How do I check if AJAX nonces are implemented correctly?

Your code is incorrect in some subtle ways but to get why we first need to get back to what is a nonce in wordpress and what does it protect against.

A Nonce by the common definition is a number used only once and it is meant to fight replay attacks. In a replay attack you just replay a transaction (http request) without understanding its component to redo a user action. simple example where it can lead to bad situation is if someone could replay your shopping orders and cause you to order more of the same thing without you being involved. Typical situation you use someone else’s network (not sure if SSL helps or not here).

It was also discovered that nonce are a good way to avoid CSRF attacks as it is hard to predict the URL/parameters the attacker should use.

In wordpress the order of importance is reversed, the first priority is to fight CSRF attacks and fighting replay attacks have just a secondary importance. This leads into wordpress nonces being a “unique per day” number instead of the classical “one time” number.

so how does wordpress uses nonces to protect agaunst CSRF? it generates a nonce based on the context. You can see in the wp_create_nonce code

function wp_create_nonce($action = -1) {
    $user = wp_get_current_user();
    $uid = (int) $user->ID;
    if ( ! $uid ) {
        /** This filter is documented in wp-includes/pluggable.php */
        $uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
    }

    $token = wp_get_session_token();
    $i = wp_nonce_tick();

    return substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
}

That the context is the action name, the user id, and the current login session and this ensures that a different nonce will be generated for different actions, different users and even different sessions of the same user, therefor even if someone knows the nonce used for to do an action (lets say, delete a post) when doing it with his own user, he will not be able to trick you into deleting a post by constructing special URL with the same nonce.

And here is your fist mistake (which many do), which is trying to apply nonces to non logged in users. Without a user context whole of the nonce is derived just from the action, and an “attacker” can just share the same url to be used by non logged in users (or by a bot).

How to test that your code works correctly in preventing CSRF? if it is a simple URL, try to resend it when logged in as another user. It is easier to do with requests in which the url itself contains the nonce, but probably can be done with browser developer tools (change authentication cookies and re-send) or curl/wget.

The other part in which you code is lacking is a protection against a sort of a replay attack. Assuming I know that you liked post X, can I re transmit the request and cause it to be seen like you liked also post Y? Right now all I need to do is just change th post_id parameter of the request.

The way to protect against this kind of attacks is by having the action part of the nonce be dynamic and include in some way the important parameters, in your case the post id. Core usually uses actions of the kind delete-post-{post_id} which ensures that there will be a different nonce generated for different posts.

How to test? Using the browser developer tools, change the post id parameter to ensure the same nonce can not be used to favorite a different posts.

For phpunit type of testing you will probably want to write your own nonce generator that wraps the wordpress core nonce functions and check they do not give the same nonce for different users, different sessions, different actions, and different key request parameters.

Related Posts:

