Topic: Ninja Forms – 403 error | BulletProof Security Forum

Ninja Forms – 403 error

This topic has 24 replies, 2 voices, and was last updated 5 years, 1 month ago by Rob B.

Viewing 15 posts - 1 through 15 (of 25 total)

1 2 →

Author

Posts
March 3, 2019 at 1:14 pm #36916
Rob B
Participant
Website is using Ninja Forms with PayPal Express. Most purchases go through but when an error occurs then the person is blocked from the website.
```
[403 GET Request: March 2, 2019 3:24 am]
BPS: 3.3
WP: 5.0.3
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 47.xx.xx.xx
Host Name: 047-024-192-055.res.spectrum.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://www.paypal.com/webscr?cmd=_express-checkout&token=EC-9xxxxxxxxxxxxxT&useraction=commit
REQUEST_URI: /art/art-in-the-park-artist-registration-apr-13-2019/?nf_resume=55&nfpe_checkout=success&token=EC-9T124165M1687513T&PayerID=G5GG5RGDMVXAN
QUERY_STRING: nf_resume=55&nfpe_checkout=success&token=EC-9T124165M1687513T&PayerID=G5GG5RGDMVXAN
HTTP_USER_AGENT: Mozilla/5.0 (Linux; Android 8.0.0; SAMSUNG-SM-G935A) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.105 Mobile Safari/537.36
```
March 4, 2019 at 8:36 am #36919
AITpro Admin
Keymaster

The way BPS security features/rules work is that if BPS is blocking something then it will always block whatever is being blocked consistently until a fix/solution is created. BPS does not intermittently block things because that is not how the security rules work. In other words, it is an “all or nothing” thing. So either the problem is occurring because of things that do cause intermittent problems > php memory/cache/caching plugins/CDN’s/VPN’s/Proxy’s/Load Balancers/Host server problems (new security measures added on Host server (Mod Security, etc.), DNS server/DNS configuration problem, MySQL server timeout, server overloaded, etc.), /Browser problems (corrupt cache, Sessions, Cookies, add-on, extension)/ISP (connectivity)/CloudFlare, Incapsula, etc. Or what appears to be a failed/blocked purchase is not really a failed/blocked purchase. Or the problem is specific to mobile devices > The 403 error shows that the User Agent is a mobile device (Linux; Android 8.0.0; SAMSUNG-SM-G935A). Or you have Mod Security enabled in you web host control panel and Mod Security is blocking mobile devices and BPS Security Logging is logging that Mod Security 403 error. Or of course this could be a bot or spammer/hacker that should be blocked and not a failed transaction/purchase.

Post a link/URL to your website so I can run some tests using a mobile device to see if the problem is isolated to mobile devices.
March 4, 2019 at 8:54 am #36922
AITpro Admin
Keymaster

The static IP address: 47.24.192.55 in the Security Log entry is for a website on Spectrum ISP. That is a bit odd since the User Agent shows that the Request was made by a Mobile Device. Is the IP address your website IP address on Spectrum?
March 4, 2019 at 11:35 am #36923
Rob B
Participant
URL to website

https://steelvilleartscouncil.org/art/

Their ISP is on Spectrum and they tried a desktop then went to their phone to try to fill out the form.

The phone was using the Spectrum WiFi

They were a legitimate user. They filled out a registration form that required payment from PayPal. PayPal showed an error (unknown what error) then when they were directed back to the site they were blocked..

This has happened 3 or 4 times in the last 2 months. Just now was able to get someone to walk me through their actions and resulting errors. So I know the errors are the ones for this particular user.

Below is the log file that is associated with the user.
```
[403 GET Request: March 2, 2019 3:24 am]
BPS: 3.3
WP: 5.0.3
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 47.24.192.55
Host Name: 047-024-192-055.res.spectrum.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://www.paypal.com/webscr?cmd=_express-checkout&token=EC-9xxxxxxxxxxxxxT&useraction=commit
REQUEST_URI: /art/art-in-the-park-artist-registration-apr-13-2019/?nf_resume=55&nfpe_checkout=success&token=EC-9T124165M1687513T&PayerID=G5GG5RGDMVXAN
QUERY_STRING: nf_resume=55&nfpe_checkout=success&token=EC-9T124165M1687513T&PayerID=G5GG5RGDMVXAN
HTTP_USER_AGENT: Mozilla/5.0 (Linux; Android 8.0.0; SAMSUNG-SM-G935A) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.105 Mobile Safari/537.36

[403 GET Request: March 2, 2019 3:26 am]
BPS: 3.3
WP: 5.0.3
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 47.24.192.55
Host Name: 047-024-192-055.res.spectrum.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /art/
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Linux; Android 8.0.0; SAMSUNG-SM-G935A) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.105 Mobile Safari/537.36

[403 GET Request: March 2, 2019 3:26 am]
BPS: 3.3
WP: 5.0.3
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 47.24.192.55
Host Name: 047-024-192-055.res.spectrum.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /art/
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Linux; Android 8.0.0; SAMSUNG-SM-G935A) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.105 Mobile Safari/537.36

[403 GET Request: March 2, 2019 3:27 am]
BPS: 3.3
WP: 5.0.3
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 47.24.192.55
Host Name: 047-024-192-055.res.spectrum.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://www.google.com/
REQUEST_URI: /art/category/events/
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Linux; Android 8.0.0; SAMSUNG-SM-G935A) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.105 Mobile Safari/537.36

[403 GET Request: March 2, 2019 3:27 am]
BPS: 3.3
WP: 5.0.3
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 47.24.192.55
Host Name: 047-024-192-055.res.spectrum.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://www.google.com/
REQUEST_URI: /art/for-artists/call-for-artists/
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Linux; Android 8.0.0; SAMSUNG-SM-G935A) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.105 Mobile Safari/537.36
```
March 4, 2019 at 11:35 am #36924
Rob B
Participant
Would this rule help?
```
# Example 3: Whitelist PayPal IPN API Script POST Requests
RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
RewriteRule ^(.*)$ - [F]
```
March 4, 2019 at 11:48 am #36925
AITpro Admin
Keymaster

