Booster for WooCommerce – POST 403 error


This topic contains 8 replies, has 2 voices, and was last updated by James 1 year, 3 months ago.

  • #32330

    James
    Participant

    Hi guys,

    Could you please suggest the best way to add a whitelisting rule to prevent the 403 errors shown below when using the Booster for WooCommerce plugin please?  In particular it is the “WooCommerce Prices and Currencies by Country” and the error occurs when trying to switch the country (using the dropdownlist supplied with the plugin).  Strangely though it only seems to happen on the shop homepage, and not if the country selection is done on any other page.

    See plugin info here: https://booster.io/features/woocommerce-prices-and-currencies-by-country/

    [403 POST Request: February 3, 2017 - 11:11 pm]
    BPS Pro: 12.6
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 58.182.129.248
    Host Name: 248.129.182.58.starhub.net.sg
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 58.182.129.248
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: POST
    HTTP_REFERER: https://mysite.com/
    REQUEST_URI: /
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
    REQUEST BODY: wcj-country=DE

    This is my POST Request Attack Protection root htaccess code:

    # BPS POST Request Attack Protection
    RewriteCond %{REQUEST_METHOD} POST [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
    # Whitelist the WordPress Theme Customizer
    RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
    # Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
    RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
    # Whitelist Network|Multisite Signup POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
    # Whitelist Network|Multisite Activate POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
    # Whitelist Trackback POST Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
    # Whitelist Comments POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
    # Example 1: Whitelist Star Rating Calculator POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/star-rating-calculator.php [NC]
    # Example 2: Whitelist Contact Form POST Requests
    RewriteCond %{REQUEST_URI} !^.*/contact/ [NC]
    # Example 3: Whitelist PayPal IPN API Script POST Requests
    RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
    # Whitelist wp-load.php, needed for ManageWP?
    # RewriteCond %{REQUEST_URI} !^.*/wp-load.php [NC]
    # Whitelist ManageWP POST Request to wp-load.php by Query String
    RewriteCond %{QUERY_STRING} !^mwprid=(.*) [NC]
    RewriteRule ^(.*)$ - [F]

    Many thanks, James

    #32331

    AITpro Admin
    Keymaster

    You can try and whitelist the “shop” URI, but the REQUEST_URI: / means that this WooCommerce extension is sending a POST Request to your root URL|URI = /, which is the exact same thing that hackers do with POST Request Attacks.  I don’t see anything unique that can be whitelisted like a Query String.  I downloaded the Booster for WooCommerce extension from the booster website so I can look at the code.  After looking at the Booster for WooCommerce extension code I will be able to tell you if there is anything you can whitelist or that you cannot use the BPS POST Attack Protection code with this extension.

    RewriteCond %{REQUEST_URI} !^.*/shop/ [NC]

    #32334

    AITpro Admin
    Keymaster

    I have tested the Booster for WooCommerce extension and I am not seeing any errors when testing the Prices and Currencies by Country dropdown list on the /shop/ test site/page.

    #32351

    James
    Participant

    Hmm, that’s odd. On your test site, is the store homepage on the root of the site (e.g. www.mystore.com) or as a subfolder (e.g. www.mystore.com/shop)? On the site that I am having problems with, the woocommerce store is the homepage of the website; there is no blog, just the store front page when you go to the root of the domain name. As the problem only occurs on my website when the country is changed on the homepage, and not when you do the same on any of the other store pages, then I wonder whether this could be the problem?

    Thanks for taking the time to look into this for me, much appreciated 🙂

    #32352

    AITpro Admin
    Keymaster

    Ahh ok then you definitely cannot use the POST Attack Protection code.  The way the POST Attack Protection code works is that all POST Requests are blocked by default and each new line of code that you create/add is a whitelist rule to allow a POST Request to that unique/specific URI or Query String.  So by default your root site URI / blocks POST Attack Requests since 99.99% of all POST Attacks are made to your root site URI|URL by hackers.  Since I do not see any unique Query Strings that you can use to whitelist for the Prices and Currencies by Country dropdown list POST Request to your root site URL then unfortunately you cannot use the POST Attack Protection code.  If you whitelisted your root site URI|URL then that is the same thing as not using the POST Attack protection code at all.

    #32353

    James
    Participant

    Thanks for confirming – that’s what I thought / feared! Probably easiest to try and hide the country switcher widget on the store / website homepage then and I will send a message to the developer to see if they can tweak the code in some way to make the request more identifiable and hence whitelist-able.

    Thank you, James 🙂

    #32535

    James
    Participant

    Just raising this with the Boost plugin developers.  Is there any info or documentation you could point me (or rather them!) to which explains how the POST request can be modified to be unique and hence identifiable and whitelist-able please?

    https://booster.io/features/woocommerce-prices-and-currencies-by-country/#comment-11364

    #32536

    AITpro Admin
    Keymaster

    This is only a general example of what the end result of the Request URI and Query String should look like and not an example of how they would actually do that in their code:  /?wc-booster=price_country or if they are using AJAX: /?wc-booster-ajax=price_country.  The whitelist rule for the POST Attack Protection code would then be able to whitelist their POST Request Query String:

    RewriteCond %{QUERY_STRING} !^wc-booster=(.*) [NC]

    or

    RewriteCond %{QUERY_STRING} !^wc-booster-ajax=(.*) [NC]

    Since the Booster plugin is a “booster” for both WooCommerce and Jetpack and both WooCommerce and Jetpack are using code that uses Query Strings in POST Requests then the simple thing for the Booster folks to do would be to look at both WooCommerce and Jetpack code that makes POST Requests using Query Strings and then use the POST Request method that either of these plugins use.
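
    The two admin replies above (#32352 on how the rule chain default-denies POSTs and whitelists by URI or Query String, and #32536 on giving the request a distinctive Query String) can be checked with a small model of the chain. The example below is added here and is not code from BulletProof Security or from Booster; `Request`, `forbidden` and `run_scenarios` are names chosen for the example, the `/shop/` rule is the one suggested in #32331, `wc-booster=price_country` is the hypothetical Query String from #32536, and the request bodies are constructed. It mirrors how mod_rewrite evaluates the chain: every `RewriteCond` is ANDed, `!` negates a match, `[NC]` makes it case-insensitive, and the `[F]` rule fires only when all conditions hold. It also shows why the POST body `wcj-country=DE` cannot be used as a whitelist key: no `RewriteCond` variable exposes the body, only the path, query string and headers.

    ```python
    """Model of the BPS POST Request Attack Protection .htaccess chain (added example)."""
    import re
    from dataclasses import dataclass


    @dataclass
    class Request:
        method: str
        uri: str            # %{REQUEST_URI}: path only; mod_rewrite keeps the query string separate
        query: str = ""     # %{QUERY_STRING}
        referer: str = ""   # %{HTTP_REFERER}
        body: str = ""      # POST body: no RewriteCond server variable exposes it


    # One tuple per RewriteCond from the first post: (server variable, regex, negated by "!").
    # The closing "RewriteRule ^(.*)$ - [F]" fires only when every condition holds.
    BPS_CHAIN = [
        ("method",  r"POST",                        False),
        ("uri",     r"^.*/wp-admin/",               True),
        ("uri",     r"^.*/wp-cron.php",             True),
        ("uri",     r"^.*/wp-login.php",            True),
        ("referer", r"^.*/wp-admin/customize.php",  True),
        ("uri",     r"^.*/xmlrpc.php",              True),
        ("uri",     r"^.*/wp-signup.php",           True),
        ("uri",     r"^.*/wp-activate.php",         True),
        ("uri",     r"^.*/wp-trackback.php",        True),
        ("uri",     r"^.*/wp-comments-post.php",    True),
        ("query",   r"^mwprid=(.*)",                True),
    ]

    # Candidate whitelist lines discussed in the thread (appended before the [F] rule).
    SHOP_WHITELIST = [("uri", r"^.*/shop/", True)]                    # post #32331
    BOOSTER_QS_WHITELIST = [("query", r"^wc-booster=(.*)", True)]    # hypothetical, post #32536
    ROOT_WHITELIST = [("uri", r"^/$", True)]                          # "whitelist the root URI"


    def forbidden(req: Request, chain) -> bool:
        """True when the chain's final RewriteRule returns 403 for this request."""
        for var, pattern, negated in chain:
            matched = re.search(pattern, getattr(req, var), re.IGNORECASE) is not None
            if matched == negated:   # this RewriteCond fails, so the [F] rule never fires
                return False
        return True


    def run_scenarios() -> dict:
        """Evaluate the thread's cases; True means the request gets a 403."""
        switch_on_root = Request("POST", "/", referer="https://mysite.com/", body="wcj-country=DE")
        switch_on_shop = Request("POST", "/shop/", body="wcj-country=DE")
        switch_with_qs = Request("POST", "/", query="wc-booster=price_country", body="wcj-country=DE")
        attack_on_root = Request("POST", "/", body="constructed attack payload")  # constructed
        page_view = Request("GET", "/")
        return {
            "page_view_get":         forbidden(page_view, BPS_CHAIN),
            "switch_on_root":        forbidden(switch_on_root, BPS_CHAIN),
            "switch_on_shop":        forbidden(switch_on_shop, BPS_CHAIN + SHOP_WHITELIST),
            "switch_with_qs":        forbidden(switch_with_qs, BPS_CHAIN + BOOSTER_QS_WHITELIST),
            "attack_with_qs_rule":   forbidden(attack_on_root, BPS_CHAIN + BOOSTER_QS_WHITELIST),
            "attack_with_root_rule": forbidden(attack_on_root, BPS_CHAIN + ROOT_WHITELIST),
        }


    if __name__ == "__main__":
        for name, result in run_scenarios().items():
            print(f"{name:24s} -> {'403 blocked' if result else 'allowed'}")
    ```

    Two results carry the thread's point: the country switch on `/` is blocked while the same POST to `/shop/` passes the `/shop/` rule, which is the behaviour James reports; and with the root URI whitelisted, a constructed attack POST to `/` passes exactly like the country switch, because the chain sees the same path and an empty query string for both, whereas the `wc-booster` query-string rule lets the plugin's request through and still blocks the attack.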

    #32539

    James
    Participant

    Thanks.  I’ll forward that across and fingers crossed they can implement something.  Cheers, James
