• Resolved sonic1243

    (@sonic1243)


    Originally started a thread on WooCommerce, but this seems more related to this PayPal Payments plugin so here I am … We’re getting lots of card testing ‘failed orders’ and a few that are successful. All for small amounts, all have “origin unknown”. Have tried reCAPTCHA v2 which didn’t work. Currently have Card payments turned off to stop them… There’s a thread here talking about this issue and a possible fix by editing the core files: https://wordpress.stackexchange.com/questions/427747/how-to-block-checkout-process-when-session-origin-is-unknown

    What’s the situation with this please? We’re losing business, and had to refund 9 transactions completed with stolen cards!

Viewing 7 replies - 16 through 22 (of 22 total)
  • The solution, if you don’t want to block the entire WooCommerce REST API, is to edit the plugin itself: disable auto update for the WooCommerce PayPal plugin and change the code in this file.

    \woocommerce-paypal-payments\modules\ppcp-button\src\Endpoint\CreateOrderEndpoint.php … at the beginning of this function


    private function create_paypal_order( \WC_Order $wc_order = null, string $payment_method = '', array $data = array() ): Order {
        // Check origin source from session: the sbjs_first cookie is written by the
        // order-attribution script, so a request without it has an "unknown" origin.
        if ( ! isset( $_COOKIE['sbjs_first'] ) ) {
            throw new \RuntimeException(
                __( 'Order creation failed: Origin source is required.', 'woocommerce-paypal-payments' )
            );
        }

        assert( $this->purchase_unit instanceof PurchaseUnit );

    This throws an exception if the origin is unknown; this is a temporary fix. You can check other cookies that relate to the origin source to harden the condition. The only change is this part below

        // Added check: refuse to create the PayPal order when the origin cookie is absent.
        if ( ! isset( $_COOKIE['sbjs_first'] ) ) {
            throw new \RuntimeException(
                __( 'Order creation failed: Origin source is required.', 'woocommerce-paypal-payments' )
            );
        }
    • This reply was modified 2 months, 3 weeks ago by johnteey.
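    The reply above shows a single-cookie test and suggests hardening it with the other origin cookies. The following is an added example, not code from the thread or from the WooCommerce PayPal Payments plugin, that packages that idea as a standalone function so it can be exercised outside WordPress. It assumes the origin cookies are the ones written by sourcebuster.js (sbjs_first, sbjs_current, sbjs_session) and that their values are "|||"-separated key=value pairs; the function names, the $cookies parameter and the sample cookie values are all invented here.

```php
<?php
// Added example (not the plugin's own code): a hardened "origin source" check
// built from the idea in the reply above.
//
// Assumptions, labelled as such:
//  - sbjs_first / sbjs_current / sbjs_session are the sourcebuster.js cookies
//    used for order attribution, with "|||"-separated key=value values
//    (typ, src, mdm, cmp, cnt, trm, ...). Treat the format as an assumption.
//  - The function names and the $cookies map are hypothetical; in the plugin
//    you would pass $_COOKIE.

declare(strict_types=1);

/**
 * Parse a sourcebuster-style cookie value into an associative array.
 * Anything that does not look like key=value pairs yields an empty array.
 */
function origin_parse_sbjs(string $value): array {
    $out = array();
    foreach (explode('|||', $value) as $pair) {
        $eq = strpos($pair, '=');
        if ($eq === false) {
            continue;
        }
        $out[substr($pair, 0, $eq)] = substr($pair, $eq + 1);
    }
    return $out;
}

/**
 * Decide whether the request carries a usable origin source.
 *
 * @param array $cookies Cookie map, e.g. $_COOKIE.
 * @return string Empty string when the origin looks acceptable, otherwise a
 *                short reason usable in the exception message or a log line.
 */
function origin_check(array $cookies): string {
    // 1. The single check from the reply: sbjs_first must be present at all.
    if (!isset($cookies['sbjs_first'])) {
        return 'missing sbjs_first';
    }
    // 2. Hardening: the same script sets sbjs_current and sbjs_session, so a
    //    client presenting only sbjs_first did not run the attribution JS.
    foreach (array('sbjs_current', 'sbjs_session') as $name) {
        if (!isset($cookies[$name])) {
            return "missing $name";
        }
    }
    // 3. The value must parse and carry both a traffic type and a source.
    $first = origin_parse_sbjs((string) $cookies['sbjs_first']);
    if (empty($first['typ']) || empty($first['src'])) {
        return 'sbjs_first has no typ/src';
    }
    return '';
}

/** Drop-in replacement for the reply's throw, keeping its message. */
function origin_require_or_throw(array $cookies): void {
    $reason = origin_check($cookies);
    if ($reason !== '') {
        throw new \RuntimeException(
            'Order creation failed: Origin source is required. (' . $reason . ')'
        );
    }
}

// Constructed sample cookies for a quick self-check: a browser that ran the
// attribution script, and a bot that replays a single bare cookie.
$browser = array(
    'sbjs_first'   => 'typ=organic|||src=google|||mdm=organic|||cmp=(none)|||cnt=(none)|||trm=(none)',
    'sbjs_current' => 'typ=organic|||src=google|||mdm=organic|||cmp=(none)|||cnt=(none)|||trm=(none)',
    'sbjs_session' => 'pgs=3|||cpg=/checkout/',
);
$bot = array('sbjs_first' => 'typ=typein');

assert(origin_check($browser) === '');
assert(origin_check($bot) === 'missing sbjs_current');
assert(origin_check(array()) === 'missing sbjs_first');
```

    Note that this check, like the one in the reply, rejects any browser that blocks or strips these cookies, so it trades a share of legitimate "unknown origin" orders for stopping the card-testing bots; run it in logging-only mode first and compare the rejection reasons against real orders before letting it throw.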

    We get plenty of legit orders with an unknown source origin due to cookie blocking or privacy blocking settings, esp. on mobile, so you could be impacting direct revenue. That’s why we cannot use a solution like that, not to mention that editing the plugin directly, which prevents you from updating, will put you out of PCI compliance should another vulnerability come up while we wait for PayPal to fix this issue.

    The solution I provided above doesn’t block the entire API as other solutions have proposed, but instead prevents the bot from grabbing the catalog as a JSON response; as a result the bot process dies because it doesn’t have a SKU to continue. This has completely stopped the bot orders for us without impacting real customers or functionality.

    @rprentice84 I understand that disabling auto update is not the best; we will update the plugin manually and add the code manually until the plugin creator provides a solution. If the bot creator downloads the catalog manually and feeds the bots, the exploit will still work. But so far your solution is better than editing the plugin manually.

    Thread Starter sonic1243

    (@sonic1243)

    The wc_endpoint function seems to have stopped the attacks here (not v1), so many thanks for that. @denialdesign

    I’ve never seen a legitimate order with ‘unknown’ attribution. But it’s not a big store.

    Glad to see devs are working on a solution for this.. ty

    Thread Starter sonic1243

    (@sonic1243)

    The workaround had been working fine, until today.. had a bunch of card testing failed orders.

    I’ve updated to the latest WooCommerce and PayPal Payment plugins, will see if that helps…

    @sonic1243 sorry to hear that. We haven’t had the card testing return yet. Fingers crossed that the updates helped for you.

    Thread Starter sonic1243

    (@sonic1243)

    It’s gone quiet again here, for 4 weeks .. so… will mark it resolved for now. TY
