{"id":1854,"date":"2020-08-14T17:47:59","date_gmt":"2020-08-14T10:47:59","guid":{"rendered":"https:\/\/wptips.dev\/?p=1854"},"modified":"2020-08-14T17:50:14","modified_gmt":"2020-08-14T10:50:14","slug":"what-is-wordpress-nonce-preventing-csrf-attack","status":"publish","type":"post","link":"https:\/\/pixelstudio.id\/blog\/what-is-wordpress-nonce-preventing-csrf-attack\/","title":{"rendered":"What is WordPress Nonce? (Preventing CSRF Attack)"},"content":{"rendered":"\n

Let’s say you installed a Forum plugin<\/strong> that can create a new thread, manage your profile, change password, etc.<\/p>\n\n\n\n

Then someone malicious came in and post a link that will trigger password change to “123456”. The link might say “Won $10.000” or something attractive so more people got tricked by it.<\/p>\n\n\n\n

Now that person have access to the victim’s account.<\/p>\n\n\n\n

This kind of attack is called CSRF<\/strong> (Cross Site Request Forgery) where a 3rd party sends a fake request. The damage can be devastating.<\/p>\n\n\n\n

Is the above scenario possible? Yes, unless the plugin author added a prevention measure using Nonce<\/strong>.<\/p>\n\n\n\n

What is Nonce?<\/h2>\n\n\n\n

Nonce is a randomly-generated string<\/strong> attached to a URL or Form to verify that an action is done by the user him\/herself.<\/p>\n\n\n\n

The string is one-time use and different for each user. That means it’s impossible to fake. If the nonce is not valid, we can reject the request.<\/p>\n\n\n\n

Here’s a diagram showing 2 requests, 1 from the user, and 1 from a hacker that got rejected:<\/p>\n\n\n\n

\"\"
Diagram showing how nonce works.
Hacker that posts fake data will be rejected because nonce is empty or not valid.<\/figcaption><\/figure>\n\n\n\n

Is My Website Vulnerable to CSRF?<\/h2>\n\n\n\n

First, identify which of your link or form could cause negative effect<\/strong> on your site. <\/p>\n\n\n\n

Something public like Contact Form is fine without nonce. What’s the worst thing that could happen anyway? Get spammed? Nonce won’t solve that.<\/p>\n\n\n\n

Found Potentially harmful Form?<\/strong><\/p>\n\n\n\n

For example, we have the Password Change form in WooCommerce account page.<\/p>\n\n\n\n

Open Web Inspector (F12) and check whether the form has a hidden field containing the nonce or not.<\/p>\n\n\n\n

\"\"
WooCommerce’s password change form has nonce field<\/figcaption><\/figure>\n\n\n\n

Yes, it has a nonce field. But to be sure, try removing that nonce field and submit the form.<\/p>\n\n\n\n

Does it still change the password? In the case of Woocommerce, it fails (which is the correct behavior).<\/p>\n\n\n\n

Found Potentially harmful Link?<\/strong><\/p>\n\n\n\n

For example, we have WooCommerce Marketplace plugin. Users can post and delete their own products.<\/p>\n\n\n\n

That delete button seems dangerous right?<\/p>\n\n\n\n

Open web inspector and check out the link. If it has a nonce then it’s safe:<\/p>\n\n\n\n

https:\/\/myshop.com\/delete-product\/1042?_wpnonce=75ad822113<\/code><\/pre>\n\n\n\n
But just to be sure, copy the link, and remove the nonce. So you have:<\/p>\n\n\n\n
https:\/\/myshop.com\/delete-product\/1042<\/code><\/pre>\n\n\n\n
Then paste it in a new tab. See if your product got deleted. If it’s deleted, your site is vulnerable to CSRF.<\/p>\n\n\n\n
How to Implement Nonce?<\/h2>\n\n\n\n
This is useful if you want to create your own form or plugin.<\/p>\n\n\n\n
GENERATE NONCE<\/strong><\/p>\n\n\n\n
There are 3 ways to generate a nonce:<\/p>\n\n\n\n