WordPress.org


[Resolved] Request Forgery Security

Viewing 4 replies - 1 through 4 (of 4 total)
  • esmi
    Forum Moderator

    @esmi

    Thanks. I have not seen that used on any examples I have come across. I’d be happier if wp_verify_nonce was called by WP itself for every post, and plugins that do not submit it simply fail to run.

    Anthony

    bcworkz
    Participant

    @bcworkz

    What forms don’t have nonces? I’ve not noticed any, not that I’ve searched too hard. WP cannot arbitrarily check all nonces because it needs to know the string used to create the nonce in the first place to verify it. Any plugin posting to WP pages will need to replicate the nonces expected or it will fail. Plugins that submit to their own pages are beyond the control of WP core and are the responsibility of the plugin author.

    If there were an XSS vulnerability, hackers would have more than likely found it by now and exploited it. They are certainly trying to find one, trust me.

    To develop for WordPress, I did what everyone else does and Googled examples. None of them had this, which is an issue as it encourages insecure style.

    I think that an update to WP that simply rejected all posts that do not have a _wpnonce would not be a bad thing.

    As to the nonced value, I’m not sure how much additional security is added by using more than just the user name (+salt) as the nonce hash. If an attacker could already log in as the user to obtain the nonce then the game is over anyway. The trade off being that using a standard nonce means that WP can always check its value automatically.

    One annoyance is that wp_nonce_field adds the ever-growing request field by default. Is it protected by the nonce? Not clear how to utilize it, I just turned it off.
