Stripe Webhook Error

Hello dear @Anton L

After successfully processing a payment on the Stripe checkout page, I am getting a 403 Forbidden error when Stripe tries to send a user back to my site in order to confirm the subscription or the purchase and update the membership in UNA.

Forbidden
You don't have permission to access this resource.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

In my stripe account (dashboard), everything looks great. The Payment was processed with success and the subscription was successfully created too. The only error I can see from the Stripe Webhooks tad is: The Webhook delivery failure for the event: invoice.payment_succeeded 

I am using Stripe 3D Secure integration. My Stripe account is set correctly: Products/subscriptions are created and the webhook is added. Same with UNA, I have entered the Public and Secret key correctly. I am in the test mode. UNA 13.1.0-Stable on a dedicated server (Apache).

After payment Stripe checkout return the following url with the 403 Forbidden error:

https://www.xxxxx.com/m/payment/subscribe_json/?seller_id=xx&seller_provider=stripe_v3&module_id=xx&item_id=x&item_count=1&item_addons=xxxxxxxxxxxxxxxxxxxxxxx=&redirect=&custom=xxxxxxxx&session_id=cs_test_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

After checking my server log, it looks like the 'session_id' parameter in that url is triggering my server Mod_security system. The Stripe webhook endpoint request is blocked and Stripe doesn't send back the purchase information to update the UNA system/database.

Below is my server log::

[Mon May 20 14:46:05.239706 2024] [security2:error] [pidxxxxx:tid xxxxxxxxxxxxxx] [client xxx.xx.xxx.xxx:xxxxx] [client xxx.xx.xxx.xxx] ModSecurity: Warning. Operator GEmatched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "xxxxxx"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=5): PossibleSession Fixation Attack: SessionID Parameter Name with Off-Domain Referer"] [tag "event-correlation"] [hostname "www.xxxxx.com"] [uri "/m/payment/initialize_checkout/single/"] [unique_id "xxxxxxxxxxxxxxxxxxxxxxxxxxx"], referer: https://checkout.stripe.com/

[Mon May 20 14:46:46.630701 2024] [security2:error] [pidxxxxx:tid xxxxxxxxxxxxxx] [client xxx.xxx.xx.xx:xxxxx] [client xxx.xxx.xx.xx] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "303"] [id "xxxxxx"] [rev "2"] [msg "Request Missing a Host Header"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag"application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"][tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "xxx.xxxxx.com"] [uri "/"] [unique_id "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"]

How to fix this problem? Please help!

Thanks

  • 783
  • More
Replies (5)
    • You will need to add a modsec exception/rule to apache mod_security module.

      If you need help with the exception/rule and UNA hasn't answered, I'll help when I get home.

      You can try commenting out that specific rule first, and see if any other modsec rules catch it. If not, then we tweak that rule or add an exception.

      • SecRule REQUEST_URI "@beginsWith /m/payment" "phase:1,id:123456,allow"
        

        This should fix your problem. Be sure it is loaded before the other rule. And 'id' can be adjusted.

        • Don't forget to restart apache 😁

          • @Wise

            I am sorry for the delay to answer you back and I thank you so much for your valuable help. It works!.

            The solution you provided fixed my problem with mod_sec.

            The modsec rule #943110 which contains the 'SessionID' was blocking the webhook API request from Stripe which also has a 'sessionid' in the url parameter as you can see in the url i shared in the post above.

            So, a Modsec exception needed to be added.

            Instead of executing command lines using SSH (which can also be done), I added that exception rule through WHM > 'ModSecurity Tools' > Rules List > Add Rule. It was more convenient.

            Also, instead of using the modsec operator: 'beginsWith' as per your suggestion like this: (which works perfectly)

            SecRule REQUEST_URI "@beginsWith /m/payment" "phase:1,id:123456,allow"
            

            I used the operator: 'contains' like this:

            SecRule REQUEST_URI "@contains /m/payment" "phase:1,id:123456,allow"
            

            The reason is because I also have some UNA dev (test) websites installed in subdirectories. The modsec operator 'contains' will also add that exception to urls like this: e.g: mysite[dot]com/subdirectory/m/payment ...

            Once again, thanks a lot for helping.

            • No problem. I don't use WHM or Cpanel, I run bare boxes with everything done manually. 😎👍

              Login or Join to comment.