
rest api - wp_nonce vs jwt


I’ve recently added jwt authentication to my website because frontend of my site is completely decoupled from backend.
What I haven’t thought of is that I could use wp_nonce instead of jwt - create nonce on backend, store it on frontend and send it with every request till it expires.

What drawbacks does wp nonce method have vs jwt method?

Also, nonces are used to secure wordpress from csrf for example. Is there any way to secure rest api from csrf, other than setting cors rules correctly (to allow only frontend domain?


asked Jan 28, 2021 at 9:41 by user179669
  • nonces are not authentication tokens, if your site is only accepting API requests from users on that site then I do not see any advantages to using JWT to authenticate REST API requests. The standard cookie + nonce that comes with WordPress would be enough assuming HTTPS is set up – Tom J Nowell Commented Jan 28, 2021 at 11:12
  • Currently I've got frontend on another domain on another server (built with React- GatsbyJS). I think I could host frontend on subdomain (or backend on subdomain and frontend on main domain). Is standard wordpress session doable with this setup? I want smooth SPA experience on frontend, so I would need to send request to rest api anyway. I probably would need to create login endpoint where I manually log in user with username and password and create authentication cookie manually. I would need nonce that lasts as long as wordpress session too.... – user179669 Commented Jan 28, 2021 at 12:37
  • This depends on where the frontend and backend are located in relation to each other, but that's not a WP problem, that's a general browser cookie scope problem. I do not see a need for the two to have separate domains, it needlessly complicates things. Either use a WordPress theme that just bootstraps a SPA, or, route wp-* URLs to WordPress and everything else to Node or whatever is serving your SPA. – Tom J Nowell Commented Jan 28, 2021 at 12:40
  • And as I said earlier, nonces are not authentication tokens. An authentication protocol based entirely off of nonces would be disastrous, and a gross misunderstanding of what they're intended for. – Tom J Nowell Commented Jan 28, 2021 at 12:40

1 Answer


What I haven’t thought of is that I could use wp_nonce instead of jwt - create nonce on backend, store it on frontend and send it with every request till it expires.

What drawbacks does wp nonce method have vs jwt method?

Using nonces as a replacement for an authentication protocol, or as a session identifier would be insecure. A nonce is not an authentication or identifying token.

Using it as an authentication token is not going to work, or rather it will function but it will have incredibly weak security.

The purpose of a nonce is to prove that when a user takes an action, they intended to take that action, that the request was deliberate. It is not proof that the user is who they say they are, and it provides no guarantees in relation to identity.

If they are used in authentication it is as a test to detect replay attacks and avoid a recorded login request being resent by an attacker, but they can't be used to verify and login a user.

TLDR: This is a bad idea; nonces cannot be used as authenticators. Stick to a known good method that is well defined and battle hardened if you want security and safety.

And don't roll your own crypto.

Let's test just how secure a WP nonce would be. At the time of writing, this is the implementation WP uses:

function wp_create_nonce( $action = -1 ) {
    $user = wp_get_current_user();
    $uid  = (int) $user->ID;
    if ( ! $uid ) {
        /** This filter is documented in wp-includes/pluggable.php */
        $uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
    }
 
    $token = wp_get_session_token();
    $i     = wp_nonce_tick();
 
    return substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
}

In the proposed scheme, this would be simplified down to:

function wp_create_nonce( $action = -1 ) {
    $i     = wp_nonce_tick();
    return substr( wp_hash( $i . '|' . $action . '||', 'nonce' ), -12, 10 );
}

So a user would need to know the action, the nonce tick, and the salt used by wp_hash. We will know the action, the nonce tick is a simple time calculation with some rounding, therefore we just need to brute-force the salt.

We can do this by adjusting wp_create_nonce to use a version of wp_hash that cycles through every possible value for wp_salt. This will give us either the AUTH_SALT or SECURE_AUTH_SALT in wp-config.php.

From there on a chain of events occurs that allows us to impersonate anybody on your site. Mitigating this would involve the nonce_user_logged_out filter and devising a scheme to insert more user session based data, but this just delays the inevitable.
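To make the answer's point concrete, here is an added Python model of the WordPress nonce derivation (wp_hash as HMAC-MD5 under the nonce salt, wp_nonce_tick as the clock rounded to half a nonce lifetime, the same substr truncation) placed beside the stripped-down scheme; it is not the answer's or WordPress's own code, and the salt, user ids and session tokens are constructed values. It shows that a real nonce only verifies against the session it was minted for, while the proposed nonce is one site-wide value per action and tick.

```python
import hashlib
import hmac
import math

NONCE_SALT = b"constructed-nonce-key-and-salt"  # stands in for NONCE_KEY . NONCE_SALT; not a real secret
NONCE_LIFE = 24 * 60 * 60  # DAY_IN_SECONDS, the default 'nonce_life'

def wp_hash(data: str) -> str:
    """Model of wp_hash( $data, 'nonce' ): hash_hmac( 'md5', $data, wp_salt( 'nonce' ) )."""
    return hmac.new(NONCE_SALT, data.encode(), hashlib.md5).hexdigest()

def wp_nonce_tick(now: float) -> int:
    """Model of wp_nonce_tick(): the clock rounded up in half-lifetime steps."""
    return math.ceil(now / (NONCE_LIFE / 2))

def wp_create_nonce(action: str, uid: int, session_token: str, now: float) -> str:
    """WordPress scheme: tick, action, user id and session token all feed the hash."""
    data = f"{wp_nonce_tick(now)}|{action}|{uid}|{session_token}"
    return wp_hash(data)[-12:-2]  # substr( ..., -12, 10 )

def proposed_nonce(action: str, now: float) -> str:
    """The stripped-down scheme from the answer: nothing about who holds it goes in."""
    return wp_hash(f"{wp_nonce_tick(now)}|{action}||")[-12:-2]

def wp_verify_nonce(nonce: str, action: str, uid: int, session_token: str, now: float) -> int:
    """Model of wp_verify_nonce(): 1 for the current tick, 2 for the previous one, else 0."""
    i = wp_nonce_tick(now)
    for age, tick in ((1, i), (2, i - 1)):
        expected = wp_hash(f"{tick}|{action}|{uid}|{session_token}")[-12:-2]
        if hmac.compare_digest(nonce, expected):
            return age
    return 0

def nonce_binding_demo(now: float = 1_611_824_460.0) -> dict:
    """Two logged-in users (constructed ids and session tokens) request the same REST action."""
    alice = wp_create_nonce("wp_rest", 1, "session-token-alice", now)
    bob = wp_create_nonce("wp_rest", 7, "session-token-bob", now)
    alice_check = lambda uid, tok, t: wp_verify_nonce(alice, "wp_rest", uid, tok, t)
    return {
        "wp_nonces_differ_per_user": alice != bob,  # bound to user id and session token
        "alice_nonce_valid_for_bob": alice_check(7, "session-token-bob", now),  # 0: rejected
        "alice_nonce_valid_for_alice": alice_check(1, "session-token-alice", now),  # 1: fresh
        "stale_after_half_life": alice_check(1, "session-token-alice", now + NONCE_LIFE / 2),  # 2
        "expired_after_full_life": alice_check(1, "session-token-alice", now + NONCE_LIFE),  # 0
        # the proposed scheme yields one site-wide value per action and tick, whoever asks
        "proposed_nonce_is_site_wide": proposed_nonce("wp_rest", now) == proposed_nonce("wp_rest", now + 60),
    }
```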
