• Resolved smissingham

    (@smissingham)


    I am getting the following error in the system log (and API failures) when trying to update products with the WooCommerce v3 REST API.

    If I disable the Root Folder BulletProof Mode (RBM) protection, the API works fine.
    I have not been able to figure out how to whitelist the IPs from which I want to make the API calls.

    [403 GET Request: January 10, 2022 - 11:25 am]
    BPS: 
    WP: 5.8.3
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 
    Host Name: XXXXXXXXXXXXXXXXXXX
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /wp-json/wc/v3/products?per_page=5&sku=12112019%20MAPS3YR%20BENDIGO%20AND%20ADELAIDE,18062020%20MAPS5YRS%20ABORIGINAL%20LEGAL%20SERVI,20122019%20MAPS5YR%20O%27CONNOR%20INVESTMENTS,BB0250%20HWMA%20230420
    QUERY_STRING: per_page=5&sku=12112019%20MAPS3YR%20BENDIGO%20AND%20ADELAIDE,18062020%20MAPS5YRS%20ABORIGINAL%20LEGAL%20SERVI,20122019%20MAPS5YR%20O%27CONNOR%20INVESTMENTS,BB0250%20HWMA%20230420
    HTTP_USER_AGENT:
Viewing 8 replies - 1 through 8 (of 8 total)
  • Thread Starter smissingham

    (@smissingham)

    Something else strange: all of those HTTP_ headers really are empty; I only redacted the Host Name header.

    Plugin Author AITpro

    (@aitpro)

    The Header Fields being blank is not a problem due to the way the Request is being done. What is being blocked in the Query String is the single quote code character here: O%27CONNOR = O’CONNOR. The single quote code character should not be used/allowed in Query Strings since it is one of the most dangerous code characters.

    Recommendation if possible: Remove the single quote code character: OCONNOR.

    If that is not possible then do these steps:
    1. Copy the modified BPS Query String Exploits code below to this BPS Root Custom Code text box: CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
    Important Note: If you have existing htaccess code in this Custom Code text box then overwrite the existing htaccess code with this new htaccess code.
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Setup Wizard page and run the Setup Wizard.

    Note: It is safe to comment out this general security rule because there is an additional security rule that will still protect against SQL Injection attacks.

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker. 
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR] 
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    #RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS
    Plugin Author AITpro

    (@aitpro)

    Is the issue/problem still occurring or is it resolved?

    Plugin Author AITpro

    (@aitpro)

    Assuming all questions have been answered – the thread has been resolved. If the issue/problem is not resolved or you have additional questions about this specific thread topic then you can post them at any time. We still receive email notifications when threads have been resolved.

    Thread Starter smissingham

    (@smissingham)

    Sadly I can’t avoid quotes in these URLs as products genuinely have these characters in their names.

    I already have a very strict firewall rule for access to /wp-json/ endpoint, so I am reasonably confident that is not a security problem.

    That custom .htaccess code appears to be working, thank you for your awesome support!

    I am getting a similar issue, although I don’t see any special characters in the request.

    [403 GET Request: May 9, 2022 - 1:55 pm]
    BPS: 6.1
    WP: 5.9.3
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 3.105.28.25
    Host Name: ec2-3-105-28-25.ap-southeast-2.compute.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /wp-json/wc/v3/orders?status=processing&per_page=99
    QUERY_STRING: status=processing&per_page=99
    HTTP_USER_AGENT: curl/7.68.0
    Plugin Author AITpro

    (@aitpro)

    The User Agent is being blocked. Do the steps in this forum topic to fix this > https://forum.ait-pro.com/forums/topic/error-403-de-server/#post-32942
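As an added check for the two log entries in this thread (the %27 in the products query string earlier, and the curl/7.68.0 user agent here), the script below replays the BPSQSE conditions offline so a site owner can see which RewriteCond fires before editing .htaccess. It is example code written for this thread, not BulletProof Security's own matcher; it assumes the Apache patterns behave the same under Python's re module (true for the syntax these rules use), models only the HTTP_USER_AGENT and QUERY_STRING conditions, and the helper names (matching_rules, is_blocked, without) and the two request dictionaries are constructed from the log entries above.

```python
import re

# Apache's [NC] flag; rules without it are case-sensitive, as in the .htaccess.
NC = re.IGNORECASE

# The two rules this thread turns on: the User Agent filter that blocks
# "curl/7.68.0" and the general single-quote rule that blocks "O%27CONNOR".
UA_RULE = r"(havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader)"
QUOTE_RULE = r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)"

# (server variable, pattern, flags), copied from the BPSQSE block in the post
# above. Only HTTP_USER_AGENT and QUERY_STRING conditions are modelled; the
# THE_REQUEST, REQUEST_URI and HTTP_REFERER ones are left out. Apache tests
# the *raw* query string, so "%27" is matched as three characters, not as "'".
RULES = [
    ("HTTP_USER_AGENT", UA_RULE, NC),
    ("HTTP_USER_AGENT", r"(%0A|%0D|%27|%3C|%3E|%00)", NC),
    ("HTTP_USER_AGENT", r"""(;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner)""", NC),
    ("QUERY_STRING", r"[a-zA-Z0-9_]=(http|https)://", NC),
    ("QUERY_STRING", r"[a-zA-Z0-9_]=(\.\.//?)+", NC),
    ("QUERY_STRING", r"[a-zA-Z0-9_]=/([a-z0-9_.]//?)+", NC),
    ("QUERY_STRING", r"\=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", NC),
    ("QUERY_STRING", r"(\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/)", NC),
    ("QUERY_STRING", r"ftp\:", NC),
    ("QUERY_STRING", r"(http|https)\:", NC),
    ("QUERY_STRING", r"\=\|w\|", NC),
    ("QUERY_STRING", r"^(.*)/self/(.*)$", NC),
    ("QUERY_STRING", r"^(.*)cPath=(http|https)://(.*)$", NC),
    ("QUERY_STRING", r"(\<|%3C).*script.*(\>|%3E)", NC),
    ("QUERY_STRING", r"(<|%3C)([^s]*s)+cript.*(>|%3E)", NC),
    ("QUERY_STRING", r"(\<|%3C).*embed.*(\>|%3E)", NC),
    ("QUERY_STRING", r"(<|%3C)([^e]*e)+mbed.*(>|%3E)", NC),
    ("QUERY_STRING", r"(\<|%3C).*object.*(\>|%3E)", NC),
    ("QUERY_STRING", r"(<|%3C)([^o]*o)+bject.*(>|%3E)", NC),
    ("QUERY_STRING", r"(\<|%3C).*iframe.*(\>|%3E)", NC),
    ("QUERY_STRING", r"(<|%3C)([^i]*i)+frame.*(>|%3E)", NC),
    ("QUERY_STRING", r"base64_encode.*\(.*\)", NC),
    ("QUERY_STRING", r"base64_(en|de)code[^(]*\([^)]*\)", NC),
    ("QUERY_STRING", r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", 0),
    ("QUERY_STRING", r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", 0),
    ("QUERY_STRING", r"^.*(\(|\)|<|>|%3c|%3e).*", NC),
    ("QUERY_STRING", r"^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).*", NC),
    ("QUERY_STRING", r"(NULL|OUTFILE|LOAD_FILE)", 0),
    ("QUERY_STRING", r"(\.{1,}/)+(motd|etc|bin)", NC),
    ("QUERY_STRING", r"(localhost|loopback|127\.0\.0\.1)", NC),
    ("QUERY_STRING", QUOTE_RULE, NC),  # the rule the post comments out
    ("QUERY_STRING", r"concat[^\(]*\(", NC),
    ("QUERY_STRING", r"union([^s]*s)+elect", NC),
    ("QUERY_STRING", r"union([^a]*a)+ll([^s]*s)+elect", NC),
    ("QUERY_STRING", r"\-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file)", NC),
    ("QUERY_STRING", r"""(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode)""", NC),
    ("QUERY_STRING", r"(sp_executesql)", NC),
]


def matching_rules(request, rules=RULES):
    """Return the pattern of every RewriteCond that fires for `request`.

    `request` maps server variable names to their raw values, exactly as
    they appear in a BPS log entry. The [OR] chain blocks on the first hit,
    but listing every hit shows whether more than one rule needs attention.
    """
    return [pattern for var, pattern, flags in rules
            if re.search(pattern, request.get(var, ""), flags)]


def is_blocked(request, rules=RULES):
    """True if the chain would reach `RewriteRule ^(.*)$ - [F]` (a 403)."""
    return bool(matching_rules(request, rules))


def without(pattern, rules=RULES):
    """The ruleset with one condition commented out, as the post suggests."""
    return [r for r in rules if r[1] != pattern]


# Constructed from the two 403 log entries in this thread.
WOO_PRODUCTS = {
    "QUERY_STRING": "per_page=5&sku=12112019%20MAPS3YR%20BENDIGO%20AND%20ADELAIDE,18062020%20MAPS5YRS%20ABORIGINAL%20LEGAL%20SERVI,20122019%20MAPS5YR%20O%27CONNOR%20INVESTMENTS,BB0250%20HWMA%20230420",
    "HTTP_USER_AGENT": "",
}
WOO_ORDERS = {
    "QUERY_STRING": "status=processing&per_page=99",
    "HTTP_USER_AGENT": "curl/7.68.0",
}

if __name__ == "__main__":
    for name, req in (("products", WOO_PRODUCTS), ("orders", WOO_ORDERS)):
        print(name, "blocked by:", matching_rules(req))
    print("products without quote rule:", is_blocked(WOO_PRODUCTS, without(QUOTE_RULE)))
    print("orders without UA rule:", is_blocked(WOO_ORDERS, without(UA_RULE)))
```

Running it shows that the products request trips only the single-quote rule and the orders request only the User Agent rule, so removing each one is enough for that request; the remaining union/select rules still fire on a query string that carries a quote followed by SQL keywords, which is the point of the Note in the post above.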

    Thank you for your fast response! This resolved my issue.

  • The topic ‘WooCommerce v3 API Blocked as “Hacker:’ is closed to new replies.