<?xml version="1.0" encoding="UTF-8"?><rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
> <channel><title>Comments on: Improving security in Wordpress plugins using Nonces</title> <atom:link href="http://www.prelovac.com/vladimir/improving-security-in-wordpress-plugins-using-nonces/feed" rel="self" type="application/rss+xml" /><link>http://www.prelovac.com/vladimir/improving-security-in-wordpress-plugins-using-nonces</link> <description>Web 2.0, Marketing, Analytics, WordPress SEO</description> <lastBuildDate>Sat, 21 Nov 2009 07:43:51 -0600</lastBuildDate> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <item><title>By: Vladimir</title><link>http://www.prelovac.com/vladimir/improving-security-in-wordpress-plugins-using-nonces/comment-page-1#comment-16894</link> <dc:creator>Vladimir</dc:creator> <pubDate></pubDate> <guid
isPermaLink="false">http://www.prelovac.com/vladimir/?p=803#comment-16894</guid> <description>How do you propose the hacker would hijack a session that uses nonces?</description> <content:encoded><![CDATA[<p>How do you propose the hacker would hijack a session that uses nonces?</p> ]]></content:encoded> </item> <item><title>By: Brenton</title><link>http://www.prelovac.com/vladimir/improving-security-in-wordpress-plugins-using-nonces/comment-page-1#comment-16886</link> <dc:creator>Brenton</dc:creator> <pubDate></pubDate> <guid
isPermaLink="false">http://www.prelovac.com/vladimir/?p=803#comment-16886</guid> <description>I&#039;ve implemented nonces for the Admin pages of my plugin, but after thinking about this for a while I&#039;m of the opinion that it&#039;s really not an adequate solution.  Specifically, there are two shortcomings with this whole approach:
1.  It&#039;s NOT a number used once.  It&#039;s a number that can be used as many times as you want in 24 hours.  Does this make a difference? Yes!  The whole problem that&#039;s trying to be solved is someone hijacking a session (originally, this was just the cookie, but now it&#039;s the nonce as well).  A 24hr window of opportunity is ridiculous.  A competent hacker would need about 2 minutes in your WordPress installation (if they were organized) to set up a back door: probably less if they had rehearsed it.  Hence my biggest gripe with these types of solutions: a false sense of security.  Nonces only marginally increase your protection, but if you read the way people rave about this principle you would think that all threats have been eliminated.
2.  It&#039;s intrusive.  It&#039;s a royal pain in the a$$ to mutilate your URLs with this stuff - and even worse when it doesn&#039;t provide effective security.  At least cookies are transparent to URLs!  I can&#039;t count the number of times clients of mine have said &quot;our theme doesn&#039;t use widgets so we want to embed your plugin-generated URLs directly in our theme&quot;.  Sounds like a reasonable request.  But wait!  I need to tell them that those URLs contain nonces and hence you need to fetch them anew every time you want to display them.  In effect, they&#039;re dynamic URLs.  That requires them to write PHP code; and over 50% of my clients aren&#039;t PHP programmers.  My point is that this approach takes away some existing flexibility but doesn&#039;t really improve the security of the system in return.
Now that I&#039;ve got that out, I&#039;m going to propose an alternative, just so I won&#039;t be accused of being a whiner.
Go back to the threat and work within the existing constraints.
The threat is session hijacking.  Existing constraints are static URLs.  Proposals:
1. Augment session authentication (i.e. cookies) with IP address filtering.  Have WordPress not only require a valid cookie but a cookie that came from the same IP address it was issued to and was received from.  I know IP addresses can be spoofed but nonce sessions can be spoofed too with far greater ease.  At least with this approach you don&#039;t have to mangle your URLs.
2. Update the cookie value on every request.  Although this sounds good in theory, in practice it would probably cause a lot of false-positive lock-outs which would require the user to log back in again.  And fundamentally, it actually doesn&#039;t resolve the problem: it just reduces the window of opportunity to an incredibly short time.  If a hacker were fast enough (i.e. submitted the next page as you before you did) then they would be let in and you would be locked out.
