0

First some context.
I've been using nonce tokens to sign my form data in the same way wordpress allows to attach an action to a nonce:

// editing post id:10
$post_id = 10;
$nonce = create_nonce( 'edit-post-'.$post_id );
echo '<input type="hidden" name="post_id" value="'.$post_id.'">';
echo '<input type="hidden" name="nonce" value="'.$nonce.'">';

This allows me later to check if user is editing the post I gave him permissions to, because I reconstruct the nonce and check if the nonce that I recieve is the same I constructed:

$server_nonce = create_nonce( 'edit-post-'.$_POST['post_id'] );
if( $server_nonce != $_POST['nonce'] )
{
    echo 'bad guy...';
}

Up until now I misinterpreted this method as an anti-CSRF token that gave me CSRF protection.
As I deep in the CSRF issue I've found that this solution does not protect me 100% from CSRF because:

  1. The nonce can be reconstructed in server with the data received. CSRF must be not reconstructed.
  2. The nonce token will be the same for a form for a window time. CSRF must be unique at each request.

So, here's my question:

Is it ok to use two tokens in a form to protect from CSRF and data signature? Is there any way to combine these two tokens?

Pherrymason
  • 7,835
  • 8
  • 39
  • 57

1 Answers1

1

Generally, the nonce needs to be saved somewhere server-side. If you're regenerating the nonce when validating it, it means the nonce is a predictable value based on input. That is pretty useless, since that's a static value. It's not a nonce.

The way the nonce is supposed to work is:

  1. Construct the form
  2. Generate a random value, the nonce
  3. Save the nonce in the session and put it in a hidden field in the form
  4. Upon form submission, check that the submitted nonce corresponds to the one in the session

Anything else is just a checksum of the action+post-id, which is pretty useless.

You can easily extend this proper nonce procedure with a checksum of the to-be-submitted fields, by taking the name of all expected fields and other expected static values and adding a hash of them to the session as well. E.g.:

sha1(join(',', array('first_name', 'last_name', $nonce)))

Upon form submission, get all received field names and generate the same hash again and check if it's identical to the one in the session. If not, somebody tampered with the form.

deceze
  • 510,633
  • 85
  • 743
  • 889
  • PS: I don't know Wordpress enough to tell you what the `create_nonce` function is supposed to do. – deceze Oct 24 '12 at 15:26
  • One of the problems of my Wordpress nonces is that they are static (they change every hour for the same input), hence my doubts about being enough CSRF-proof. I see that for proper protection I need some value that is in no way reproducible. But I still need to protect form someone changing the `id` of the resource (for example) and submiting the changes to that new `id` (even if the new `id` is of its property). – Pherrymason Oct 24 '12 at 15:38
  • For the problem of submitting the data to a different id, you need permission checks and data validation. I.e., if the user is allowed to edit an entry with a particular id and the data is valid for it, it really doesn't matter whether he properly went through the right form or "hacked it together". But, as described in my answer, even that can be caught using CSRF protection by adding a hash of **all static data** to the form and session. Static data in this case is all form element names and hidden/readonly data, including the entry id. – deceze Oct 24 '12 at 15:43
  • but that hash would be a **different** token? or the same `nonce` you described me? – Pherrymason Oct 24 '12 at 15:45
  • 1
    You only have to submit the final hash, which *includes* the nonce, with the form. You have to store the nonce on the server though to calculate the same hash from the submitted form data + nonce again. – deceze Oct 24 '12 at 16:32
  • ah! got it. 1: store nonce in session, send: hash + form data; 2: check if hash(server-nonce + form data) === received_hash – Pherrymason Oct 24 '12 at 16:35
  • I've found a solution here in stackoverflow that uses and approach similar to what I've been using, what "no-no"'s do you find in it? http://stackoverflow.com/a/2695291/111065 – Pherrymason Oct 27 '12 at 09:01
  • That's a great solution by a great author. I'd wholeheartedly recommend it. – deceze Oct 27 '12 at 11:59