Shippo API – Connect to WooCommerce 403 error


This topic contains 9 replies, has 3 voices, and was last updated by AITpro Admin 1 week, 5 days ago.

    #32178

    SmartphonePros
    Participant

    Hi, I am trying to enable another website to connect to my WooCommerce for shipping labels and am getting the following error:

    [403 GET Request: January 16, 2017 - 12:40 am]
    BPS: .54.2
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 54.196.34.67
    Host Name: ec2-54-196-34-67.compute-1.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/plugins/woocommerce/readme.txt
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36

    I have added the IP addresses to the CUSTOM CODE WPADMIN TOP: section; however, this does not seem to be working. Please let me know the proper way to allow this connection.

    Thank you.

    #32179

    AITpro Admin
    Keymaster

    Please explain in full specific detail what you are trying to do. Example: Trying to do X from websiteA.com and connect to websiteB.com to do Y. Please explain how and why you are doing this. Include any/all other exact specific details to describe the problem.

    #32180

    SmartphonePros
    Participant

    I am using a website called goshippo to connect to my website smartphonepros.com and set up their API. Their support article is here https://support.goshippo.com/hc/en-us/articles/207450406-How-do-I-connect-Shippo-to-my-WooCommerce-store where they describe the settings that will be managed by connecting.

    I need to be logged into my website admin while I authorize this service, and their app will do all of the API setup automatically. When I put in my login and hit Submit it gives me the error message “Your WooCommerce store is invalid. We only support WooCommerce shops starting at version 2.4”; however, my plugins are all updated, so I thought that goshippo is not reading my site as it needs to, and when I checked the BPS logs I saw that they are being blocked from reading the woocommerce readme.txt.

    Thank you again!

    #32181

    AITpro Admin
    Keymaster

    The forum topic title has been changed to accurately reflect the focus/subject of this topic.

    I don’t think the Security Log entry has anything to do with Shippo or the problem. Do BPS Troubleshooting steps #1 and #2 to confirm or eliminate whether BPS is blocking the Shippo REST API connection to your site: https://forum.ait-pro.com/forums/topic/read-me-first-free/#bps-free-general-troubleshooting

    #38266

    happyday
    Participant

    Hello, I am also having difficulties getting orders to sync between my wordpress website and shippo account. I followed the troubleshooting guide you linked above (steps #1 and #2). When deactivating the Root Folder BulletProof Mode (RBM), the orders will import. From there, I removed all of the custom codes and then saved and reactivated. The Shippo orders would no longer import, even with all of them removed. It seems like something in the base .htaccess code is what’s causing the problem. Is there a way to fix this so the orders can sync? Thanks!

    #38268

    AITpro Admin
    Keymaster

    @ happyday – check the Security Log and post the Security Log entry that shows what is being blocked.

    #38273

    happyday
    Participant

    This is the only log entry from around the time I was testing (see below). I contacted Shippo as well and they said they are receiving a 403 error on their end.

    [403 POST Request: November 23, 2019 - 8:25 pm]
    BPS: 3.2
    WP: 5.3
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: GDPR Compliance On
    Host Name: jupiter.globalhostingservers.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: GDPR Compliance On
    HTTP_FORWARDED: GDPR Compliance On
    HTTP_X_FORWARDED_FOR: GDPR Compliance On
    HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /xmlrpc.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
    REQUEST BODY: BPS Security Log option set to: Do Not Log POST Request Body Data

    #38275

    AITpro Admin
    Keymaster

    @ happyday – Here is a Shippo troubleshooting page > https://support.goshippo.com/hc/en-us/articles/360024612052 It does not tell me how Shippo is making the connection besides just general info that it connects via the WordPress REST API. There are other troubleshooting steps that you should double check.

    Try this next and let me know what happens:
    1. Copy the htaccess code below into this BPS Root Custom Code text box: 12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS.
    2. Click the Save Root Custom Code button.
    3. Go to the Security Modes page and click the Root folder BulletProof Mode Activate button.
    4. Test your Shippo connection.

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker. 
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS

    #38276

    happyday
    Participant

    Thank you, it looks like this worked! Below is the code I originally had in BPS Root Custom Code text box: 12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS. Will I be more vulnerable to attacks without it or is there a way to make an exception for Shippo only?

    [AITpro Admin – BPS Query Exploits htaccess code checked and removed]

    #38277

    AITpro Admin
    Keymaster

    @ happyday – I just wanted to isolate the exact htaccess code that was causing the block in the Shippo connection. Ok so at this point what you want to do since there is not a Security Log entry that shows exactly what is being blocked – is to comment out the BPS Query String Exploits lines of code until you find the exact security rule or rules that are causing the block. I’m not really sure how Shippo does what it does. So start with commenting out the HTTP_USER_AGENT security rule by adding a # sign in front of it (as shown below) and then work your way down through the security rules until you find the rule or rules that are blocking the Shippo connection.

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker.
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    #RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS
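The rule-by-rule elimination described in the two AITpro Admin posts above can be done offline instead of by editing the live .htaccess file: take the server variables a BPS Security Log entry records, rebuild THE_REQUEST from them, and test each BPSQSE RewriteCond against them to see which condition would fire. The script below is an added example and is not code from BulletProof Security or Shippo. It assumes a constructed log entry in the format shown in this thread (the IP, host name, URI and user agent are made up), uses only a subset of the BPSQSE conditions posted above, approximates Apache's PCRE matching with Python's re module, and assumes the logged REQUEST_URI excludes the query string (BPS logs QUERY_STRING separately).

```python
import re

# Constructed BPS Security Log entry in the layout used in this thread.
# All values are made up for the example; it is not the poster's traffic.
SAMPLE_LOG = """[403 GET Request: November 23, 2019 - 8:25 pm]
BPS: 3.2
WP: 5.3
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 203.0.113.10
Host Name: example.invalid
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-json/wc/v3/orders
QUERY_STRING: per_page=50&after=2019-11-01T00:00:00
HTTP_USER_AGENT: python-requests/2.22.0
"""

# Subset of the BPSQSE conditions from the post above, as
# (server variable, regex, case-insensitive [NC] flag present).
# Every condition in the block is chained with [OR], so one hit is enough for the [F] rule.
BPSQSE_RULES = [
    ("HTTP_USER_AGENT", r"(havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader)", True),
    ("HTTP_USER_AGENT", r"(%0A|%0D|%27|%3C|%3E|%00)", True),
    ("THE_REQUEST", r"etc/passwd", True),
    ("THE_REQUEST", r"cgi-bin", True),
    ("HTTP_REFERER", r"(%0A|%0D|%27|%3C|%3E|%00)", True),
    ("QUERY_STRING", r"[a-zA-Z0-9_]=(http|https)://", True),
    ("QUERY_STRING", r"(\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/)", True),
    ("QUERY_STRING", r"(http|https)\:", True),
    ("QUERY_STRING", r"(\<|%3C).*script.*(\>|%3E)", True),
    ("QUERY_STRING", r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", False),
    ("QUERY_STRING", r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", False),
    ("QUERY_STRING", r"(NULL|OUTFILE|LOAD_FILE)", False),
    ("QUERY_STRING", r"(localhost|loopback|127\.0\.0\.1)", True),
    ("QUERY_STRING", r"union([^s]*s)+elect", True),
    ("QUERY_STRING", r"(sp_executesql)", True),
]


def parse_bps_log_entry(text):
    """Turn one 'KEY: value' BPS log entry into a dict of server variables."""
    server_vars = {}
    for line in text.splitlines():
        if line.startswith("[") or ":" not in line:
            continue  # the bracketed header line carries no server variable
        key, _, value = line.partition(":")
        server_vars[key.strip()] = value.strip()
    # mod_rewrite's THE_REQUEST is the raw request line, which BPS does not log;
    # rebuild it from method, URI, query string and protocol (assumption: REQUEST_URI has no query).
    qs = server_vars.get("QUERY_STRING", "")
    target = server_vars.get("REQUEST_URI", "") + ("?" + qs if qs else "")
    server_vars["THE_REQUEST"] = "%s %s %s" % (
        server_vars.get("REQUEST_METHOD", ""), target, server_vars.get("SERVER_PROTOCOL", ""))
    return server_vars


def matching_rules(server_vars, rules=BPSQSE_RULES, disabled=()):
    """Return (index, variable, pattern) for every condition that matches the request.

    `disabled` holds indexes of conditions you have commented out with a leading '#'."""
    hits = []
    for index, (var, pattern, nocase) in enumerate(rules):
        if index in disabled:
            continue
        flags = re.IGNORECASE if nocase else 0
        if re.search(pattern, server_vars.get(var, ""), flags):
            hits.append((index, var, pattern))
    return hits


def would_block(server_vars, rules=BPSQSE_RULES, disabled=()):
    """True if the ORed condition chain matches, i.e. RewriteRule ^(.*)$ - [F] would answer 403."""
    return bool(matching_rules(server_vars, rules, disabled))


if __name__ == "__main__":
    entry = parse_bps_log_entry(SAMPLE_LOG)
    for index, var, pattern in matching_rules(entry):
        print("rule %d on %%{%s} matches: %s" % (index, var, pattern))
    print("blocked:", would_block(entry))
    print("blocked with the HTTP_USER_AGENT rule commented out:", would_block(entry, disabled={0}))
```

For the constructed entry only the first HTTP_USER_AGENT condition fires (its list contains `python`), which is exactly the line the admin suggests commenting out first; with that index in `disabled` the request passes. A practical check before editing rules is to run every 403 entry from the log through `matching_rules` and disable only the conditions that actually hit your integration's requests, rather than dropping the whole BPSQSE block.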