As you can see, it appears that there might not be an effective solution at this level.  It may simply be that WordPress does the best it can (using cookies and source IP address) and leaves it up to other technologies to provide a comprehensive security solution: e.g. SSL to stop anyone else from eavesdropping on the data sent back and forth.  Perhaps even having WordPress run its admin functions on a restricted IP port which requires SSL client side authentication to establish the HTTPS connection.  At some point you need to ask yourself: what is the value of the website (asset) I&#039;m protecting? What is the likely investment a typical hacker will make to gain control of that asset? And is my security system&#039;s cost in line with these values?</description> <content:encoded><![CDATA[<p>I've implemented nonces for the Admin pages of my plugin, but after thinking about this for a while I'm of the opinion that it's really not an adequate solution.  Specifically, there are two shortcomings with this whole approach:<br
/> 1.  It's NOT a number used once.  It's a number that can be used as many times as you want in 24 hours.  Does this make a difference? Yes!  The whole problem that's trying to be solved is someone hijacking a session (originally, this was just the cookie, but now it's the nonce as well).  A 24hr window of opportunity is ridiculous.  A competent hacker would need about 2 minutes in your WordPress installation (if they were organized) to set up a back door: probably less if they had rehearsed it.  Hence my biggest gripe with these types of solutions: a false sense of security.  Nonces only marginally increase your protection, but if you read the way people rave about this principle you would think that all threats have been eliminated.<br
/> 2.  It's intrusive.  It's a royal pain in the a$$ to mutilate your URLs with this stuff - and even worse when it doesn't provide effective security.  At least cookies are transparent to URLs!  I can't count the number of times clients of mine have said "our theme doesn't use widgets so we want to embed your plugin-generated URLs directly in our theme".  Sounds like a reasonable request.  But wait!  I need to tell them that those URLs contain nonces and hence you need to fetch them anew every time you want to display them.  In effect, they're dynamic URLs.  That requires them to write PHP code; and over 50% of my clients aren't PHP programmers.  My point is that this approach takes away some existing flexibility but doesn't really improve the security of the system in return.<br
/> Now that I've got that out, I'm going to propose an alternative, just so I won't be accused of being a whiner.<br
/> Go back to the threat and work within the existing constraints.<br
/> The threat is session hijacking.  Existing constraints are static URLs.  Proposals:<br
/> 1. Augment session authentication (i.e. cookies) with IP address filtering.  Have WordPress not only require a valid cookie but a cookie that came from the same IP address it was issued to and was received from.  I know IP addresses can be spoofed but nonce sessions can be spoofed too with far greater ease.  At least with this approach you don't have to mangle your URLs.<br
/> 2. Update the cookie value on every request.  Although this sounds good in theory, in practice it would probably cause a lot of false-positive lock-outs which would require the user to log back in again.  And fundamentally, it actually doesn't resolve the problem: it just reduces the window of opportunity to an incredibly short time.  If a hacker were fast enough (i.e. submitted the next page as you before you did) then they would be let in and you would be locked out.<br
/> As you can see, it appears that there might not be an effective solution at this level.  It may simply be that WordPress does the best it can (using cookies and source IP address) and leaves it up to other technologies to provide a comprehensive security solution: e.g. SSL to stop anyone else from eavesdropping on the data sent back and forth.  Perhaps even having WordPress run its admin functions on a restricted IP port which requires SSL client side authentication to establish the HTTPS connection.  At some point you need to ask yourself: what is the value of the website (asset) I'm protecting? What is the likely investment a typical hacker will make to gain control of that asset? And is my security system's cost in line with these values?</p> ]]></content:encoded> </item> <item><title>By: Old WordPress Versions Under Attack &#124; WordpressWizard</title><link>http://www.prelovac.com/vladimir/improving-security-in-wordpress-plugins-using-nonces/comment-page-1#comment-16725</link> <dc:creator>Old WordPress Versions Under Attack &#124; WordpressWizard</dc:creator> <pubDate></pubDate> <guid
