Nonces and Cache

I know this question is ancient, but no, it’s not very secure.

Anyone with knowledge of the AJAX endpoint would be able to generate valid nonces, which defeats the purpose in the first place.

That being said, nonces are a low level defence in the first place: they only stop the simplest of attacks. A clever attacker would have crawled your homepage to begin with, and gobbled up all the nonces (which has a default lifespan of 24 hours these days), and then just use that nonce for the attack. Your AJAX endpoint simply makes that task slightly easier.

EDIT

As Janh pointed out, as long as nonces are user specific, meaning a nonce will only work for a specific user, if so, an ajax generated nonce should be fine. You will probably need to send a bit more information via the AJAX endpoint though, so the returned nonce is tied to the correct user.

Related Posts:

  1. Should wordpress nonce be placed in html form or in javascript file
  2. Is it safe to assume that a nonce may be validated more than once?
  3. Multiple ajax nonce requests
  4. Nonces, AJAX, script variables & security in WordPress
  5. How do I check if AJAX nonces are implemented correctly?
  6. WP Admin AJAX Security – using POST to include a relative URL
  7. ajax nonce verification failing
  8. Cache plugins and ajax nonce verification
  9. Why does check_ajax_referer give a 403 error on https websites?
  10. Using nonce when loading posts with AJAX
  11. Ajax Security regarding user priviliges and nonces
  12. How to stop a nonce from being cached in an inline script, or alternatives to regenerate it if expired?
  13. nonce_user_logged_out to assign guests unique nonces breaks ajax calls
  14. jQuery’s .on() method combined with the submit event
  15. How to get a unique nonce for each Ajax request?
  16. WordPress Ajax Data Security
  17. Nonces can be reused multiple times? Bug / Security issue?
  18. Is wp_nonce_field vulnerable if you know the action name?
  19. How to HTML5 FormData Ajax
  20. admin-ajax.php doesn’t work when using POST data and Axios
  21. Contact Form 7 Custom Post Action
  22. Custom Form with Ajax
  23. ajax – why multiple calls to wp_create_nonce() return same value?
  24. Using Nonces for AJAX that only retrieves data
  25. AJAX vs Fragment Caching for W3 Total Cache [closed]
  26. How to verify nonce from Bulk/Quick Edit in save_post?
  27. How to link WordPress heartbeat to ajax form
  28. How to add WordPress nonces to ajax request
  29. Ajax form submission from admin panel
  30. Security – Ajax and Nonce use [closed]
  31. Nonces and Ajax request to REST API and verification
  32. Ajax function returns -1
  33. Serving nonces through AJAX is not refreshing nonce, returning 403 error
  34. wp_verify_nonce always returns false when logged in as admin
  35. Confused on AJAX submit form through page template
  36. ajax and nonce when JavaScript is in a seperate file
  37. how to use reCaptcha v3 in wordpress custom login form?
  38. When is it useful to use wp_verify_nonce
  39. wp_verify_nonce doesn’t return true on server when it matches the nonce
  40. Nonce actions and names available via open source
  41. AJAX requests broken due to HTTPS for wp-admin
  42. Why does WordPress Heartbeat login not refresh the nonces?
  43. Prevent page reload after ajax form submission
  44. wp-admin AJAX with Fetch API is done without user
  45. submitting form via admin-ajax.php returns 0
  46. Admin Ajax and HTML5 Formdata
  47. How to check an ajax nonce in PHP
  48. Can a wp_nonce created from domain 1 to be verified on domain 2?
  49. jQuery Ajax passing empty parameters to my function?
  50. Is it safe to manually sign a user in using AJAX?
  51. Using ajax with wordpress
  52. Using AJAX with Forms
  53. how to send Ajax request in wordpress backend
  54. Identical wp_rest nonce returned from rest_api
  55. wp_create_nonce() in REST API makes user->ID zero
  56. Ajax image upload with media_handle_upload and form.js
  57. wp_create_nonce function doesn’t work inside a plugin?
  58. Caching-Plugins and Ajax-Page-Parts
  59. SSO autologin WordPress + Ajax
  60. Ajax post returning full html page as response
  61. Should I check for privileges before hooking into `wp_ajax_$handle` or after?
  62. Sending variable from ajax on form submit
  63. contact form ajax empty response error message
  64. Cache wp-json/posts without a plugin?
  65. Nonce fails on ajax save
  66. Can’t trigger an AJAX function with a submit button in the dashboard
  67. Dynamically add more fields/remove last field in a form
  68. Ajaxify Form That Submits To Same Page To Display Post Data [closed]
  69. Is it secure to use admin-ajax.php in front?
  70. Unable to successfully verify nonce
  71. Nonce doesn’t validate in nopriv call
  72. Should I use wp_nonce_field on my contact form?
  73. Using admin-ajax prevents regular php form submission
  74. Specify ABSPATH in jQuery url
  75. WordPress is creating nonce as a logged in user but verifying it incorrectly
  76. ajax form is returning the dreaded “[HTTP/1.1 400 Bad Request” and a zero
  77. javascript ajax and nonce
  78. How to check nonce lifetime value of plugins?
  79. Output multi-steps form results in same page
  80. Using get_theme_mod in php ajax form doesn’t work
  81. How to create a form button that executes a function?
  82. How to stop being directed to admin.php after sending request to admin-ajax.php
  83. 200 return code on ‘POST /wp-admin/admin-ajax.php’ while NOT logged in
  84. Custom RPC end-point security best pratice?
  85. How to display contact form 7 form in vanilla js without jquery in frontend
  86. Prevent AJAX caching from plugin
  87. Add Server Side validation in Ajax mail form
  88. How to send automatic response after form submission without plugin
  89. How to prevent my external API call from being called by anyone but me (my site)
  90. Opening Modal popup on Ajax form submission
  91. WordPress wp_localize_script nonce and ajax URL
  92. Why are the most recent posts not appearing in a fetch request, unless I’m logged in?
  93. WordPress REST API FormData: Form Not Submitted When No Files Attached
  94. How to make Contact Form 7 work when injected via AJAX in WordPress?
  95. How do i set up ajax nonce
  96. admin-ajax.php won’t load without logging as admin- JSON Parse error: Unexpected EOF
  97. How does the security of admin_ajax.php work?
  98. Catch Form value at AJAX Form submit
  99. Nonce verification problem when logging in after a logout
  100. Is there a solution to expired nonces in forms when using full page caching that doesn’t involve configuring the cache?

Leave a Comment

Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)