That rule would only work if the exact specific name of your IPN handler file/script was that exact file name. If some payment transactions are going through then it is not a problem with whitelisting a particular file. BPS works in a way that is “all or nothing”. ie all PayPal transactions would fail or be blocked or none of them would be. There is no in-between since that is not the way BPS is designed or the way htaccess security rules work. Static htaccess security rules do not work intermittently since they are rules that your server uses to process things. They either consistently block something 100% of the time or not at all. So you have some sort of intermittent problem that must be caused by some other problem. My gut is telling me that when an error occurs on PayPal and the user is sent back to your website then something in the redirect from PayPal back to your website triggers a 403 error. It would be nice to know what that PayPal error is. I am checking/testing your site now and will let you know if I find anything.
March 4, 2019 at 11:54 am #36926
Rob B
Participant

I agree with your gut feeling.

My gut is telling me that when an error occurs on PayPal and the user is sent back to your website then something in the redirect from PayPal back to your website triggers a 403 error.

The user reported that the 403 started after the PayPal error. I am guessing they got a redirect that triggered the issue.
March 4, 2019 at 11:57 am #36927
AITpro Admin
Keymaster

I was able to successfully reproduce the problem by filling out your Registration form and cancelling the PayPal transaction. So now I am analyzing why the PayPal redirect back to your site is causing the 403 error. Will post a reply when I have figured that out.
March 4, 2019 at 11:59 am #36928
Rob B
Participant

Could not see the error in PayPal as the transaction was not recorded.
March 4, 2019 at 12:04 pm #36929
Rob B
Participant
Is this your entry?
```
[403 GET Request: March 4, 2019 7:55 pm]
BPS: 3.3
WP: 5.1
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 108.213.94.121
Host Name: 108-213-94-121.lightspeed.irvnca.sbcglobal.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://www.paypal.com/webscr?cmd=_express-checkout&token=EC-4VL960529M7110255&useraction=commit
REQUEST_URI: /art/art-in-the-park-artist-registration-apr-13-2019/?nf_resume=55&nfpe_checkout=cancel&token=EC-4VL960529M7110255&country.x=US&locale.x=en_US
QUERY_STRING: nf_resume=55&nfpe_checkout=cancel&token=EC-4VL960529M7110255&country.x=US&locale.x=en_US
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36
```
March 4, 2019 at 12:08 pm #36930
AITpro Admin
Keymaster

Ok so here is where we are at > there is nothing in the Query String of the post back to your website that BPS would block. So what I need you to do now is to login to PayPal and find your “Take customers to this URL when they cancel their checkout” settings and then post the URL that you see. I suspect you may be trying to do some sort of odd redirect that is causing the 403 error because the redirect is seen as an RFI hacking attempt. I could be wrong, but that is the first possibility to eliminate. The other possibilities are that you are doing some sort of forwarding or redirects somewhere else that are causing the URL to be redirected more than once.
March 4, 2019 at 12:10 pm #36931
AITpro Admin
Keymaster

Yes, that was the test PayPal transaction that I did. The Security Log entry does not really tell you what the root problem is because the problem is happening outside of your website or some odd control panel setting or some fubar htaccess redirect code or your PayPal settings are fubar.
March 4, 2019 at 12:18 pm #36932
Rob B
Participant

Return url;

https://steelvilleartscouncil.org/art/thank-you-for-your-purchase/

So nothing there, also this is for successful payments.

Looking more.
March 4, 2019 at 12:24 pm #36933
AITpro Admin
Keymaster

Please post the PayPal URL for failed or cancelled transactions. The BPS 403 error is “after the fact” since the problem is occurring during the redirect back from PayPal on errors or failed transactions. Successful PayPal transactions appear to be fine. So yeah that is where you need to start troubleshooting this PayPal settings problem. My guess is that you have some sort of RFI URL redirect issue going on.
March 4, 2019 at 12:33 pm #36934
Rob B
Participant

Yes we are on the same page.

I will be looking for the failed transaction redirect.
Author

Posts

Viewing 15 posts - 1 through 15 (of 25 total)

1 2 →

You must be logged in to reply to this topic.

BulletProof Security Forum

Ninja Forms – 403 error

Search Forums

Topic Tags