isPermaLink="false">http://www.prelovac.com/vladimir/?p=803#comment-16725</guid> <description>[...] Vladimir Prelovac – Improving security in WordPress Plugins using Nonces [...]</description> <content:encoded><![CDATA[<p>[...] Vladimir Prelovac – Improving security in WordPress Plugins using Nonces [...]</p> ]]></content:encoded> </item> <item><title>By: Vladimir</title><link>http://www.prelovac.com/vladimir/improving-security-in-wordpress-plugins-using-nonces/comment-page-1#comment-16307</link> <dc:creator>Vladimir</dc:creator> <pubDate></pubDate> <guid
isPermaLink="false">http://www.prelovac.com/vladimir/?p=803#comment-16307</guid> <description>Well luckily it wasn&#039;t me who came up with the expression :)</description> <content:encoded><![CDATA[<p>Well luckily it wasn't me who came up with the expression :)</p> ]]></content:encoded> </item> <item><title>By: Tom</title><link>http://www.prelovac.com/vladimir/improving-security-in-wordpress-plugins-using-nonces/comment-page-1#comment-16276</link> <dc:creator>Tom</dc:creator> <pubDate></pubDate> <guid
isPermaLink="false">http://www.prelovac.com/vladimir/?p=803#comment-16276</guid> <description>Someone had to point out that for us UK readers &quot;nonce&quot; is an extremely widely used and understood slang for a paedophile, which makes virtually every statement above extremely &quot;humorous&quot;. Sorry to be childish, but I assure you it&#039;s true. http://www.google.es/search?hl=en&amp;rlz=1B3GGGL_en-GBES329ES329&amp;q=nonce+uk&amp;btnG=Search</description> <content:encoded><![CDATA[<p>Someone had to point out that for us UK readers "nonce" is an extremely widely used and understood slang for a paedophile, which makes virtually every statement above extremely "humorous". Sorry to be childish, but I assure you it's true. <a
href="http://www.google.es/search?hl=en&amp;rlz=1B3GGGL_en-GBES329ES329&amp;q=nonce+uk&amp;btnG=Search" rel="nofollow">http://www.google.es/search?hl=en&amp;rlz=1B3GGGL_en-GBES329ES329&amp;q=nonce+uk&amp;btnG=Search</a></p> ]]></content:encoded> </item> <item><title>By: Oude WordPress installaties worden aangevallen : WordPress Dimensie</title><link>http://www.prelovac.com/vladimir/improving-security-in-wordpress-plugins-using-nonces/comment-page-1#comment-15165</link> <dc:creator>Oude WordPress installaties worden aangevallen : WordPress Dimensie</dc:creator> <pubDate></pubDate> <guid
isPermaLink="false">http://www.prelovac.com/vladimir/?p=803#comment-15165</guid> <description>[...] Vladimir Prelovac – Improving security in WordPress Plugins using Nonces [...]</description> <content:encoded><![CDATA[<p>[...] Vladimir Prelovac – Improving security in WordPress Plugins using Nonces [...]</p> ]]></content:encoded> </item> <item><title>By: Hangman</title><link>http://www.prelovac.com/vladimir/improving-security-in-wordpress-plugins-using-nonces/comment-page-1#comment-14138</link> <dc:creator>Hangman</dc:creator> <pubDate></pubDate> <guid
isPermaLink="false">http://www.prelovac.com/vladimir/?p=803#comment-14138</guid> <description>Thanks a lot for this!</description> <content:encoded><![CDATA[<p>Thanks a lot for this!</p> ]]></content:encoded> </item> <item><title>By: Lukas</title><link>http://www.prelovac.com/vladimir/improving-security-in-wordpress-plugins-using-nonces/comment-page-1#comment-13976</link> <dc:creator>Lukas</dc:creator> <pubDate></pubDate> <guid
isPermaLink="false">http://www.prelovac.com/vladimir/?p=803#comment-13976</guid> <description>Exactly what I was looking for! Thanks.</description> <content:encoded><![CDATA[<p>Exactly what I was looking for! Thanks.</p> ]]></content:encoded> </item> <item><title>By: iamduyu</title><link>http://www.prelovac.com/vladimir/improving-security-in-wordpress-plugins-using-nonces/comment-page-1#comment-13902</link> <dc:creator>iamduyu</dc:creator> <pubDate></pubDate> <guid
isPermaLink="false">http://www.prelovac.com/vladimir/?p=803#comment-13902</guid> <description>thanks, it&#039;s just what i&#039;m looking for.</description> <content:encoded><![CDATA[<p>thanks, it's just what i'm looking for.</p> ]]></content:encoded> </item> <item><title>By: Naomi</title><link>http://www.prelovac.com/vladimir/improving-security-in-wordpress-plugins-using-nonces/comment-page-1#comment-11076</link> <dc:creator>Naomi</dc:creator> <pubDate></pubDate> <guid
isPermaLink="false">http://www.prelovac.com/vladimir/?p=803#comment-11076</guid> <description>Does this still ring true for WordPress 2.7 and above?</description> <content:encoded><![CDATA[<p>Does this still ring true for WordPress 2.7 and above?</p> ]]></content:encoded> </item> <item><title>By: Firewalling and Hack Proofing Your WordPress Blog &#171; Lorelle on WordPress</title><link>http://www.prelovac.com/vladimir/improving-security-in-wordpress-plugins-using-nonces/comment-page-1#comment-10694</link> <dc:creator>Firewalling and Hack Proofing Your WordPress Blog &#171; Lorelle on WordPress</dc:creator> <pubDate></pubDate> <guid
isPermaLink="false">http://www.prelovac.com/vladimir/?p=803#comment-10694</guid> <description>[...] Vladimir Prelovac - Improving security in WordPress Plugins using Nonces [...]</description> <content:encoded><![CDATA[<p>[...] Vladimir Prelovac - Improving security in WordPress Plugins using Nonces [...]</p> ]]></content:encoded> </item> </channel> </rss>