[wp-hackers] Any other way to do it? (or, do we really need Nonces?)

Mark Jaquith mark.wordpress at txfx.net
Sat Mar 3 05:46:15 GMT 2007

On Mar 2, 2007, at 8:13 PM, Robert Deaton wrote:

> Sooner or later, you'll look at what the vulnerabilities actually are
> and realize that this whole discussion really has nothing to do with
> the vulnerabilities at hand. Regardless of POST or GET, these
> vulnerabilities would have existed. POST is NOT a form of protection
> against XSS, CSRF, etc. in any way, and more importantly these
> vulnerabilities can be exploited through POST, for example when
> writing a new post/page, the same lack of sanitization exists.

Underline.  Highlight.  Gold star.

This comes up again and again.  POST does not protect against CSRF.   
POST cannot constitute verification of intention because people can  
force you to POST (JavaScript) or trick you into POSTing.  Nonces  
exist to protect against CSRF, against unintentional authorized  
actions.  They verify intention, because they pass along a piece of  
information that you'd only have if you were making the request from  
an authorized page.

Nonces are here to stay.  For GET and POST alike.

For more on Nonces any why they are necessary, read:


Mark Jaquith

Covered Web Services

More information about the wp-hackers mailing list