[wp-hackers] Any other way to do it? (or, do we really need Nonces?)

Peter Westwood peter.westwood at ftwr.co.uk
Sat Mar 3 12:03:06 GMT 2007

Mark Jaquith wrote:
> On Mar 2, 2007, at 8:13 PM, Robert Deaton wrote:
>> Sooner or later, you'll look at what the vulnerabilities actually are
>> and realize that this whole discussion really has nothing to do with
>> the vulnerabilities at hand. Regardless of POST or GET, these
>> vulnerabilities would have existed. POST is NOT a form of protection
>> against XSS, CSRF, etc. in any way, and more importantly these
>> vulnerabilities can be exploited through POST, for example when
>> writing a new post/page, the same lack of sanitization exists.
> Underline.  Highlight.  Gold star.
> This comes up again and again.  POST does not protect against CSRF.  
> POST cannot constitute verification of intention because people can 
> force you to POST (JavaScript) or trick you into POSTing.  Nonces exist 
> to protect against CSRF, against unintentional authorized actions.  They 
> verify intention, because they pass along a piece of information that 
> you'd only have if you were making the request from an authorized page.
> Nonces are here to stay.  For GET and POST alike.
> For more on Nonces any why they are necessary, read:
> http://markjaquith.wordpress.com/2006/06/02/wordpress-203-nonces/

+1  The exact point I tried to make further back up this thread!

Peter Westwood

More information about the wp-hackers mailing list