The &hash= is triggering the vulnerability-probing-detection code, and getting blocked. Ask the payment gateway service for some other way to pass that parameter.