• Resolved Jason

    (@galapogos01)


    Today I noticed my web server was running a bit slower than usual. What I found was repeated posts from the same IP to /?wc-ajax=checkout

    Looking at the post requests captured by my firewall, they appeared to be using the Braintree plugin to try literally thousands (16,000 posts) of credit cards to make a payment. Sure enough, there was an order in my system with thousands of failed payment notes on it.

    Is this something the plugin should be more proactively blocking?

Viewing 10 replies - 1 through 10 (of 10 total)
  • Hi @galapogos01,

    Thanks for reaching out about our Braintree for WooCommerce gateway! I’ll be happy to help.

    While the plugin does not contain fraud protection functionality within itself, it does allow you to take advantage of the fraud protection features offered by Braintree. You can choose whether you’d like to use the basic tools that are enabled by default or the more advanced options (which you’ll need to configure in your Braintree account) within the plugin settings.

    These will not prevent the transaction from being attempted in the first place (meaning that it will be sent to Braintree), but Braintree’s fraud protection should help greatly reduce the number of fraudulent orders that are actually processed.

    Regarding these attempts slowing down the server, I’m afraid that there would not be anything within the plugin that would be able to block these repeated attempts. I did a quick search to see if I could find any third-party plugins that would help with this on the WooCommerce side, and I came across this one that looks like it might be helpful.

    We have had a few other users ask about implementing some checks on the WooCommerce side before the transaction is sent to the gateway, and we are tracking an internal feature request for this. Although I cannot guarantee if/when this might be added to the plugin, our products team does take these requests into consideration when planning future development efforts.

    I’m sorry that I don’t have a more straightforward solution for you on this! Is there anything else that I can help with for now?

    Thanks,

    Jennifer
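    The reply above says nothing in the plugin itself will stop repeated checkout POSTs, so the practical place to spot card testing of the kind described in the opening post is the web-server or firewall log at the edge. The following is an added example, not code from this thread, from WooCommerce or from the Braintree plugin: it parses lines in the Apache/nginx "combined" log format, counts POSTs to `/?wc-ajax=checkout` per source IP in a sliding 60-second window, and reports any IP that exceeds a threshold. The log lines, IP addresses, timestamps and the threshold of 20 are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: ip ident user [time] "METHOD path PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_checkout_post(rec):
    """True for a POST whose query string carries wc-ajax=checkout (other params may be present)."""
    _, _, query = rec["path"].partition("?")
    return rec["method"] == "POST" and "wc-ajax=checkout" in query.split("&")


def find_card_testers(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {ip: peak_count} for every IP whose checkout POSTs in any sliding
    `window`-long interval exceed `threshold`. Lines are assumed to be in
    chronological order, as a log file normally is; unparseable lines are skipped."""
    recent = defaultdict(deque)   # ip -> timestamps of checkout POSTs inside the window
    peak = defaultdict(int)       # ip -> largest window count seen
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_checkout_post(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


def build_sample_log():
    """Constructed sample (not real traffic): 203.0.113.7 posts to the checkout
    endpoint every 2 seconds for 4 minutes; 198.51.100.2 browses the shop and
    later makes one checkout plus a single retry, which should not be flagged."""
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'
    t0 = datetime(2021, 3, 12, 10, 0, 0, tzinfo=timezone.utc)

    def stamp(dt):
        return dt.strftime(TS_FMT)

    lines = []
    for i in range(120):
        lines.append(fmt.format(ip="203.0.113.7", ts=stamp(t0 + timedelta(seconds=2 * i)),
                                method="POST", path="/?wc-ajax=checkout", status=200))
        if i % 10 == 0:
            lines.append(fmt.format(ip="198.51.100.2", ts=stamp(t0 + timedelta(seconds=2 * i + 1)),
                                    method="GET", path="/shop/", status=200))
    lines.append(fmt.format(ip="198.51.100.2", ts=stamp(t0 + timedelta(minutes=5)),
                            method="POST", path="/?wc-ajax=checkout", status=200))
    lines.append(fmt.format(ip="198.51.100.2", ts=stamp(t0 + timedelta(minutes=5, seconds=40)),
                            method="POST", path="/?wc-ajax=checkout", status=200))
    lines.append("this line is deliberately malformed and must be skipped")
    return lines


if __name__ == "__main__":
    for ip, n in find_card_testers(build_sample_log()).items():
        print(f"{ip}: {n} checkout POSTs within 60s")
```

    Run against a real access log, the same function works on `open("access.log")` in place of `build_sample_log()`. Two caveats a practitioner would want: behind a CDN or reverse proxy the first field is the proxy's address and the client appears in `X-Forwarded-For`, so the log format and regex need that extra field; and card-testing bots rotate source addresses, so an IP threshold is a detection and triage aid, not a substitute for a server-side check before the request reaches the gateway.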

    Thread Starter Jason

    (@galapogos01)

    Thanks for the detailed response, Jennifer!

    Can we please keep this ticket opened until that feature is delivered. Ideally the plugin should be using some kind of nonce / secret to prevent a bot from being able to script thousands of calls to Braintree. I am a little shocked that Braintree would release a plugin so readily abused.

    I note that there are others reporting similar behaviour so clearly this hole is known by fraudsters and is being actively used at the moment.

    Cheers,
    Jason

    Hi @galapogos01!

    I’m afraid that I don’t have any details on if / when this will be added to the core plugin. We typically automatically resolve threads here after two weeks of inactivity to keep things organized; however, the best way to find out about new features being released is to subscribe to our newsletter.

    We are tracking this request internally though, so our team will take this into consideration when planning our plugin roadmap. Please don’t hesitate to reach out if there is anything else that we can help with in the meantime.

    Thanks,

    Jennifer

    Thread Starter Jason

    (@galapogos01)

    Thanks; I will keep checking on this thread as I do not really want to be waiting months for this.

    Cheers,
    Jason

    Hi @galapogos01,

    I certainly understand – unfortunately I cannot make any guarantees on if any new fraud protection features will be added in the near future, though our team does review and consider feature requests like this when planning upcoming plugin updates. If something like this is added at some point, the best place to find out about it would be the newsletter, as updates are not typically posted here in the thread where the request was made.

    With that being said, please don’t hesitate to reach out here or in a new thread if there is anything else that we can help with in the meantime.

    Thanks,

    Jennifer

    Hey @galapogos01,

    It has been a long time since we heard from you, so I’m going to mark this topic as resolved.

    If you’re still experiencing issues please take a look at our documentation for more information and create a new thread if you have further questions.

    Thanks,
    Tamara

    Thread Starter Jason

    (@galapogos01)

    Sorry but there has not been any resolution provided! Why are you closing this?

    Hi @galapogos01,

    My apologies for the mixup!

    We typically track feature requests internally and mark threads as resolved when we’ve answered all immediate questions and ask our users to subscribe to our newsletter or watch out for plugin updates to see if requested features have been released.

    Although the thread is marked as resolved, you will still be able to post further questions here if you’d like. Additionally, you can create a new thread if you are unable to post updates here.

    Thanks,
    Tamara

    Thread Starter Jason

    (@galapogos01)

    Can you just unmark it as resolved please? It’s not resolved as we have discussed.

    Hey @galapogos01,

    So sorry about that. Though the feature requested has not been implemented, the question posed here has been addressed. I’m sorry that we don’t have better news here at this time, but our engineers are aware of the request and we’ll look to add some additional protection in upcoming releases.

    Although the thread itself has been marked as resolved, you are still welcome to post further questions here. Additionally, you can create a new thread anytime, as newer threads tend to be more visible anyway, both for us and for the general community to jump in and help with as well.

    Cheers,
    Marcus

  • The topic ‘Thousands of posts to /?wc-ajax=checkout’ is closed to new replies.