[wp-hackers] Any other way to do it? (or, do we really need Nonces?)
peter.westwood at ftwr.co.uk
Sat Mar 3 12:03:06 GMT 2007
Mark Jaquith wrote:
> On Mar 2, 2007, at 8:13 PM, Robert Deaton wrote:
>> Sooner or later, you'll look at what the vulnerabilities actually are
>> and realize that this whole discussion really has nothing to do with
>> the vulnerabilities at hand. Regardless of POST or GET, these
>> vulnerabilities would have existed. POST is NOT a form of protection
>> against XSS, CSRF, etc. in any way, and more importantly these
>> vulnerabilities can be exploited through POST, for example when
>> writing a new post/page, the same lack of sanitization exists.
> Underline. Highlight. Gold star.
> This comes up again and again. POST does not protect against CSRF.
> POST cannot constitute verification of intention because people can
> to protect against CSRF, against unintentional authorized actions. They
> verify intention, because they pass along a piece of information that
> you'd only have if you were making the request from an authorized page.
> Nonces are here to stay. For GET and POST alike.
> For more on Nonces and why they are necessary, read:
+1 The exact point I tried to make further back up this thread!
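The nonce scheme Mark describes, as an added example that is not code from WordPress or from anyone in this thread: an HMAC over the action, the user id and a time-window tick, accepted for the current and the previous window, with a handler that treats GET and POST identically because only the nonce proves the request came from a page the site served. The secret key and the 24-hour lifetime are constructed values for this example.

```python
import hmac
import hashlib
import time

# Constructed secret for this example; a real site uses its own per-install secret.
SECRET = b"example-only-secret-key"
NONCE_LIFE = 24 * 60 * 60  # nonce lifetime in seconds (assumed value)

def nonce_tick(now=None):
    """Index of the half-lifetime window a timestamp falls in."""
    now = time.time() if now is None else now
    return int(now // (NONCE_LIFE / 2)) + 1

def create_nonce(action, user_id, tick):
    """Bind action, user and time window into a short token that an attacker's
    page cannot compute: it requires the server secret, not just the user's cookie."""
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[-12:-2]

def verify_nonce(nonce, action, user_id, tick):
    """Return 1 for a nonce from the current window, 2 for the previous window,
    0 if it matches neither. Comparison is constant-time."""
    for age, t in ((1, tick), (2, tick - 1)):
        expected = create_nonce(action, user_id, t).encode()
        if hmac.compare_digest(expected, str(nonce).encode()):
            return age
    return 0

def handle_request(method, params, user_id, tick):
    """A CSRF-protected 'delete post' handler. The HTTP method is deliberately
    ignored: a forged GET and a forged POST are rejected for the same reason,
    the missing or wrong nonce."""
    post_id = params.get("post", "")
    nonce = params.get("_wpnonce", "")
    if not verify_nonce(nonce, f"delete-post_{post_id}", user_id, tick):
        return (403, "nonce check failed")
    return (200, f"deleted post {post_id}")
```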