  1. Nonces and Cache
  2. Is it safe to assume that a nonce may be validated more than once?
  3. Multiple ajax nonce requests
  4. Nonces, AJAX, script variables & security in WordPress
  5. WP Admin AJAX Security – using POST to include a relative URL
  6. ajax nonce verification failing
  7. Why does check_ajax_referer give a 403 error on https websites?
  8. Using nonce when loading posts with AJAX
  9. Should wordpress nonce be placed in html form or in javascript file
  10. Ajax Security regarding user priviliges and nonces
  11. How to get a unique nonce for each Ajax request?
  12. WordPress Ajax Data Security
  13. Nonces can be reused multiple times? Bug / Security issue?
  14. How do I hook an Ajax request into a PHP callback?
  15. Using Nonces for AJAX that only retrieves data
  16. How to verify nonce from Bulk/Quick Edit in save_post?
  17. How to add WordPress nonces to ajax request
  18. Security – Ajax and Nonce use [closed]
  19. Nonces and Ajax request to REST API and verification
  20. Ajax function returns -1
  21. Serving nonces through AJAX is not refreshing nonce, returning 403 error
  22. wp_verify_nonce always returns false when logged in as admin
  23. ajax and nonce when JavaScript is in a seperate file
  24. How to use wp_send_json_error?
  25. wp_verify_nonce doesn’t return true on server when it matches the nonce
  26. AJAX requests broken due to HTTPS for wp-admin
  27. Why does WordPress Heartbeat login not refresh the nonces?
  28. wp-admin AJAX with Fetch API is done without user
  29. How to check an ajax nonce in PHP
  30. Can a wp_nonce created from domain 1 to be verified on domain 2?
  31. Is it safe to manually sign a user in using AJAX?
  32. how to send Ajax request in wordpress backend
  33. Identical wp_rest nonce returned from rest_api
  34. How to insert a record by clicking on the link using AJAX
  35. wp_create_nonce() in REST API makes user->ID zero
  36. SSO autologin WordPress + Ajax
  37. Should I check for privileges before hooking into `wp_ajax_$handle` or after?
  38. Nonce fails on ajax save
  39. Admin ajax add tag callback
  40. Is it secure to use admin-ajax.php in front?
  41. Unable to successfully verify nonce
  42. Cache plugins and ajax nonce verification
  43. Nonce doesn’t validate in nopriv call
  44. Ajax insert or update data
  45. WordPress is creating nonce as a logged in user but verifying it incorrectly
  46. javascript ajax and nonce
  47. How to check nonce lifetime value of plugins?
  48. 200 return code on ‘POST /wp-admin/admin-ajax.php’ while NOT logged in
  49. Custom RPC end-point security best pratice?
  50. How to prevent my external API call from being called by anyone but me (my site)
  51. wp_verify_nonce not working on the mobile device
  52. How do I mitigate replay attacks when talking about actions that shouldn’t happen twice?
  53. check_ajax_reffer not working when logged
  54. How to safely pass post_id and user_id via AJAX to the backend (prevent user from changing it via JS)?
  55. AJAX form not working, still reloads on submit
  56. How to use nonces for frontend AJAX voting if the page gets cached?
  57. Can I make an ajax response cross-domain?
  58. Using Javascript Callback from plugin in a theme
  59. WordPress wp_localize_script nonce and ajax URL
  60. jQuery’s .on() method combined with the submit event
  61. Why is die() used at the end of function that handles an Ajax request?
  62. Making my AJAX powered WordPress Crawlable
  63. Why is a 500 error generated by admin-ajax.php not going into the Apache error log?
  64. Verify nonce in REST API?
  65. admin-ajax.php doesn’t work when using POST data and Axios
  66. Custom Form with Ajax
  67. How to process ajax requests correctly using ajax plugins
  68. Handling nonces for actions from guests to logged-in users
  69. Gutenberg – how to correctly perform ajax request on backend
  70. get_template_part execute with ajax
  71. Is there a way to optimize function that is used for returning data in an ajax-call?
  72. get_posts empty when called via Ajax
  73. WP-API and Basic Auth returning 403 on POST but not GET
  74. Is there a hook to process a backbone restful PUT request inside wordpress?
  75. Check if username exist with AJAX
  76. How to localized one js file for different actions?
  77. Force redirect not logged in user to (wp-login.php or wp-admin) for specific page
  78. WordPress Ajax Not Working ( Custom Admin page)
  79. Load JavaScript from a post that’s loading into Fancybox via ajax
  80. Gravity form Load By Ajax Cannot Submit – Error 400
  81. How get child posts in custom post type by ajax?
  82. How to implement secure frontend image upload? [closed]
  83. What is the best way to do MyAjax error and success handling?
  84. Gravity Forms closes my popup on Validation Error [closed]
  85. I can’t get a return value from Ajax
  86. WordPress AJAX return 0 – My case
  87. Ajax call in wordpress not working for subscriber user
  88. Ajax call in WordPress – unable to display the data on the page
  89. What WP-API authentication method should I use to interact with anonymous / not-logged visitors?
  90. How to call ajax in plugin file
  91. javascript onClick update user_meta from jquery.ajax
  92. How to ignore WP_ERROR caused by “get_the_excerpt” method in an AJAX call?
  93. WP_Query is not received in Ajax
  94. Updating Jquery object with newly created elements after AJAX call
  95. enqueue style using admin-ajax.php
  96. Update user meta via ajax from frontend, saving issue
  97. How to get the admin page slug using wp_loaded hook?
  98. Edit user meta on front-end via AJAX
  99. How to paginate Ajax result
  100. AJAX: admin-ajax.php is adding extra content to my script’s response – how to exclude header, footer, etc.?