[wp-hackers] Any other way to do it? (or, do we really need Nonces?)
Mark Jaquith
mark.wordpress at txfx.net
Sat Mar 3 05:46:15 GMT 2007
On Mar 2, 2007, at 8:13 PM, Robert Deaton wrote:
> Sooner or later, you'll look at what the vulnerabilities actually are
> and realize that this whole discussion really has nothing to do with
> the vulnerabilities at hand. Regardless of POST or GET, these
> vulnerabilities would have existed. POST is NOT a form of protection
> against XSS, CSRF, etc. in any way, and more importantly these
> vulnerabilities can be exploited through POST, for example when
> writing a new post/page, the same lack of sanitization exists.
Underline. Highlight. Gold star.
This comes up again and again. POST does not protect against CSRF.
POST cannot constitute verification of intention because people can
force you to POST (JavaScript) or trick you into POSTing. Nonces
exist to protect against CSRF, against unintentional authorized
actions. They verify intention, because they pass along a piece of
information that you'd only have if you were making the request from
an authorized page.
Nonces are here to stay. For GET and POST alike.
For more on Nonces and why they are necessary, read:
http://markjaquith.wordpress.com/2006/06/02/wordpress-203-nonces/
--
Mark Jaquith
http://markjaquith.com/
Covered Web Services
http://coveredwebservices.com/
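An added example (not WordPress code and not from this thread) that shows the principle Mark describes: a nonce is a value derived from a server-side secret plus the acting user, the specific action and a time window, so only a page the server rendered for that user carries it, and a cross-site POST forged by an attacker's JavaScript cannot supply it. The HMAC construction, the 12-hour tick, the `delete-post_7` action name and the secret key are all constructed for this illustration.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed secret for this example; a real site would generate its own.
SECRET_KEY = b"example-secret-key-do-not-use-in-production"

# A nonce is accepted for the tick it was issued in and the one before it,
# so a form left open for a while still verifies. 12-hour ticks are an
# assumption chosen for this example.
TICK_SECONDS = 12 * 60 * 60


def _tick(now: float) -> int:
    return int(now // TICK_SECONDS)


def _nonce_for_tick(tick: int, user_id: int, action: str) -> str:
    # Bind the value to the time window, the action and the user, then key it
    # with the server secret so nobody without the secret can compute it.
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:16]


def create_nonce(user_id: int, action: str, now: Optional[float] = None) -> str:
    """Nonce to embed in a form (or link) rendered for this user and action."""
    now = time.time() if now is None else now
    return _nonce_for_tick(_tick(now), user_id, action)


def verify_nonce(nonce: str, user_id: int, action: str,
                 now: Optional[float] = None) -> bool:
    """True only if the nonce was issued for this user, this action, and
    within the current or previous tick."""
    now = time.time() if now is None else now
    current = _tick(now)
    for tick in (current, current - 1):
        expected = _nonce_for_tick(tick, user_id, action)
        if hmac.compare_digest(nonce, expected):
            return True
    return False


def handle_delete_post(params: dict, session_user_id: int,
                       now: Optional[float] = None) -> str:
    """Server-side handler: the session proves who the browser belongs to,
    the nonce proves the request came from a page we rendered for that
    user. It does not matter whether the request arrived by GET or POST."""
    post_id = params.get("post")
    action = f"delete-post_{post_id}"
    if not verify_nonce(params.get("_nonce", ""), session_user_id, action, now):
        return "rejected"
    return f"deleted post {post_id}"


def demo(now: float = 1_700_000_000.0) -> dict:
    """Constructed scenario: user 1 is logged in (the session cookie is sent
    automatically with any request the browser makes, forged or not)."""
    user = 1
    # The admin page rendered for user 1 carries a nonce for this action.
    legit = {"post": "7", "_nonce": create_nonce(user, "delete-post_7", now)}
    # A cross-site page can make user 1's browser POST, but it cannot know
    # the nonce, so it sends either nothing or a guess.
    forged = {"post": "7", "_nonce": "0123456789abcdef"}
    # A nonce user 2 obtained for their own page does not transfer to user 1.
    stolen = {"post": "7", "_nonce": create_nonce(2, "delete-post_7", now)}
    # A nonce for post 7 does not authorise deleting post 8.
    wrong_action = {"post": "8", "_nonce": create_nonce(user, "delete-post_7", now)}
    return {
        "legit": handle_delete_post(legit, user, now),
        "forged": handle_delete_post(forged, user, now),
        "other_user": handle_delete_post(stolen, user, now),
        "wrong_action": handle_delete_post(wrong_action, user, now),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The check lives in the handler, not in the form: whichever HTTP method the request used, the server only acts when the nonce matches what it would have issued to this user for this exact action in the current window.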