[wp-hackers] Any other way to do it? (or,
do we really need Nonces?)
elharo at metalab.unc.edu
Sat Mar 3 13:24:00 GMT 2007
Mark Jaquith wrote:
> This comes up again and again. POST does not protect against CSRF.
> POST cannot constitute verification of intention because people can
No, I don't think they can, at least not with authentication cookies
intact and the default security level in the browser. If this is wrong,
then it's a browser bug that needs to be reported and fixed.
> or trick you into POSTing.
I don't think they can trick me into POSTing. Possibly they can trick
some people. However I am worried that they can trick or force me to
GET. It's much easier to sneak a GET into the WP admin area than a POST.
Pingbacks, links in comments, probably a few other things can all put
GETtable links in front of me that look normal.
> Nonces exist
> to protect against CSRF, against unintentional authorized actions. They
> verify intention, because they pass along a piece of information that
> you'd only have if you were making the request from an authorized page.
In other words it's a somewhat less spoofable, less blockable referer
header. That's actually the clearest definition I've heard yet. Thanks.
It may be reasonable to have both, especially if you believe it is
possible to trick some people into POSTing. (That's probably the case.)
However nonces are not a full solution either. They have failed to
protect WordPress from some of the vulnerabilities uncovered in the last
few months. They do nothing to avoid the problem of a web accelerator
prefetching links, and they may be stealable from code that sneaks
inside the admin interface.
The bottom line is that unsafe operations should not be done without
user involvement. the way in which browsers determine what is and is not
safe is by seeing whether it's submitted with GET or POST. Browsers and
other tools are entitled to assume that all GET operations are safe.
When a system violates these assumptions, serious problems ensue. These
problems are mitigated in part only because some tools sometimes take
extra steps to work around broken, non-conformant servers like
WordPress. However those workarounds are fragile. They will and do fail.
Elliotte Rusty Harold elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!
More information about the wp-hackers