Here are a few things you should look into.
- SSL Certificates
- CSRF Protection
You are probably referring to CSRF (Cross-site request forgery). Chris Shiflett wrote an article about it which explains the concept.
Ok, I have discovered that WordPress offers its own API for NONCES. What I do now is to add an input field in the form containing the NONCE; when the user sends the form to the server, the NONCE is validated back.
There's a little chance an attacker could gain access using the NONCE contained in the form **ONLY** during the lap time occurring between NONCE issue/verify. Quite difficult though: the attacker should sniff data, grab the NONCE and use it immediately to load "something" in the database... What could be loaded, assuming content is being stripslashed and de-javascripted?
Moreover, as WP NONCES are created using constants:
```php
wp_create_nonce( 'my-nonce' );
```
this will require some additional tasks to use variable-generated NONCES, in such a way that it will be more difficult for the attacker to track the pattern used to generate the NONCE...
What do you think?
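The form-plus-verification flow described above, as an added example (not code from the thread or from WordPress itself). It assumes a plugin context where WordPress is loaded and the form posts to `admin-post.php`; the action name `my-plugin-save`, the field name `_my_plugin_nonce` and the `my_plugin_*` functions are hypothetical.

```php
<?php
// Added example, not from the thread. Assumes WordPress is loaded (plugin context)
// and that the handler runs for logged-in users through admin-post.php.

const MY_FORM_ACTION = 'my-plugin-save'; // hypothetical action name; pairs the field with the check

// 1. Render the form: wp_nonce_field() emits a hidden <input> carrying the nonce
//    for this action (plus a referer field), so the client never computes it.
function my_plugin_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="<?php echo esc_attr( MY_FORM_ACTION ); ?>">
        <?php wp_nonce_field( MY_FORM_ACTION, '_my_plugin_nonce' ); ?>
        <label>Title <input type="text" name="title"></label>
        <button type="submit">Save</button>
    </form>
    <?php
}

// 2. Handle the submission: verify the nonce before touching the database.
//    wp_verify_nonce() returns false unless the value was generated for this
//    action, this user and this login session and has not expired.
function my_plugin_handle_form() {
    $nonce = isset( $_POST['_my_plugin_nonce'] ) ? $_POST['_my_plugin_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, MY_FORM_ACTION ) ) {
        wp_die( 'Request could not be verified.', 'Forbidden', array( 'response' => 403 ) );
    }
    // CSRF protection is not authorization: still check the capability.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    // Sanitize input before persisting it through the WordPress API.
    $title = sanitize_text_field( wp_unslash( isset( $_POST['title'] ) ? $_POST['title'] : '' ) );
    // ... save $title here ...
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_' . MY_FORM_ACTION, 'my_plugin_handle_form' );
```

The constant string passed to `wp_create_nonce()` / `wp_nonce_field()` is only the action label, not the secret: the emitted value is derived from the site's secret keys together with the current user and session and expires after a fixed lifetime, so a varying action name adds little, while replacing the nonce check with a capability check (or omitting either) is the mistake to watch for.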