Oops! We ran into some problems. Please try again later. More error details may be in the browser console.

[+ stevenkesslar]

@RadioRob occasionally since the site was moved I get this message which I never got before when I try to post something.

 

Oops! We ran into some problems. Please try again later. More error details may be in the browser console.

 

I have no idea what it means. Do you? I'm not even sure what "details may be in the browser console" refers to.

 

It seems like it happens if I leave something I have not posted yet open on a browser. I know the software saves unposted text for a while because sometimes I might draft something one day and post it the next. So I might type a few paragraphs, then go to find some poll that supports what I said. And then do the same thing again in a later paragraph. So the draft post has been up on my screen for a while, but I have not hit "post thread." When I do hit "post thread" now I sometimes get that error message above. If I then refresh my screen I will see a draft version of what I have typed that was saved at some point along the way. But it's not all the text I had typed before I hit "post." So I can hit "post" and the partial text that was saved by the software at some point will post correctly. But then if I try to edit that post and add the rest of the text it gives me the same error message above. It seems to have something to do with how a draft post that has not been posted to the site yet is saved on the system.

 

Do you have any idea why this happens and how I can avoid it?

 

Thanks.

[RadioRob]

I looked up your IP address from your post above and plugged it into the firewall protecting the site/server. I'm seeing a bunch of instances where the firewall is flagging the request as malicious. It looks like it's flagged 56 requests for you as suspect in the last 24 hours. An example in the logs:

 

Ray ID

64ef50720bad3631

Method: POST

HTTP Version: HTTP/3

Host www.companyofmen.org

Path /posts/2122004/edit

Query string Empty query string

User agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36

Service WAF

Rule ID OWASP Block (981176)

Rule message Inbound Anomaly Score Exceeded

Rule group OWASP Inbound Blocking

OWASP Score 85

Action taken Challenge

Additional logs

 

[TABLE]

[TR]

[TD]960024 · Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters[/TD]

[TD]OWASP Generic Attacks[/TD]

[TD]Log[/TD]

[/TR]

[TR]

[TD]981317 · SQL SELECT Statement Anomaly Detection Alert[/TD]

[TD]OWASP SQL Injection Attacks[/TD]

[TD]Log[/TD]

[/TR]

[TR]

[TD]959072 · SQL Injection Attack[/TD]

[TD]OWASP SQL Injection Attacks[/TD]

[TD]Log[/TD]

[/TR]

[TR]

[TD]981257 · Detects MySQL comment-/space-obfuscated injections and backtick termination[/TD]

[TD]OWASP SQL Injection Attacks[/TD]

[TD]Log[/TD]

[/TR]

[/TABLE]

 

What I've done for now is lowered the firewall sensitivity settings to see if that quits catching the false positive. If it still frequently seems to occur, let me know, as I'll have to create a specific rule to disable SQL injection protections for the post edit path (/posts/{id}/edit).

 

See?!? Even the firewall knows how much of a troublemaker you are!

[+ stevenkesslar]

I looked up your IP address from your post above and plugged it into the firewall protecting the site/server. I'm seeing a bunch of instances where the firewall is flagging the request as malicious. It looks like it's flagged 56 requests for you as suspect in the last 24 hours. An example in the logs:

 

Ray ID

64ef50720bad3631

Method: POST

HTTP Version: HTTP/3

Host www.companyofmen.org

Path /posts/2122004/edit

Query string Empty query string

User agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36

Service WAF

Rule ID OWASP Block (981176)

Rule message Inbound Anomaly Score Exceeded

Rule group OWASP Inbound Blocking

OWASP Score 85

Action taken Challenge

Additional logs

 

[TABLE]

[TR]

[TD]960024 · Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters[/TD]

[TD]OWASP Generic Attacks[/TD]

[TD]Log[/TD]

[/TR]

[TR]

[TD]981317 · SQL SELECT Statement Anomaly Detection Alert[/TD]

[TD]OWASP SQL Injection Attacks[/TD]

[TD]Log[/TD]

[/TR]

[TR]

[TD]959072 · SQL Injection Attack[/TD]

[TD]OWASP SQL Injection Attacks[/TD]

[TD]Log[/TD]

[/TR]

[TR]

[TD]981257 · Detects MySQL comment-/space-obfuscated injections and backtick termination[/TD]

[TD]OWASP SQL Injection Attacks[/TD]

[TD]Log[/TD]

[/TR]

[/TABLE]

 

What I've done for now is lowered the firewall sensitivity settings to see if that quits catching the false positive. If it still frequently seems to occur, let me know, as I'll have to create a specific rule to disable SQL injection protections for the post edit path (/posts/{id}/edit).

