GenesisBits

Reputation: 346

403 Forbidden when using specific parameter value in Rest URL

I have an API that I created that's been working fine for me and my users for years. You can use it to query something called "Card Sets" like so:

https://db.ygoprodeck.com/api/v7/cardinfo.php?&cardsetocg=Metal%20Raiders

You can then use a URL encoded ; to search multiple ones, like so:

https://db.ygoprodeck.com/api/v7/cardinfo.php?&cardsetocg=Metal%20Raiders%3BMagic%20Ruler

We have a new set called Selection 10 that is for some reason causing issues. We never had issues with the other 800+ ones.

Calling it alone works:

https://db.ygoprodeck.com/api/v7/cardinfo.php?&cardsetocg=Selection%2010

Calling it with any other set causes 403 forbidden:

https://db.ygoprodeck.com/api/v7/cardinfo.php?&cardsetocg=Metal%20Raiders%3BSelection%2010

No other set causes this forbidden error. I have re-created the API in a separate file structure with a different .htaccess file and the issue persists.

Server Information:

.htaccess contents:

RewriteEngine On
# Map /name/ to name.php and /a/b/ to /a/b.php when no real file exists
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^/]+)/$ $1.php
RewriteRule ^([^/]+)/([^/]+)/$ /$1/$2.php
# Add a trailing slash to extension-less paths that are not files or directories
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !(\.[a-zA-Z0-9]{1,5}|/)$
RewriteRule (.*)$ /$1/ [R=301,L]
ErrorDocument 404 /not-found.php

# Redirect www.<host> to the bare host
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ http://%1/$1 [R=301,L]

# Cache headers (requires mod_headers)
<FilesMatch "service-worker\.(js)$">
Header set Cache-Control "max-age=2419200, public, must-revalidate"
</FilesMatch>

<FilesMatch "\.(jpg|jpeg|gif|png|ico|js)$">
Header set Cache-Control "max-age=2419200, public, must-revalidate"
</FilesMatch>

# Always serve the 403 page itself, then block two specific client addresses
<Files 403.shtml>
order allow,deny
allow from all
</Files>
deny from 70.24.57.210
deny from 204.14.239.137

EDIT: Swapping the two parameter values around seems to make it work, but that isn't a solution and doesn't tell me what the problem is.

https://db.ygoprodeck.com/api/v7/cardinfo.php?&cardsetocg=Selection%2010%3BMetal%20Raiders

Upvotes: 3

Views: 1430

Answers (1)

GenesisBits

Reputation: 346

Turns out it was triggering the modsecurity server firewall.

It was being detected as a SQL injection attack due to this part in the URL:

;Select

In hindsight, it does make sense why that would be blocked and why leading with Selection seems to have been ok.

Upvotes: 3
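The following is an added example, not code from the original post or from the ygoprodeck API. It mimics a simplified WAF SQL-injection signature (an assumption standing in for the real ModSecurity rule, which is more elaborate) to show why the decoded value "Metal Raiders;Selection 10" trips it while "Selection 10;Metal Raiders" does not, and it shows an allowlist check the API side can apply to the cardsetocg parameter. KNOWN_SETS is a constructed stand-in for the real list of card sets.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Simplified stand-in for a WAF SQLi signature (assumption: the real rule is
# more elaborate). A statement separator ';' followed by a SQL keyword is
# flagged; no trailing word boundary, so ';Selection' matches via ';Select'.
SQLI_SIGNATURE = re.compile(r";\s*(select|union|insert|update|delete|drop)",
                            re.IGNORECASE)

# Constructed allowlist standing in for the API's real 800+ card set names.
KNOWN_SETS = {"Metal Raiders", "Magic Ruler", "Selection 10"}


def waf_flags(url: str) -> bool:
    """True if any decoded query value trips the simplified signature.

    A WAF inspects the URL-decoded argument, so %3B is ';' before matching.
    """
    args = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return any(SQLI_SIGNATURE.search(v) for vals in args.values() for v in vals)


def parse_card_sets(param: str) -> list[str]:
    """Split the ';'-separated cardsetocg value and accept only known names.

    Validating against an allowlist means the value never reaches a SQL
    string as free text, which is the risk the WAF rule exists to cover.
    """
    names = [n.strip() for n in param.split(";") if n.strip()]
    unknown = [n for n in names if n not in KNOWN_SETS]
    if unknown:
        raise ValueError(f"unknown card set(s): {unknown}")
    return names


def card_sets_from_url(url: str) -> list[str]:
    """Extract and validate cardsetocg from a full request URL."""
    args = parse_qs(urlsplit(url).query)
    return parse_card_sets(args.get("cardsetocg", [""])[0])


if __name__ == "__main__":
    base = "https://db.ygoprodeck.com/api/v7/cardinfo.php?&cardsetocg="
    for q in ("Metal%20Raiders%3BSelection%2010",
              "Selection%2010%3BMetal%20Raiders"):
        print(q, "-> WAF flags:", waf_flags(base + q))
```

The durable fix on the ModSecurity side is a per-parameter exclusion for the specific rule that fired (its id is not given in the post), not disabling SQLi rules globally.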
