WordPress.org

Ready to get started?Download WordPress

Forums

[resolved] Request Forgery Security (5 posts)

  1. aberglas
    Member
    Posted 1 year ago #

    I could not see any protection against
    http://en.wikipedia.org/wiki/Cross-site_request_forgery

    It is not hard, every submitted form needs to have a hidden secret field which is then checked. But without it WordPress is completely open to this.

    (I could add it, but it needs to go into the core. Tested on every form.)

  2. esmi
    Forum Moderator
    Posted 1 year ago #

  3. aberglas
    Member
    Posted 1 year ago #

    Thanks. I have not seen that used on any examples I have come across. I'd be happier if wp_verify_nonce was called by wp itself for Every post, and plugins that do not submit it simply fail to run.

    Anthony

  4. bcworkz
    Member
    Posted 1 year ago #

    What forms don't have nonces? I've not noticed any, not that I've searched too hard. WP cannot arbitrarily check all nonces because it needs to know the string used to create the nonce in the first place to verify it. Any plugin posting to WP pages will need to replicate the nonces expected or it will fail. Plugins that submit to their own pages are beyond the control of WP core and are the responsibility of the plugin author.

    If there were a XSS vulnerability, hackers would have more than likely found it by now and exploited it. They are certainly trying to find one, trust me.

  5. aberglas
    Member
    Posted 1 year ago #

    To develop for WordPress, I did what everyone else does and Googled examples. None of them had this, which is an issue as it encourages insecure style.

    I think that an update to WP that simply rejected all posts that do not have a _wpnonce would not be a bad thing.

    As to the nonced value, I'm not sure how much additional security is added by using more than just the user name (+salt) as the nonce hash. If an attacker could already log in as the user to obtain the nonce then the game is over anyway. The trade off being that using a standard nonce means that WP can always check its value automatically.

    On annoyance is that wp_nonce_field adds the ever growing request field by default. Is it protected by the nonce? Not clear how to utilize it, I just turned it off.

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags

No tags yet.