[wp-hackers] Any other way to do it? (or, do we really need Nonces?)

Robert Deaton false.hopes at gmail.com
Sat Mar 3 16:04:40 GMT 2007

On 3/3/07, Elliotte Harold <elharo at metalab.unc.edu> wrote:
> Mark Jaquith wrote:
> > This comes up again and again.  POST does not protect against CSRF.
> > POST cannot constitute verification of intention because people can
> > force you to POST (JavaScript)
> No, I don't think they can, at least not with authentication cookies
> intact and the default security level in the browser. If this is wrong,
> then it's a browser bug that needs to be reported and fixed.

Yes, they can, and it was already pointed out earlier on this thread.
It works across sites, cookies are sent along with the POST, and it
works with or without human intervention (without is considerably
harder, but is quite possible, especially targetting the IE crowd).
However, tricking you is nothing more than tricking you to click a
link on another site. A clever commenter could include a link to an
article of relevance on his own site, in which a link appears to be a
link to further information in context but actually submits a form
back to your own site.

> > or trick you into POSTing.
> I don't think they can trick me into POSTing. Possibly they can trick
> some people. However I am worried that they can trick or force me to
> GET. It's much easier to sneak a GET into the WP admin area than a POST.
>   Pingbacks, links in comments, probably a few other things can all put
> GETtable links in front of me that look normal.

Easier, yes, but the fact remains that switching to POST does not make
it impossible and so why waste our time switching it for that purpose.

> > Nonces exist
> > to protect against CSRF, against unintentional authorized actions.  They
> > verify intention, because they pass along a piece of information that
> > you'd only have if you were making the request from an authorized page.
> In other words it's a somewhat less spoofable, less blockable referer
> header. That's actually the clearest definition I've heard yet. Thanks.
> It may be reasonable to have both, especially if you believe it is
> possible to trick some people into POSTing. (That's probably the case.)
> However nonces are not a full solution either. They have failed to
> protect WordPress from some of the vulnerabilities uncovered in the last
> few months.

I wish you would do like I asked before and actually go look at the
vulnerabilities. The only admin XSS related vulnerabilities we've had
are (a) a lack of nonces where they should be. This isn't a flaw in
nonces, its our fault for not auditing the admin area completely. (b)
The recent XSS which is actually a flaw in the nonce confirmation
dialog, not with nonces.

With the most recent vulnerability fixed in 2.1.1, you should not see
these problems again. The nonce system works exactly the way it was
intended to work.

> The bottom line is that unsafe operations should not be done without
> user involvement. the way in which browsers determine what is and is not
> safe is by seeing whether it's submitted with GET or POST. Browsers and
> other tools are entitled to assume that all GET operations are safe.
> When a system violates these assumptions, serious problems ensue. These
> problems are mitigated in part only because some tools sometimes take
> extra steps to work around broken, non-conformant servers like
> WordPress. However those workarounds are fragile. They will and do fail.

The only issue of this sort that has occured in recent history is the
short period of time that GWA prefetched links like this, however, the
decision was reversed due to thousands of other pieces of software
having issues with these links being prefetched.

There comes a point where widespread acceptance of something, whether
it be for or against standards, is so widespread that these arguments
no longer work. This kind of stuff is everywhere, and just like old
broken non-compliant HTML, its not going anywhere, ever.

Regardless of any of this, the fact remains that, POST provides no
necessary benefit to security. It makes it a fraction harder, however,
anybody with the intent to get around the limitations of POST will do
so. Nonces are here to stay, and I really think that if you want to
switch everything to POST buttons, it needs to be done in another
thread and security left out of the arguments for it.

--Robert Deaton

More information about the wp-hackers mailing list