[wp-hackers] Any other way to do it? (or, do we really need Nonces?)
Peter Westwood
peter.westwood at ftwr.co.uk
Sat Mar 3 12:03:06 GMT 2007
Mark Jaquith wrote:
> On Mar 2, 2007, at 8:13 PM, Robert Deaton wrote:
>
>> Sooner or later, you'll look at what the vulnerabilities actually are
>> and realize that this whole discussion really has nothing to do with
>> the vulnerabilities at hand. Regardless of POST or GET, these
>> vulnerabilities would have existed. POST is NOT a form of protection
>> against XSS, CSRF, etc. in any way, and more importantly these
>> vulnerabilities can be exploited through POST, for example when
>> writing a new post/page, the same lack of sanitization exists.
>
> Underline. Highlight. Gold star.
>
> This comes up again and again. POST does not protect against CSRF.
> POST cannot constitute verification of intention because people can
> force you to POST (JavaScript) or trick you into POSTing. Nonces exist
> to protect against CSRF, against unintentional authorized actions. They
> verify intention, because they pass along a piece of information that
> you'd only have if you were making the request from an authorized page.
>
> Nonces are here to stay. For GET and POST alike.
>
> For more on Nonces and why they are necessary, read:
>
> http://markjaquith.wordpress.com/2006/06/02/wordpress-203-nonces/
>
+1 The exact point I tried to make further back up this thread!
westi
--
Peter Westwood
http://blog.ftwr.co.uk
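To make the thread's point concrete, here is an added Python model (not WordPress code, and not from any poster) of a WordPress-style nonce: an HMAC over a time tick, an action and the user, checked by a handler that also happens to require POST. The secret key, the tick length and the request dictionaries are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed sample secret; a real deployment uses its own random key.
SECRET_KEY = b"constructed-sample-secret-key"
NONCE_LIFE = 24 * 60 * 60  # seconds; a nonce stays valid across two half-life "ticks"


def _tick(now=None):
    """Time bucket the nonce is bound to (simplified model of the WordPress tick)."""
    now = time.time() if now is None else now
    return int(now // (NONCE_LIFE / 2))


def _mac(tick, action, user_id):
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:16]


def create_nonce(action, user_id, now=None):
    """Emitted into the form on the authorized page; only that page's viewer gets it."""
    return _mac(_tick(now), action, user_id)


def verify_nonce(nonce, action, user_id, now=None):
    """Return 1 (fresh), 2 (aging but still valid) or False."""
    for age, tick in ((1, _tick(now)), (2, _tick(now) - 1)):
        if hmac.compare_digest(nonce, _mac(tick, action, user_id)):
            return age
    return False


def handle_delete_post(request, session_user_id):
    """Server handler: the session cookie identifies the user, the nonce proves intent."""
    if request["method"] != "POST":
        return "405 method not allowed"
    post_id = request["params"].get("post")
    nonce = request["params"].get("_wpnonce", "")
    if not verify_nonce(nonce, f"delete-post_{post_id}", session_user_id):
        return "403 nonce check failed"
    return f"200 deleted post {post_id}"


def authorized_page_form(post_id, user_id):
    """The form the legitimate admin page renders for this user and action."""
    nonce = create_nonce(f"delete-post_{post_id}", user_id)
    return {"method": "POST", "params": {"post": post_id, "_wpnonce": nonce}}


def cross_site_form(post_id):
    """A POST submitted from another origin: the browser attaches the session
    cookie by itself, but that origin never saw the nonce, so the field is absent."""
    return {"method": "POST", "params": {"post": post_id}}
```

The cross-site form is a POST and arrives with a valid session, yet fails, which is the whole reason the method check alone verifies nothing.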