[wp-hackers] Any other way to do it? (or, do we really need Nonces?)

Timo Kissing timo.kissing+wordpress at gmail.com
Sun Mar 4 00:25:38 GMT 2007


On 3/3/07, Elliotte Harold <elharo at metalab.unc.edu> wrote:
> Timo Kissing wrote:
>
> > Go to http://believe.ranta.info/
> > Type in some text, submit
> > Go to http://believe.blogpara.de/
> > Type in some text, submit
> > Go back to the first page.
> > See the text you typed on the second one there too.
> >
> > Read the sources at http://believe.ranta.info/ and
> > http://believe.blogpara.de/index.phps
> >
>
> 1. This requires user action. It doesn't happen automatically.

The only reason it requires action is because I was lazy and basically
copied one file to 2 locations and added something. The JS that
submits the second form is fired when you submit the form. I could
just as easily fire it on page load or on mouseover (for any element).

> 2. There don't seem to be user authentication cookies involved.

There are session cookies involved. Your browser doesn't know
"authentication cookies" anyhow. A cookie is a cookie is a cookie. All
your browser knows is a) the content (remember, to KNOW is not TO
UNDERSTAND), b) where it is allowed to send it (which is where it came
from) and c) when the cookie expires. Your browser does not care if it
contains login information, a random string or an actual cookie
recipe.

> 3. It didn't actually work. The text I typed on the 2nd page was not
> echoed back on the first, even after I reloaded it.

Which browser did you test it with? It works fine here in IE7 and FF2.
Did you have JS and Cookies enabled? And you did use the same browser
for both pages, right?

> Maybe it works in some browsers and not others?

If it does not work in some browsers now, I am pretty sure that's
because I coded it in ~ 10 minutes.
The basic principle is the same in every browser. JS is allowed to
manipulate the DOM and call functions on DOM nodes. FORM nodes have a
submit() function and a target attribute, so with JS you can create
forms with as many inputs as you want and with any values you want
and you can submit them. As well, you can create hidden iframes and
make your form submit into such an iframe. Since there are several
events that you can hook into, you can do so (for example) on page
load, when the user types something into an input, when he points the
mouse at an element, when he clicks something and on some more events.
I am using JavaScript every day at work, I know what I am talking about.

As has been stated before: POST is not more or less secure than GET
when it comes to CSRF.

Greetings,
Timo.
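
The server-side counterpart of the point made in this message, as an added example that is not code from the thread or from WordPress: the session cookie arrives on any POST the browser sends, so the handler also requires a nonce bound to the session and the action. The secret, the 12-hour window, the `_nonce` field name and the request shape are assumptions made for illustration.

```javascript
// Added example: nonce check for a state-changing request (Node.js).
const crypto = require('crypto');

const SERVER_SECRET = 'constructed-demo-secret'; // assumption: per-site secret
const WINDOW_MS = 12 * 60 * 60 * 1000;           // assumption: 12-hour window

// The nonce ties together a time window, the session and the action.
function makeNonce(sessionId, action, now = Date.now()) {
  const tick = Math.floor(now / WINDOW_MS);
  return crypto.createHmac('sha256', SERVER_SECRET)
    .update(`${tick}|${sessionId}|${action}`)
    .digest('hex');
}

// Constant-time comparison; anything that is not a string fails.
function nonceMatches(expected, supplied) {
  if (typeof supplied !== 'string') return false;
  const a = Buffer.from(expected);
  const b = Buffer.from(supplied);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// request: { method, cookies: { session }, body: { action, _nonce, ... } }
function handleStateChange(request, now = Date.now()) {
  const sessionId = request.cookies.session;
  if (!sessionId) return { status: 401, reason: 'no session' };
  const { action, _nonce } = request.body;
  // Accept the current and the previous window, so a form rendered
  // shortly before a window rollover can still be submitted.
  const ok = [now, now - WINDOW_MS].some((t) =>
    nonceMatches(makeNonce(sessionId, action, t), _nonce));
  return ok ? { status: 200, reason: 'accepted' }
            : { status: 403, reason: 'bad or missing nonce' };
}

// Constructed sample requests. Both are POSTs carrying the same cookie.
const NOW = 1172967938000; // constructed timestamp
const genuine = { method: 'POST', cookies: { session: 'sess-A' },
  body: { action: 'save-text', text: 'hello',
          _nonce: makeNonce('sess-A', 'save-text', NOW) } };
// A form submitted from another site: cookie attached, no nonce.
const crossSite = { method: 'POST', cookies: { session: 'sess-A' },
  body: { action: 'save-text', text: 'not typed here' } };

console.log(handleStateChange(genuine, NOW));
console.log(handleStateChange(crossSite, NOW));
```
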

