the .htaccess code that is blocking my orders from syncing with Shippo:

    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]

    I have it commented out so everything is working now. Would it be better to leave it commented out or should I modify the condition in some way so that it can still be used?

    Thanks!

    #38477
    AITpro Admin
    Keymaster

    @ happyday – It is perfectly safe to comment out that security rule. It is actually more of a nuisance rule vs a security rule.

    1. You want to copy the entire section of the Query String Exploits code below with the security rule commented out into this Root Custom Code text box: 12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS.
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Setup Wizard page and run the Pre-Installation Wizard and Setup Wizard. If you have the BPS free plugin then just run the Setup Wizard.

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker.
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    #RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS
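As an added example (not code from this thread or from the BulletProof Security plugin), the Python script below models the rule-isolation procedure from post #38277 and the final "comment out one rule" fix from post #38477. It holds a subset of the BPSQSE RewriteCond rules quoted above as regexes, reports which rules would match a given request (so you can see the blocking rule without editing .htaccess repeatedly), and renders the block back out with chosen rules commented. Everything about the sample requests is constructed: the thread only shows that Shippo's client tripped the first HTTP_USER_AGENT rule, so the `python-requests` User-Agent and the `/wp-json/wc/v3/orders` route are assumptions standing in for a REST client. Python's `re` is close to Apache's PCRE for these patterns, but confirm the result against the real server afterwards.

```python
import re

# Subset of the BPSQSE RewriteCond rules quoted in the thread, as
# (server variable, regex, case-insensitive?). Apache OR-chains them, so one
# match makes "RewriteRule ^(.*)$ - [F]" answer 403. This is a model of the
# rules, not the plugin's own matcher.
BPSQSE_RULES = [
    ("HTTP_USER_AGENT", r"(havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader)", True),
    ("HTTP_USER_AGENT", r"(%0A|%0D|%27|%3C|%3E|%00)", True),
    ("HTTP_USER_AGENT", r"""(;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner)""", True),
    ("THE_REQUEST", r"etc/passwd", True),
    ("THE_REQUEST", r"cgi-bin", True),
    ("QUERY_STRING", r"(\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/)", True),
    ("QUERY_STRING", r"(\<|%3C).*script.*(\>|%3E)", True),
    ("QUERY_STRING", r"union([^s]*s)+elect", True),
    ("QUERY_STRING", r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", False),
    ("QUERY_STRING", r"(localhost|loopback|127\.0\.0\.1)", True),
    ("QUERY_STRING", r"(sp_executesql)", True),
]


def matching_rules(request, rules=BPSQSE_RULES, disabled=()):
    """Return the indexes of rules that match this request.

    `request` maps Apache server variables (HTTP_USER_AGENT, QUERY_STRING, ...)
    to their values; `disabled` plays the role of a leading '#' on a rule line.
    """
    hits = []
    for idx, (var, pattern, nocase) in enumerate(rules):
        if idx in disabled:
            continue
        value = request.get(var, "")
        if re.search(pattern, value, re.IGNORECASE if nocase else 0):
            hits.append(idx)
    return hits


def is_blocked(request, rules=BPSQSE_RULES, disabled=()):
    """True when the OR-chained conditions would trigger the [F] (403) rule."""
    return bool(matching_rules(request, rules, disabled))


def render_custom_code(rules=BPSQSE_RULES, disabled=()):
    """Emit the block in .htaccess form with the chosen rules commented out,
    keeping [OR] on every active condition except the last one."""
    lines = ["# BEGIN BPSQSE BPS QUERY STRING EXPLOITS"]
    active = [i for i in range(len(rules)) if i not in disabled]
    for idx, (var, pattern, nocase) in enumerate(rules):
        flags = ["NC"] if nocase else []
        if active and idx != active[-1]:
            flags.append("OR")
        prefix = "#" if idx in disabled else ""
        suffix = f" [{','.join(flags)}]" if flags else ""
        lines.append(f"{prefix}RewriteCond %{{{var}}} {pattern}{suffix}")
    lines.append("RewriteRule ^(.*)$ - [F]")
    lines.append("# END BPSQSE BPS QUERY STRING EXPLOITS")
    return "\n".join(lines)


# Constructed sample requests (not copied from the thread's Security Log).
# The API client's User-Agent and route are assumptions, see the lead-in.
BROWSER_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36")
SAMPLE_REQUESTS = {
    "api_client": {  # a REST client whose UA contains "python": hits rule 0 only
        "HTTP_USER_AGENT": "python-requests/2.22.0",
        "THE_REQUEST": "GET /wp-json/wc/v3/orders HTTP/1.1",
        "REQUEST_URI": "/wp-json/wc/v3/orders",
        "QUERY_STRING": "",
        "HTTP_REFERER": "",
    },
    "browser": {  # an ordinary page view: no rule should fire
        "HTTP_USER_AGENT": BROWSER_UA,
        "THE_REQUEST": "GET /shop/ HTTP/1.1",
        "REQUEST_URI": "/shop/",
        "QUERY_STRING": "",
        "HTTP_REFERER": "",
    },
    "traversal_probe": {  # the kind of request the block exists to stop
        "HTTP_USER_AGENT": BROWSER_UA,
        "THE_REQUEST": "GET /index.php?file=../../etc/passwd HTTP/1.1",
        "REQUEST_URI": "/index.php",
        "QUERY_STRING": "file=../../etc/passwd",
        "HTTP_REFERER": "",
    },
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name}: blocked={is_blocked(req)} by rules {matching_rules(req)}")
    # The thread's fix: disable rule 0, keep everything else active.
    print(render_custom_code(disabled={0}))
```

Run it as-is to see that the constructed API client is caught only by the first User-Agent rule, that disabling that one rule lets it through while the traversal probe is still refused, and that the rendered block matches the shape of the custom code in post #38477 (a `#` in front of the disabled line, `[NC,OR]` on the rest, `[NC]` on the last condition).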

    #38480
    happyday
    Participant

    Ok great, thank you so much!

    #38824
    coen
    Participant

    Hi,

    I’ve saved the custom code BEGIN BPSQSE BPS QUERY STRING EXPLOITS text in box: 12
    Commented out the security rule:

    #RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]

    Run the setup wizard.
    This deleted the Whitelist options!!!
    Got them saved again.

    Whitelist options:

    /thrive-apprentice/js/spectrum/spectrum.js, /thrive-apprentice/admin/js/dist/tva-admin.min.js, /thrive-product-manager/js/dist/tpm-admin.min.js, /thrive-apprentice/tcb-bridge/assets/js/tva-tcb-frontend.js, /thrive-visual-editor/editor/js/dist/frontend.min.js, /thrive-visual-editor/editor/js/dist/gutenberg.min.js, /thrive-visual-editor/editor/js/dist/admin.min.js, /thrive-visual-editor/editor/js/libs/moment.min.js, /thrive-visual-editor/editor/js/libs/jquery.scrollbar.min.js, /thrive-visual-editor/editor/js/dist/main.min.js, /thrive-leads/js/tcb-editor.js, /thrive-apprentice/js/dist/frontend.min.js, /thrive-apprentice/js/dist/jquery.scrollbar.js, /thrive-apprentice/x.php, /thrive-visual-editor/thrive-dashboard/js/dist/frontend.min.js, /thrive-visual-editor/editor/js/libs/dom-to-image.min.js, /thrive-visual-editor/editor/js/dist/editor.min.js, /thrive-visual-editor/editor/js/dist/froala.min.js, /thrive-visual-editor/editor/js/libs/lazyload.min.js, /thrive-apprentice/tcb-bridge/assets/js/tva-tcb-internal.js

    And then got the PHP Error:

    [01-Apr-2020 18:25:47 UTC] WordPress database error Column 'card_expires_at' cannot be null for query INSERT INTO swus_tva_transactions (order_id, transaction_id, currency, price, price_gross, gateway_fee, transaction_type, gateway, card_last_4_digits, card_expires_at, created_at) VALUES (63, '8DS69470JF9494340', 'USD', '0.50', '0.50', '0.32', 1, 'PayPal', NULL, NULL, '2020-04-01 18:25:47') made by TVA_Payment_Service::create, TVA_Payment_Gateway_Abstract->__construct, TVA_SendOwl_Payment_Gateway->process_notification, TVA_SendOwl_Payment_Gateway->create_transaction_entry, TVA_Transaction->save

    What can I do next to make it work?

    Thanks,
    Coen

    #38825
    AITpro Admin
    Keymaster

    @ coen – You can simply just copy the Query String Exploits code above and then do the rest of the steps. With all this stressful stuff going on everything seems 10 times more difficult than normal right. 😉

    The PHP Error most likely has to do with a value (form entry) somewhere that needs to be inputted (added) somewhere.  The PHP Error is telling you that a value cannot be NULL and if you look at this line in the error message below you can see two NULL values. In layman’s terms just probably means that you need to fill out some form entries somewhere with the TVA SendOwl Payment Gateway plugin. Using some common sense logic since I’ve never used that plugin. So yeah probably just need to fill out some form entries somewhere.

    created_at
    ) VALUES (63, '8DS69470JF9494340', 'USD', '0.50', '0.50', '0.32', 1, 'PayPal', NULL, NULL, '2020-04-01 18:25:47') made by TVA_Payment_Service::create, TVA_Payment_Gateway_Abstract->__construct, TVA_SendOwl_Payment_Gateway->process_notification, TVA_SendOwl_Payment_Gateway->create_transaction_entry, TVA_Transaction->save