Ninja Forms – 403 error
- This topic has 24 replies, 2 voices, and was last updated 5 years, 1 month ago by Rob B.
Rob B (Participant)
Website is using Ninja Forms with PayPal Express. Most purchases go through but when an error occurs then the person is blocked from the website.
[403 GET Request: March 2, 2019 3:24 am]
BPS: 3.3
WP: 5.0.3
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 47.xx.xx.xx
Host Name: 047-024-192-055.res.spectrum.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://www.paypal.com/webscr?cmd=_express-checkout&token=EC-9xxxxxxxxxxxxxT&useraction=commit
REQUEST_URI: /art/art-in-the-park-artist-registration-apr-13-2019/?nf_resume=55&nfpe_checkout=success&token=EC-9T124165M1687513T&PayerID=G5GG5RGDMVXAN
QUERY_STRING: nf_resume=55&nfpe_checkout=success&token=EC-9T124165M1687513T&PayerID=G5GG5RGDMVXAN
HTTP_USER_AGENT: Mozilla/5.0 (Linux; Android 8.0.0; SAMSUNG-SM-G935A) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.105 Mobile Safari/537.36
AITpro Admin (Keymaster)
The way BPS security features/rules work is that if BPS is blocking something then it will always block whatever is being blocked consistently until a fix/solution is created. BPS does not intermittently block things because that is not how the security rules work. In other words, it is an “all or nothing” thing. So either the problem is occurring because of things that do cause intermittent problems > php memory/cache/caching plugins/CDNs/VPNs/Proxies/Load Balancers/Host server problems (new security measures added on Host server (Mod Security, etc.), DNS server/DNS configuration problem, MySQL server timeout, server overloaded, etc.), /Browser problems (corrupt cache, Sessions, Cookies, add-on, extension)/ISP (connectivity)/CloudFlare, Incapsula, etc. Or what appears to be a failed/blocked purchase is not really a failed/blocked purchase. Or the problem is specific to mobile devices > The 403 error shows that the User Agent is a mobile device (Linux; Android 8.0.0; SAMSUNG-SM-G935A). Or you have Mod Security enabled in your web host control panel and Mod Security is blocking mobile devices and BPS Security Logging is logging that Mod Security 403 error. Or of course this could be a bot or spammer/hacker that should be blocked and not a failed transaction/purchase.
Post a link/URL to your website so I can run some tests using a mobile device to see if the problem is isolated to mobile devices.
AITpro Admin (Keymaster)
The static IP address: 47.24.192.55 in the Security Log entry is for a website on Spectrum ISP. That is a bit odd since the User Agent shows that the Request was made by a Mobile Device. Is the IP address your website IP address on Spectrum?
Rob B (Participant)
URL to website
https://steelvilleartscouncil.org/art/
Their ISP is on Spectrum and they tried a desktop then went to their phone to try to fill out the form.
The phone was using the Spectrum WiFi
They were a legitimate user. They filled out a registration form that required payment from PayPal. PayPal showed an error (unknown what error) then when they were directed back to the site they were blocked.
This has happened 3 or 4 times in the last 2 months. Just now was able to get someone to walk me through their actions and resulting errors. So I know the errors are the ones for this particular user.
Below is the log file that is associated with the user.
[403 GET Request: March 2, 2019 3:24 am]
BPS: 3.3
WP: 5.0.3
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 47.24.192.55
Host Name: 047-024-192-055.res.spectrum.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://www.paypal.com/webscr?cmd=_express-checkout&token=EC-9xxxxxxxxxxxxxT&useraction=commit
REQUEST_URI: /art/art-in-the-park-artist-registration-apr-13-2019/?nf_resume=55&nfpe_checkout=success&token=EC-9T124165M1687513T&PayerID=G5GG5RGDMVXAN
QUERY_STRING: nf_resume=55&nfpe_checkout=success&token=EC-9T124165M1687513T&PayerID=G5GG5RGDMVXAN
HTTP_USER_AGENT: Mozilla/5.0 (Linux; Android 8.0.0; SAMSUNG-SM-G935A) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.105 Mobile Safari/537.36

[403 GET Request: March 2, 2019 3:26 am]
BPS: 3.3
WP: 5.0.3
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 47.24.192.55
Host Name: 047-024-192-055.res.spectrum.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /art/
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Linux; Android 8.0.0; SAMSUNG-SM-G935A) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.105 Mobile Safari/537.36

[403 GET Request: March 2, 2019 3:26 am]
BPS: 3.3
WP: 5.0.3
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 47.24.192.55
Host Name: 047-024-192-055.res.spectrum.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /art/
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Linux; Android 8.0.0; SAMSUNG-SM-G935A) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.105 Mobile Safari/537.36

[403 GET Request: March 2, 2019 3:27 am]
BPS: 3.3
WP: 5.0.3
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 47.24.192.55
Host Name: 047-024-192-055.res.spectrum.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://www.google.com/
REQUEST_URI: /art/category/events/
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Linux; Android 8.0.0; SAMSUNG-SM-G935A) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.105 Mobile Safari/537.36

[403 GET Request: March 2, 2019 3:27 am]
BPS: 3.3
WP: 5.0.3
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 47.24.192.55
Host Name: 047-024-192-055.res.spectrum.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://www.google.com/
REQUEST_URI: /art/for-artists/call-for-artists/
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Linux; Android 8.0.0; SAMSUNG-SM-G935A) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.105 Mobile Safari/537.36
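One way to triage entries like the ones posted above, as an added example that is not part of the original thread and is not BPS code: it parses Security Log text in the format quoted here (including fields run together on one line) and reports, per client IP, what the first 403 was and how many later 403s carried an empty QUERY_STRING. The function names, the documentation IP and the placeholder token are assumptions; the sample input is constructed and abbreviated.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Field labels as they appear in the Security Log entries quoted in this thread.
FIELDS = ("BPS|WP|Event Code|Solution|REMOTE_ADDR|Host Name|SERVER_PROTOCOL|HTTP_CLIENT_IP|"
          "HTTP_FORWARDED|HTTP_X_FORWARDED_FOR|HTTP_X_CLUSTER_CLIENT_IP|REQUEST_METHOD|"
          "HTTP_REFERER|REQUEST_URI|QUERY_STRING|HTTP_USER_AGENT")
HEADER = re.compile(r"\[\d{3} \w+\s+Request: ([^\]]+)\]")
LABEL = re.compile(r"\b(" + FIELDS + r"):")

def parse_entries(text):
    """Split a log dump (one field per line, or run together) into dicts."""
    heads, entries = list(HEADER.finditer(text)), []
    for h, nxt in zip(heads, heads[1:] + [None]):
        body = text[h.end():nxt.start() if nxt else len(text)]
        parts = LABEL.split(body)  # ['', label, value, label, value, ...]
        e = {k: " ".join(v.split()) for k, v in zip(parts[1::2], parts[2::2])}
        e["time"] = datetime.strptime(h.group(1).strip(), "%B %d, %Y %I:%M %p")
        entries.append(e)
    return entries

def triage(entries):
    """Per client IP: the first 403, and how many later 403s had no query string."""
    by_ip = defaultdict(list)
    for e in sorted(entries, key=lambda e: e["time"]):  # stable: keeps log order
        by_ip[e.get("REMOTE_ADDR", "")].append(e)
    report = {}
    for ip, seq in by_ip.items():
        qs = parse_qs(seq[0].get("QUERY_STRING", ""))
        host = urlparse(seq[0].get("HTTP_REFERER", "")).hostname or ""
        report[ip] = {
            "first_uri": seq[0].get("REQUEST_URI", ""),
            "from_paypal": host == "paypal.com" or host.endswith(".paypal.com"),
            "checkout_state": qs.get("nfpe_checkout", [None])[0],
            "later_plain_403s": sum(not e.get("QUERY_STRING") for e in seq[1:]),
        }
    return report

# Constructed, abbreviated sample (documentation IP, placeholder token).
SAMPLE = (
    "[403 GET Request: March 2, 2019 3:24 am] BPS: 3.3 REMOTE_ADDR: 203.0.113.10 "
    "HTTP_REFERER: https://www.paypal.com/webscr?cmd=_express-checkout "
    "REQUEST_URI: /register/?nf_resume=1&nfpe_checkout=cancel&token=EC-PLACEHOLDER "
    "QUERY_STRING: nf_resume=1&nfpe_checkout=cancel&token=EC-PLACEHOLDER "
    "[403 GET \nRequest: March 2, 2019 3:26 am] BPS: 3.3 REMOTE_ADDR: 203.0.113.10 "
    "HTTP_REFERER: REQUEST_URI: /art/ QUERY_STRING: HTTP_USER_AGENT: Example/1.0")
print(triage(parse_entries(SAMPLE)))
```

A client whose later 403s have no query string is being refused on ordinary URLs, which is the pattern in the entries Rob B posted for /art/ and the pages under it.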
Rob B (Participant)
Would this rule help?
# Example 3: Whitelist PayPal IPN API Script POST Requests
RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
RewriteRule ^(.*)$ - [F]
AITpro Admin (Keymaster)
That rule would only work if the exact specific name of your IPN handler file/script was that exact file name. If some payment transactions are going through then it is not a problem with whitelisting a particular file. BPS works in a way that is “all or nothing”, i.e. all PayPal transactions would fail or be blocked or none of them would be. There is no in-between since that is not the way BPS is designed or the way htaccess security rules work. Static htaccess security rules do not work intermittently since they are rules that your server uses to process things. They either consistently block something 100% of the time or not at all. So you have some sort of intermittent problem that must be caused by some other problem. My gut is telling me that when an error occurs on PayPal and the user is sent back to your website then something in the redirect from PayPal back to your website triggers a 403 error. It would be nice to know what that PayPal error is. I am checking/testing your site now and will let you know if I find anything.
Rob B (Participant)
I agree with your gut feeling.
My gut is telling me that when an error occurs on PayPal and the user is sent back to your website then something in the redirect from PayPal back to your website triggers a 403 error.
The user reported that the 403 started after the PayPal error. I am guessing they got a redirect that triggered the issue.
AITpro Admin (Keymaster)
I was able to successfully reproduce the problem by filling out your Registration form and cancelling the PayPal transaction. So now I am analyzing why the PayPal redirect back to your site is causing the 403 error. Will post a reply when I have figured that out.
Rob B (Participant)
Could not see the error in PayPal as the transaction was not recorded.
Rob B (Participant)
Is this your entry?
[403 GET Request: March 4, 2019 7:55 pm]
BPS: 3.3
WP: 5.1
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 108.213.94.121
Host Name: 108-213-94-121.lightspeed.irvnca.sbcglobal.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://www.paypal.com/webscr?cmd=_express-checkout&token=EC-4VL960529M7110255&useraction=commit
REQUEST_URI: /art/art-in-the-park-artist-registration-apr-13-2019/?nf_resume=55&nfpe_checkout=cancel&token=EC-4VL960529M7110255&country.x=US&locale.x=en_US
QUERY_STRING: nf_resume=55&nfpe_checkout=cancel&token=EC-4VL960529M7110255&country.x=US&locale.x=en_US
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36
AITpro Admin (Keymaster)
Ok so here is where we are at > there is nothing in the Query String of the post back to your website that BPS would block. So what I need you to do now is to login to PayPal and find your “Take customers to this URL when they cancel their checkout” settings and then post the URL that you see. I suspect you may be trying to do some sort of odd redirect that is causing the 403 error because the redirect is seen as an RFI hacking attempt. I could be wrong, but that is the first possibility to eliminate. The other possibilities are that you are doing some sort of forwarding or redirects somewhere else that are causing the URL to be redirected more than once.
AITpro Admin (Keymaster)
Yes, that was the test PayPal transaction that I did. The Security Log entry does not really tell you what the root problem is because the problem is happening outside of your website or some odd control panel setting or some fubar htaccess redirect code or your PayPal settings are fubar.
Rob B (Participant)
Return url;
https://steelvilleartscouncil.org/art/thank-you-for-your-purchase/
So nothing there, also this is for successful payments.
Looking more.
AITpro Admin (Keymaster)
Please post the PayPal URL for failed or cancelled transactions. The BPS 403 error is “after the fact” since the problem is occurring during the redirect back from PayPal on errors or failed transactions. Successful PayPal transactions appear to be fine. So yeah that is where you need to start troubleshooting this PayPal settings problem. My guess is that you have some sort of RFI URL redirect issue going on.
Rob B (Participant)
Yes we are on the same page.
I will be looking for the failed transaction redirect.