[wp-hackers] Any other way to do it? (or, do we really need Nonces?)

Elliotte Harold elharo at metalab.unc.edu
Sat Mar 3 13:24:00 GMT 2007

Mark Jaquith wrote:

> This comes up again and again.  POST does not protect against CSRF.  
> POST cannot constitute verification of intention because people can 
> force you to POST (JavaScript) 

No, I don't think they can, at least not with authentication cookies 
intact and the default security level in the browser. If this is wrong, 
then it's a browser bug that needs to be reported and fixed.

> or trick you into POSTing.  

I don't think they can trick me into POSTing. Possibly they can trick 
some people. However I am worried that they can trick or force me to 
GET. It's much easier to sneak a GET into the WP admin area than a POST. 
  Pingbacks, links in comments, probably a few other things can all put 
GETtable links in front of me that look normal.

> Nonces exist 
> to protect against CSRF, against unintentional authorized actions.  They 
> verify intention, because they pass along a piece of information that 
> you'd only have if you were making the request from an authorized page.

In other words it's a somewhat less spoofable, less blockable referer 
header. That's actually the clearest definition I've heard yet. Thanks.

It may be reasonable to have both, especially if you believe it is 
possible to trick some people into POSTing. (That's probably the case.) 
However nonces are not a full solution either. They have failed to 
protect WordPress from some of the vulnerabilities uncovered in the last 
few months. They do nothing to  avoid the problem of a web accelerator 
prefetching links, and they may  be stealable from code that sneaks 
inside the admin interface.

The bottom line is that unsafe operations should not be done without 
user involvement. the way in which browsers determine what is and is not 
safe is by seeing whether it's submitted with GET or POST. Browsers and 
other tools are entitled to assume that all GET operations are safe. 
When a system violates these assumptions, serious problems ensue. These 
problems are mitigated in part only because some tools sometimes take 
extra steps to work around broken, non-conformant servers like 
WordPress. However those workarounds are fragile. They will and do fail.

Elliotte Rusty Harold  elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!

More information about the wp-hackers mailing list