I’ve been meaning to write about the introduction of nonces into WordPress for some time. At last I’ve waited long enough for someone else to do it for me. Owen gives us the skinny on nonces. The primary advantage of nonces and the reason we introduced them is that they allow us to eliminate the requirement that sending referrers be enabled. More and more people were being tripped up by the sending referrers requirement.
Nonce
Published by Ryan Boren
Mark Jaquith also has a nice description of WordPress nonces including how to write plugins to take advantage of them.
Of course the dangers mentioned by Owen would be a total non-issue if WP would send form data using the POST method, as nearly everyone in the security industry recommends.
POST must be nonced too. Read the thread Owen linked as well as the comments on his post.
Of course it does. My point is his exploit examples are mitigated by using the POST method. Tight security means implementing a handful of methods; nonces are one of them, using the POST method is another.
What is the advantage to using the POST method over the GET method in regard to security? If you look through the thread on wp-hackers, you’ll find the example pages I constructed to demonstrate the failure of POST to prevent the attack as described:
First “login” here – http://owenw.com/postget.php
Then “win some cash” at this other site: http://asymptomatic.net/temp/hack.htm
The attack requires that an admin be logged in first, which is why you have to login on the first page. The second page is on a different domain and uses the POST method to forge a delete request – and it works. Note that using POST does not prevent anything from being deleted – the attack examples are not mitigated by use of the POST method.
POST may be useful for preventing other types of attacks, but not this particular attack. POST is the recommended method for causing actions to happen on a site, but it’s not foolproof, hence the reason for the absurdly long thread on wp-hackers, and the resulting commit of the nonce implementation.
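The point Owen makes above is the one a nonce scheme is built to settle: a forged cross-site form POST still arrives with the victim's session cookie, so only a value the attacking site cannot know stops it. The following Python is an added illustration, not WordPress code and not from either commenter; it uses a constructed secret key, a constructed "delete post" action and a 12-hour tick window in the style of WordPress's time-bucketed nonces (the tick length, the `_wpnonce` field name and the two-tick acceptance window are assumptions here, not taken from the page). It compares an unprotected POST handler with one that also checks a nonce bound to the action and the logged-in user.

```python
import hashlib
import hmac
import time

# Constructed server secret, a stand-in for the site's nonce key; not a real value.
SECRET_KEY = b"constructed-nonce-key-not-a-real-secret"
# Assumed tick length: nonces change every 12 hours and are accepted for two ticks.
TICK_SECONDS = 12 * 60 * 60


def nonce_tick(now=None):
    """Integer time bucket the nonce is bound to."""
    now = time.time() if now is None else now
    return int(now // TICK_SECONDS)


def create_nonce(action, user_id, now=None):
    """Short HMAC over (tick, action, user): unguessable without SECRET_KEY."""
    msg = f"{nonce_tick(now)}|{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:10]


def verify_nonce(nonce, action, user_id, now=None):
    """Accept nonces from the current tick and the previous one (12 to 24 h)."""
    now = time.time() if now is None else now
    for tick_age in (0, 1):
        expected = create_nonce(action, user_id, now - tick_age * TICK_SECONDS)
        if hmac.compare_digest(nonce, expected):
            return True
    return False


def delete_post_unprotected(request, session_user):
    """Trusts method + session cookie only; a cross-site form POST passes."""
    if request["method"] != "POST" or session_user is None:
        return 403
    return 200  # post deleted


def delete_post_nonced(request, session_user, now=None):
    """Additionally demands a nonce bound to this action and this user."""
    if request["method"] != "POST" or session_user is None:
        return 403
    action = f"delete-post_{request['form']['post']}"
    nonce = request["form"].get("_wpnonce", "")
    if not verify_nonce(nonce, action, session_user, now):
        return 403
    return 200  # post deleted


def simulate():
    """Constructed requests: a forged cross-site POST and a legitimate admin POST."""
    victim = 1  # logged-in admin whose cookie the browser attaches to both
    forged = {"method": "POST", "form": {"post": "42"}}  # no nonce: attacker can't compute it
    legit = {
        "method": "POST",
        "form": {"post": "42", "_wpnonce": create_nonce("delete-post_42", victim)},
    }
    return {
        "forged_unprotected": delete_post_unprotected(forged, victim),
        "forged_nonced": delete_post_nonced(forged, victim),
        "legit_nonced": delete_post_nonced(legit, victim),
    }


if __name__ == "__main__":
    print(simulate())
```

Running `simulate()` shows the unprotected handler deleting the post on the forged POST while the nonced handler rejects it and still accepts the admin's own form. Because the nonce is keyed to the action, the user and a time bucket, a nonce leaked from one form cannot be replayed against a different post or user, and it expires on its own; the `hmac.compare_digest` call keeps the check constant-time.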
Using the POST method prevents simple links from deleting a post. It also prevents the use of an image tag to delete a post, which is worse, because a person doesn’t have to click on anything, they just have to visit the page.
In the end, I was referring to your example, which is a simple link in a comment, pointing to the admin page. You could of course put together a form using a link as the submit button, but that’s not the impression I got from your example.
I bet nobody knew in developing these and coming up with the term that in the UK if you call someone a ‘nonce’ you’re calling them a paedophile. Not to be confused with ‘nancy’ which is a derogatory term used to denigrate gay men.
Thus endeth the short wiki on the term.
A bit unfortunate, really. The idea of introducing nonces into WordPress could be quite shocking for some to read at first but I doubt the term can ever be reappropriated here in the UK to describe something essentially benign and technical. Then, you never know…
Whatever you call them, the fact that ‘enable sending referrers’ is no longer the bane of my life is cause for celebration!