WAF rules stopped working

Hey, guys.
Previously created rules for certain URLs to let them through despite other rules and the anti-bot feature. This was necessary for payment systems, which sent the site information about the payment and payment confirmation. These rules worked fine. And now the rules stopped working, because “Bot Fight Mode” stopped letting such requests through despite the “Skip” rules. What kind of innovation is this and how can it be fixed? Will disabling the “Bot Fight Mode” feature help?

This rule worked great before, but now it doesn’t work.
Skip >> (http.request.uri contains "/billing.html") or (http.request.uri.path contains "/pay/handler")

Hey,

Thanks for asking.

May I ask if the BFM is enabled or disabled, while you’re having these WAF rules enabled? :thinking:

Sounds to me like you’re skipping the security check and allowing the possible “bad requests” from bots and scrapers to come to the /billing.html page and execute something on the /pay/handler? That’s not so great, if true.

Could be I am wrong, however, may I ask if you could describe a bit more in next reply?

May I also ask what are you trying to achieve?

Asking so we could provide more useful solution using WAF and other security options available to you, even like Rate Limiting Rules, if so.

What is BFM?

Are there any other options if you need to receive a GET request with payment confirmation? I am not a developer of payment systems, but they all more or less work the same. You send the user to the payment system, he makes a payment there, the payment system sends a GET or POST request to the site confirming the payment. It is worth noting that each payment system gives you a secret key for such purposes. So even if bots attack this handler and do not know the secret key, requests will simply be rejected.
In case of notification of a successful payment from the payment system, Cloudflare regards such a request as “Bot Fight Mode” and issues the code 403 Forbidden. Naturally, the payment does not complete successfully; the user spent money but did not receive anything in return. We are starting to deal with payments, which is not very cool. After all, everything should work automatically.

I have currently tracked the IP servers of the payment systems from which the requests are coming. I added these IPs to the allow list. It’s working so far. But it worked fine according to the rules. IPs tend to change, for example, when the server changes. Why did the rules stop working?
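As an added illustration (not code from this thread or from any payment provider), this is how a /pay/handler endpoint can reject notifications that lack a valid signature over the provider-issued secret, so that letting the callback past the WAF does not mean trusting every request that reaches it. The parameter names, the secret value and the sorted key=value canonicalisation are assumptions; real providers document their own signing scheme.

```python
import hmac
import hashlib
from urllib.parse import parse_qsl, urlencode

# Secret issued by the (hypothetical) payment provider; constructed value.
SHARED_SECRET = b"example-secret-from-provider"


def sign_payload(params: dict, secret: bytes = SHARED_SECRET) -> str:
    """Hex HMAC-SHA256 over the canonical payload (sorted keys, 'sig' excluded)."""
    canonical = "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "sig")
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def build_signed_query(params: dict, secret: bytes = SHARED_SECRET) -> str:
    """What the provider side would send: the params plus their signature."""
    return urlencode({**params, "sig": sign_payload(params, secret)})


def verify_callback(query_string: str, secret: bytes = SHARED_SECRET) -> bool:
    """Accept a payment notification only if its signature matches."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    sig = params.get("sig")
    if not sig:
        return False  # unsigned request: never trust it, whatever its source IP
    expected = sign_payload(params, secret)
    # Constant-time comparison so a forger cannot learn the signature byte by byte.
    return hmac.compare_digest(expected.encode(), sig.encode())


def handle_callback(query_string: str) -> int:
    """Return the HTTP status the handler would answer with."""
    if not verify_callback(query_string):
        return 401  # rejected by the application, not by the WAF
    # A real handler would now mark the order as paid.
    return 200
```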
