Update woocommerce thankyou page based on API request result

I created a custom WooCommerce payment gateway plugin. First I call an API, take the formUrl from the response result and then redirect the user to this payment form. At this step everything is OK.

After the user enters his credit card info and clicks validate, the system redirects him to the default "order-received" page.

Before loading this page, I want to call another API to check the payment status. If the response body has orderStatus == 1, I want to show the description from the response body (description = "Request processed successfully"), reduce the order stock, update the order status and then display the order details. If orderStatus == 2, I want to change the order status to 'failed' manually to show the default woocommerce-thankyou-order-failed message ("Unfortunately your order cannot be processed…") from the file thankyou.php, or just show a simple payment error message in this case.

In the payment class constructor I tried adding add_action( 'woocommerce_thankyou', 'thank_you_page', 20, 1 ); but I don't know how to add my custom function or how to adapt it to this requirement.

My plugin looks like this one : https://github.com/YTTechiePress/custom-woocommerce-payment-gateway/blob/master/lesson-1/noob-payment-for-woocommerce.php
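One way to do the status check before the order-received page renders, as an added example that is not the poster's plugin or the linked lesson code; the gateway id example_gateway, the status API URL and request body, the orderStatus/description fields and the meta key are assumptions:

```php
<?php
// Added example (not the poster's plugin): verify payment on template_redirect,
// before the order-received page renders, so thankyou.php shows the right view.
add_action( 'template_redirect', 'example_verify_payment_before_thankyou' );
add_action( 'woocommerce_thankyou', 'example_show_gateway_description' );

function example_verify_payment_before_thankyou() {
    if ( ! is_wc_endpoint_url( 'order-received' ) ) {
        return;
    }
    $order = wc_get_order( absint( get_query_var( 'order-received' ) ) );
    // The ?key= in the URL must match the order; never act on the id alone.
    $key = isset( $_GET['key'] ) ? wc_clean( wp_unslash( $_GET['key'] ) ) : '';
    if ( ! $order || ! hash_equals( $order->get_order_key(), $key ) ) {
        return;
    }
    // Pending orders of this gateway (id assumed) only: a reload must not re-run payment_complete().
    if ( 'example_gateway' !== $order->get_payment_method() || ! $order->has_status( 'pending' ) ) {
        return;
    }
    // Server-to-server status lookup; URL and body format are assumptions.
    $response = wp_remote_post( 'https://psp.example.invalid/api/status', array(
        'timeout' => 15,
        'headers' => array( 'Content-Type' => 'application/json' ),
        'body'    => wp_json_encode( array( 'orderId' => $order->get_id() ) ),
    ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        $order->add_order_note( 'Payment status check unavailable; order left pending.' );
        return; // Unknown result: mark neither paid nor failed.
    }
    $body   = json_decode( wp_remote_retrieve_body( $response ), true );
    $status = isset( $body['orderStatus'] ) ? (int) $body['orderStatus'] : 0;
    $desc   = isset( $body['description'] ) ? sanitize_text_field( $body['description'] ) : '';
    $order->update_meta_data( '_example_gateway_description', $desc );
    if ( 1 === $status ) {
        // Sets processing/completed and fires woocommerce_payment_complete, where WooCommerce reduces stock.
        $order->payment_complete();
    } elseif ( 2 === $status ) {
        // 'failed' makes thankyou.php render its "cannot be processed" block.
        $order->update_status( 'failed', 'Gateway: ' . $desc );
    }
}

function example_show_gateway_description( $order_id ) {
    $order = wc_get_order( $order_id );
    $desc  = $order ? $order->get_meta( '_example_gateway_description' ) : '';
    if ( $desc ) {
        echo '<p class="woocommerce-info">' . esc_html( $desc ) . '</p>';
    }
}
```

Because the browser redirect can be replayed or never arrive, a gateway webhook should remain the authoritative signal; this hook only makes the page the customer sees consistent with the verified status.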

DBC error: unknow reply: unable to complete request

I have been using the deathbycaptcha service perfectly for weeks, however, today I get the following error:
My credentials are OK, I have verified them several times, I have a balance on the platform and I have even recharged more credits; I have restarted my PC and nothing, I still get the message and it is not active. Is it a deathbycaptcha error or some GSA bug? Any solution?

Trying to run an add_action within a function to run a WooCommerce function on an ajax request

I am able to get an ajax request to work properly on a WooCommerce checkout form page; now I want to update the price of the checkout in that ajax request. My add_action is in the function that is fired by the ajax request.

This is all done in a custom plugin as well.

Here is my code so far; it doesn't seem like the function request_gift_card ever fires.

function gift_card_redeem() {
    if ( ! empty( $_SERVER['HTTP_X_REQUESTED_WITH'] ) && strtolower( $_SERVER['HTTP_X_REQUESTED_WITH'] ) == 'xmlhttprequest' ) {
        error_log( "test !empty" );

        add_action( 'woocommerce_before_calculate_totals', 'request_gift_card', 99 );

        function request_gift_card( $cart_object ) {
            if ( ! WC()->session->__isset( "reload_checkout" ) ) {
                /* Gift wrap price */
                $additionalPrice = 5;
                // A WC_Cart object cannot be cast to string; dump it instead.
                error_log( print_r( $cart_object, true ) );
                foreach ( $cart_object->cart_contents as $key => $value ) {
                    if ( isset( $value["embossing_fee"] ) ) {
                        // Turn $value['data']->price in to $value['data']->get_price()
                        $orgPrice  = floatval( $value['data']->get_price() );
                        $discPrice = $orgPrice + $additionalPrice;
                        $value['data']->set_price( $discPrice );
                    }
                }
            }
        }

        $result         = array();
        $result['type'] = "success";
        $result         = json_encode( $result );
        echo $result;
    } else {
        error_log( "test else" );
        header( "Location: " . $_SERVER["HTTP_REFERER"] );
    }
    die();
}
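A pattern that does fire, added here as an example and not the poster's code: the ajax action only stores the redemption in the WooCommerce session, and the price hook is registered at plugin load so it is already in place when the checkout recalculates totals. It assumes the checkout page exposes a nonce created with wp_create_nonce( 'example_gift_card' ) and that example_gift_card_is_valid() stands in for the plugin's real gift card lookup.

```php
<?php
// Added example (not the poster's code): the ajax handler only records the
// request in the WooCommerce session; the price hook is registered at load
// time, so it already exists when checkout recalculates totals.
add_action( 'wp_ajax_example_redeem_gift_card', 'example_redeem_gift_card' );
add_action( 'wp_ajax_nopriv_example_redeem_gift_card', 'example_redeem_gift_card' );
add_action( 'woocommerce_before_calculate_totals', 'example_apply_embossing_fee', 99 );

function example_redeem_gift_card() {
    // A nonce ties the request to the page that rendered it; the
    // X-Requested-With header can be set by any caller.
    check_ajax_referer( 'example_gift_card', 'nonce' );
    $code = isset( $_POST['code'] ) ? sanitize_text_field( wp_unslash( $_POST['code'] ) ) : '';
    if ( ! WC()->session || ! example_gift_card_is_valid( $code ) ) {
        wp_send_json_error( array( 'message' => 'Invalid gift card' ), 400 );
    }
    WC()->session->set( 'example_embossing_fee', 5 );
    // The page then triggers jQuery(document.body).trigger('update_checkout'),
    // which makes WooCommerce recalculate totals and run the hook below.
    wp_send_json_success( array( 'type' => 'success' ) );
}

function example_apply_embossing_fee( $cart ) {
    // Skip admin screens, and the second pass WooCommerce makes per request,
    // otherwise the surcharge is added twice to the same product objects.
    if ( ( is_admin() && ! defined( 'DOING_AJAX' ) ) || did_action( 'woocommerce_before_calculate_totals' ) >= 2 ) {
        return;
    }
    $fee = WC()->session ? (float) WC()->session->get( 'example_embossing_fee', 0 ) : 0;
    if ( $fee <= 0 ) {
        return;
    }
    foreach ( $cart->get_cart() as $item ) {
        if ( isset( $item['embossing_fee'] ) ) {
            $item['data']->set_price( (float) $item['data']->get_price() + $fee );
        }
    }
}

// Assumed helper: a real plugin would look the code up in its own store.
function example_gift_card_is_valid( $code ) {
    return 'DEMO-0000' === $code;
}
```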

What am I doing wrong with this SOAP request? Getting error "invalid timeout format" [closed]

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <SecurityHeader xmlns="http://services.medconnect.net/submissionportal">
      <UserName>2143883</UserName>
      <Password><![CDATA[I3zt!7&W]]></Password>
    </SecurityHeader>
  </soap:Header>
  <soap:Body>
    <SubmitSync xmlns="http://services.medconnect.net/submissionportal">
      <request><![CDATA[ISA*00*          *00*          *ZZ*EXPEDIUM       *30*204202692      *200904*0419*^*00501*007281118*0*P*:~GS*HS*EXPEDIUM*204202692*20200904*0419*7281119*X*005010X279A1~ST*270*007281120*005010X279A1~BHT*0022*13*7281120*20200904*0419~HL*1**20*1~NM1*PR*2*BCBS OF NORTH CAROLINA*****PI*10383~HL*2*1*21*1~NM1*1P*2*BEAUFORT COUNTY HEALTH DEPARTMENT*****XX*1679576763~REF*TJ*566001521~PRV*PE*PXC*261QP0905X~HL*3*2*22*0~TRN*1*1013076869*9919649646~NM1*IL*1*BROWN*JEAN*M***MI*KBOW1747326401~REF*SY*141117752~DMG*D8*19650504*F~DTP*291*D8*20200904~EQ*30~SE*16*007281120~GE*1*7281119~IEA*1*007281118]]></request>
      <requestFormat>EDI</requestFormat>
      <responseFormat>EDI</responseFormat>
      <synchronousTimeout>00:01:00</synchronousTimeout>
      <submissionTimeout>00:01:00</submissionTimeout>
    </SubmitSync>
  </soap:Body>
</soap:Envelope>

Response
-----------

<faultstring>Invalid Timeout Format: , Valid Format: d.hh:mm:ss, Note: Hours &lt;= 23, Minutes &lt;= 59, Seconds &lt;= 59</faultstring>

Please advise on this.

No route was found matching the URL and request method. I don’t understand where the problem is

When I send parameters, I get this: No route was found matching the URL and request method.

/**
 * Add json data on plugin.
 */
add_action( 'rest_api_init', 'register_api_hooks' );
function register_api_hooks() {
    register_rest_route(
        'passwordless_register/v0',
        // The query string is never part of the matched route, so the token cannot be
        // captured here; it is read from the query params in the handler. The email
        // segment must also allow "@" and ".", which [a-zA-Z0-9-]+ rejected.
        '/register/(?P<name>[a-zA-Z0-9-]+)/(?P<email>[^/]+)',
        array(
            'methods'             => 'POST',
            'callback'            => 'wc_rest_user_endpoint_handler',
            // Required since WP 5.5; the policy (only users who may create users) is an assumption.
            'permission_callback' => function () { return current_user_can( 'create_users' ); },
        )
    );
}

/**
 * Register a new user
 *
 * @param  WP_REST_Request $request Full details about the request.
 * @return array $args.
 **/
function wc_rest_user_endpoint_handler( $request ) {
    // Do not replace the incoming request with an empty one; read from it instead.
    $username = $request['name'];
    $email    = $request['email'];
    // The AAM token now arrives as a query parameter (available if the plugin needs it).
    $token    = $request->get_query_params()['aam-jwt'] ?? '';
    $response = array();
    $error    = new WP_Error();
    if ( empty( $username ) ) {
        $error->add( 400, __( "name field 'username' is required.", 'wp-rest-user' ), array( 'status' => 400 ) );
        return $error;
    }
    if ( empty( $email ) ) {
        $error->add( 401, __( "Email field 'email' is required.", 'wp-rest-user' ), array( 'status' => 400 ) );
        return $error;
    }
    $user_id = username_exists( $username );
    if ( ! $user_id && email_exists( $email ) == false ) {
        $password = wp_generate_password( 20, false );
        $user_id  = wp_create_user( $username, $password, $email );
        if ( ! is_wp_error( $user_id ) ) {
            // Get User Meta Data (Sensitive, Password included. DO NOT pass to front end.)
            $user = get_user_by( 'id', $user_id );
            // $user->set_role( $role );
            $user->set_role( 'subscriber' );
            // WooCommerce specific code
            if ( class_exists( 'WooCommerce' ) ) {
                $user->set_role( 'customer' );
            }
            // Get User Data (Non-Sensitive, Pass to front end.)
            // wp_nonce_field() with echo=false returns hidden-input markup, not a nonce
            // value; wp_create_nonce() gives the value wpa_generate_url() expects.
            $nonce      = wp_create_nonce( 'wpa_passwordless_login_request' );
            $unique_url = wpa_generate_url( $email, $nonce );
            $response['code']    = 200;
            $response['message'] = __( "User '" . $username . "' Registration was Successful", "wp-rest-user" );
            $response['mail']    = __( "Mail '" . $email . "' Registration was Successful", "wp-rest-email" );
            // The generated password is sensitive and is deliberately not returned.
            $response['url']     = __( "Link '" . $unique_url . "' Registration was Successful", "wp-rest-url" );
        } else {
            return $user_id;
        }
    } else {
        $error->add( 406, __( "Email already exists, please try 'Reset Password'", 'wp-rest-user' ), array( 'status' => 400 ) );
        return $error;
    }
    return new WP_REST_Response( $response, 200 ); // 123 is not a valid HTTP status code
}
// add_action( 'after_setup_theme', 'passwordless_register/v0' ) was a no-op: the
// callback is a namespace string, not a function, so it has been removed.
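Added example (standalone PHP, not the poster's plugin) showing why the route never matches: WP_REST_Server tests the route regex against the request path only, so the query string and the token in it are never visible to the pattern; example_route_matches() is a hypothetical helper that mirrors that match.

```php
<?php
// Added example (no WordPress needed): WP_REST_Server::dispatch() matches each
// route regex against the request PATH with the query string removed, so a
// token sent as ?aam-jwt=... can never be captured by the route pattern.
function example_route_matches( $route, $url ) {
    $path = explode( '?', $url, 2 )[0];
    // Same anchoring and case-insensitive flag WordPress uses for routes.
    if ( ! preg_match( '@^' . $route . '$@i', $path, $m ) ) {
        return false;
    }
    // Keep only the named groups, which is what $request['name'] etc. expose.
    return array_filter( $m, 'is_string', ARRAY_FILTER_USE_KEY );
}

// Constructed request: a normal registration call with the token in the query string.
$url = '/passwordless_register/v0/register/john/john@example.com?aam-jwt=abc123';

// The route from the question: "/?aam-jwt=" only makes the slash optional and then
// demands a literal "aam-jwt=" in the path; "[a-zA-Z0-9-]+" also rejects the "@"
// and "." of any real email address. Result: no route found.
$original = '/passwordless_register/v0/register/(?P<name>[a-zA-Z0-9-]+)/(?P<email>[a-zA-Z0-9-]+)/?aam-jwt=(?P<token>[a-zA-Z0-9-]+)';
var_dump( example_route_matches( $original, $url ) ); // bool(false)

// Corrected: email segment widened, token left to the query string.
$fixed = '/passwordless_register/v0/register/(?P<name>[a-zA-Z0-9-]+)/(?P<email>[^/]+)';
print_r( example_route_matches( $fixed, $url ) );
// Array ( [name] => john [email] => john@example.com )

// In the real handler the token is then read with
// $request->get_query_params()['aam-jwt'] rather than from the route.
```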

HTTP Request Smuggling Basics

I am currently trying to learn about the HTTP Request Smuggling vulnerability to further enhance my pen testing skills. I have watched a couple of videos on YouTube and read articles online about it, but still have a couple of questions in mind. Questions:

  • What are the attack vectors of HTTP Req Smuggling (Where should I look)?
  • What is the main way to provide a PoC to companies with high traffic? I know that HTTP Smuggling could possibly steal people's cookies; can this be used for the PoC or is this illegal?
  • Can this or other vulnerabilities be chained together? (e.g. self-XSS & CSRF)

Thank you everyone!

Information exposure through query strings in url of a POST request [duplicate]

I can't seem to find any information online about information exposure through query strings in the URL of a POST request.

I understand it is an issue when it's sent in an HTTP GET. Wondering if it would still be an issue when it's sent in a POST?

e.g.

POST /api/view?username=USER 

Weird GET request on internet facing Nginx

I spun up an internet-facing nginx server in AWS and the logs started showing weird GET requests with a search engine's spider as user agent.

172.31.43.193 - - [19/Aug/2020:20:09:19 +0000] "GET /rexcategory?categoryCodes=SHPCAT33&t=1360657001168 HTTP/1.1" 404 153 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)" "49.7.20.159"

2020/08/19 20:08:39 [error] 29#29: *14 open() "/usr/share/nginx/html/eyloyrewards/category" failed (2: No such file or directory), client: 172.31.43.193, server: localhost, request: "GET /eyloyrewards/category?categoryCode=SHPCAT118&t=1314948609334 HTTP/1.1", host: "www.rewards.etihadguest.com"

172.31.43.193 - - [19/Aug/2020:20:08:39 +0000] "GET /eyloyrewards/category?categoryCode=SHPCAT118&t=1314948609334 HTTP/1.1" 404 153 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)" "49.7.20.159"

The domain mentioned in the second line does not belong to me. What is the meaning of these logs? Is my server being used to attack the mentioned domain, "www.rewards.etihadguest.com" ?
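An added example (not from the post) that runs the check a defender would want over such lines: parse the error-log format shown above and list requests whose Host header is not a name this server is meant to serve; the served-host list and the second, benign log line are constructed.

```php
<?php
// Added example (not from the post): flag requests whose Host header names a
// site this server does not host. A 404 for such a request means nginx served
// nothing for that domain; the request only reached this IP because the sender
// (here a crawler replaying old URLs) associated the name with it.
function example_find_foreign_hosts( array $lines, array $served_hosts ) {
    $found = array();
    // Fields of nginx's default error_log line: client, server, request, host.
    $re = '/client: (?P<client>[^,]+), server: (?P<server>[^,]+), ' .
          'request: "(?P<request>[^"]*)", host: "(?P<host>[^"]+)"/';
    foreach ( $lines as $line ) {
        if ( ! preg_match( $re, $line, $m ) ) {
            continue; // not an error-log line with a host field
        }
        $host = strtolower( $m['host'] );
        if ( ! in_array( $host, $served_hosts, true ) ) {
            $found[] = array( 'client' => $m['client'], 'host' => $host, 'request' => $m['request'] );
        }
    }
    return $found;
}

// Sample input: the error-log line from the question plus one constructed benign line.
$lines = array(
    '2020/08/19 20:08:39 [error] 29#29: *14 open() "/usr/share/nginx/html/eyloyrewards/category" failed (2: No such file or directory), client: 172.31.43.193, server: localhost, request: "GET /eyloyrewards/category?categoryCode=SHPCAT118&t=1314948609334 HTTP/1.1", host: "www.rewards.etihadguest.com"',
    '2020/08/19 20:10:00 [error] 29#29: *15 open() "/usr/share/nginx/html/missing.png" failed (2: No such file or directory), client: 203.0.113.7, server: localhost, request: "GET /missing.png HTTP/1.1", host: "www.my-site.example"',
);
print_r( example_find_foreign_hosts( $lines, array( 'www.my-site.example' ) ) );
// Reports only the www.rewards.etihadguest.com request.

// Once such requests are identified, the usual nginx fix is a catch-all block
// (listen 80 default_server; return 444;) so unknown Host values get no page at all.
```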

I am seeing ICMP type 3 error messages in my firewall logs. However, I am unable to find the original request sent to that external IP [closed]

No matching connection for ICMP error message: icmp src inside: X.X.X.98 dst outside: X.X.X.11 (type 3, code 2) on inside interface. Original IP payload: udp src X.X.X.11/53 dst X.X.X.98/52906.

Can somebody please help me understand the cause?

Transformation of an object into parameter value on submission of request

Today I saw a rather weird phenomenon when submitting a request spontaneously.

The URL I typed looked something like below:

https://example.com/en/trade/pro?layout= and when submitted it transformed into https://example.com/en/trade?layout=pro

If I perceived it correctly, the pro object moved to the value of layout (if not just visually).

It didn't work for https://example.com/en/trade/test?layout= which, when submitted, should transform into https://example.com/en/trade?layout=test; that didn't work.

It did only work for the pro object.

Is this a behavior made by developers of the site or could this eventually lead to something interesting?