 

See?!? Even the firewall knows how much of a troublemaker you are!

 

Thanks Rob.

 

Some of the techno talk is lost on me, but I get the basic idea. That number 56 is surprising, because that error message I got didn't happen 56 times, or anything close. I was trying to figure out ways to cut and paste text to get it to post. So maybe once the firewall read something I did as malicious that triggered more of the same.

 

I'll do what you said and see how it goes. But based on what I said can you think of anything specific I'm doing that triggered the firewall? It doesn't happen at all if I type a one sentence post. Nor does it happen with most of my long posts. That said, I'm not the only person who types longer posts and edits them. So I'm assuming if this is an issue for me it could be for other people, whether they report it or not.

 

By the way, the problem does sort of self correct. I'll give you an example. This is very detail-oriented.

 

https://www.companyofmen.org/threads/iranian-gay-man-beheaded-by-his-family.164886/page-6#post-2122004

 

There are two posts there one after another that were originally one post. While I was typing the post I repeatedly went looking for poll data or reports I hyperlinked to back up my argument. So maybe I spent an hour on that. By the time I hit "post thread" I got the error message. So I opened another browser and maybe about one third of the entire post had already been auto saved. So I was able to post the part of the text that had already been saved, which is what you see in the first of two posts. I repeatedly tried different ways to edit that post to add the additional text, and it kept giving me that error message.

 

I then tried simply posting the rest of the text as a second post several times. That gave me the same error message, too. Since part of the error message was "please try again later" I decided to go post other stuff on other threads, which I had no problem doing. About an hour later I came back to that Iran thread. All that text I could not post an hour earlier was still there as saved text. So I hit "post thread" and it posted immediately, even though it wouldn't maybe an hour earlier. Because I cut and pasted the text it had removed the hyperlink to the Gallup survey I cited. So then I had to play around with edit to get the hyperlink back in, which I eventually did. At first I simply tried to edit and add a hyperlink, which it would not let me do. Then I edited a few spelling errors, which it would let me do. Then I tried to add the Gallup hyperlink again, and the second time it would let me do it.

 

So it does seem like a firewall issue, that only happens when it involves drafts and edits and probably has to do with frequency. As you said, I'll just see how it goes. Thanks for your help.

[RadioRob]

Remember as you’re typing, Xenforo tries to auto save every minute or so. That is done by your browser triggering a JavaScript running in your browser to capture what’s in the post buffer and submit it to the server in the background to save. The firewall does not know the difference. It just sees a request with a payload in it. So many of the 56 attempts were most likely just the auto saves. You would not have seen those attempts because they’re done in the background.

 

Regarding WHY… ultimately it’s what is known as a false positive. Meaning my settings are so high that they’re TOO sensitive. A firewall attempts to guess what is good and what is bad. Sometimes it guesses wrong and catches a good guy by mistake. That’s what makes it a “false positive”. You’re not doing anything wrong yourself. You’re just posting and interacting with the site. The fix is on me to figure out how to adjust the sensitivity settings so they’re strong enough to stop bad attempts but not so strong as to block legitimate requests as well.

 

In an ideal world, this tuning process would have occurred over a period of a few months. Because of Daddy’s death, we did not have the luxury of time. We had to move fast and put things in place as we went. While this works, it does lead to situations where there can be “collateral damage” as you don’t have multiple days/weeks to measure the impact of what settings are being put in place.

 

As you could see in this case, it was not a situation that was occurring on every request. Instead it only happened in certain situations so it would not have manifested in just a normal check of the site.

 

So just keep doing what you do. If you run into problems let me know. The more details provided, the easier it is for me to get to the root of the problem and fix it. I’ll take care of the technobabble Mr Spock geek stuff.

[RadioRob]

By the way… hyperlinks increase your chance for flagging bad rules. Hyperlinks contain items in the background such as slashes, and potentially other symbols. While it’s not against the “server rules”, a firewall will inspect them more closely.

 

Think of a security guard. If a person walks in to a store wearing a hat, it’s not necessarily suspicious. If they walk in wearing a hat, sunglasses, looking around nervously etc they might watch that person more closely.

 

Part of what I’m dialing down is the level of scrutiny around hyperlinks so the firewall is a bit less sensitive about them. (Its racially profiling them just a bit less.)

[RadioRob]

Just following up on this. Checked the firewall logs and don't see any new blocks/denies that have been logged since I made some changes.

[+ stevenkesslar]

Just following up on this. Checked the firewall logs and don't see any new blocks/denies that have been logged since I made some changes.

 

Nope. Hasn't happened again. I'll let you know if it does. Thanks Rob.