Nonces and Cache

I know this question is ancient, but no, it’s not very secure.

Anyone with knowledge of the AJAX endpoint would be able to generate valid nonces, which defeats the purpose in the first place.

That being said, nonces are a low level defence in the first place: they only stop the simplest of attacks. A clever attacker would have crawled your homepage to begin with, and gobbled up all the nonces (which has a default lifespan of 24 hours these days), and then just use that nonce for the attack. Your AJAX endpoint simply makes that task slightly easier.

EDIT

As Janh pointed out, as long as nonces are user specific, meaning a nonce will only work for a specific user, if so, an ajax generated nonce should be fine. You will probably need to send a bit more information via the AJAX endpoint though, so the returned nonce is tied to the correct user.

Related Posts:

  1. Should wordpress nonce be placed in html form or in javascript file
  2. Is it safe to assume that a nonce may be validated more than once?
  3. Multiple ajax nonce requests
  4. Nonces, AJAX, script variables & security in WordPress
  5. How do I check if AJAX nonces are implemented correctly?
  6. WP Admin AJAX Security – using POST to include a relative URL
  7. ajax nonce verification failing
  8. Cache plugins and ajax nonce verification
  9. Why does check_ajax_referer give a 403 error on https websites?
  10. Using nonce when loading posts with AJAX
  11. Ajax Security regarding user priviliges and nonces
  12. jQuery’s .on() method combined with the submit event
  13. How to get a unique nonce for each Ajax request?
  14. WordPress Ajax Data Security
  15. Nonces can be reused multiple times? Bug / Security issue?
  16. Is wp_nonce_field vulnerable if you know the action name?
  17. How to HTML5 FormData Ajax
  18. admin-ajax.php doesn’t work when using POST data and Axios
  19. Contact Form 7 Custom Post Action
  20. Custom Form with Ajax
  21. ajax – why multiple calls to wp_create_nonce() return same value?
  22. AJAX vs Fragment Caching for W3 Total Cache [closed]
  23. How to link WordPress heartbeat to ajax form
  24. How to add WordPress nonces to ajax request
  25. Ajax form submission from admin panel
  26. Security – Ajax and Nonce use [closed]
  27. Nonces and Ajax request to REST API and verification
  28. Serving nonces through AJAX is not refreshing nonce, returning 403 error
  29. wp_verify_nonce always returns false when logged in as admin
  30. Confused on AJAX submit form through page template
  31. ajax and nonce when JavaScript is in a seperate file
  32. how to use reCaptcha v3 in wordpress custom login form?
  33. When is it useful to use wp_verify_nonce
  34. wp_verify_nonce doesn’t return true on server when it matches the nonce
  35. Nonce actions and names available via open source
  36. Why does WordPress Heartbeat login not refresh the nonces?
  37. Prevent page reload after ajax form submission
  38. wp-admin AJAX with Fetch API is done without user
  39. submitting form via admin-ajax.php returns 0
  40. Admin Ajax and HTML5 Formdata
  41. Can a wp_nonce created from domain 1 to be verified on domain 2?
  42. jQuery Ajax passing empty parameters to my function?
  43. Is it safe to manually sign a user in using AJAX?
  44. Using ajax with wordpress
  45. Using AJAX with Forms
  46. Identical wp_rest nonce returned from rest_api
  47. Ajax image upload with media_handle_upload and form.js
  48. wp_create_nonce function doesn’t work inside a plugin?
  49. Caching-Plugins and Ajax-Page-Parts
  50. SSO autologin WordPress + Ajax
  51. Ajax post returning full html page as response
  52. Should I check for privileges before hooking into `wp_ajax_$handle` or after?
  53. Sending variable from ajax on form submit
  54. contact form ajax empty response error message
  55. Cache wp-json/posts without a plugin?
  56. Nonce fails on ajax save
  57. Can’t trigger an AJAX function with a submit button in the dashboard
  58. Dynamically add more fields/remove last field in a form
  59. Is it secure to use admin-ajax.php in front?
  60. Unable to successfully verify nonce
  61. Using admin-ajax prevents regular php form submission
  62. Specify ABSPATH in jQuery url
  63. ajax form is returning the dreaded “[HTTP/1.1 400 Bad Request” and a zero
  64. javascript ajax and nonce
  65. How to check nonce lifetime value of plugins?
  66. Output multi-steps form results in same page
  67. Using get_theme_mod in php ajax form doesn’t work
  68. How to create a form button that executes a function?
  69. How to stop being directed to admin.php after sending request to admin-ajax.php
  70. 200 return code on ‘POST /wp-admin/admin-ajax.php’ while NOT logged in
  71. Custom RPC end-point security best pratice?
  72. How to display contact form 7 form in vanilla js without jquery in frontend
  73. Prevent AJAX caching from plugin
  74. Add Server Side validation in Ajax mail form
  75. How to send automatic response after form submission without plugin
  76. How to prevent my external API call from being called by anyone but me (my site)
  77. Opening Modal popup on Ajax form submission
  78. wp_verify_nonce not working on the mobile device
  79. How do I mitigate replay attacks when talking about actions that shouldn’t happen twice?
  80. admin-ajax.php 403 errors – no caching, permissions are fine
  81. whether a nonce is required for get type and get_query_var?
  82. check_ajax_reffer not working when logged
  83. Registration form AJAX check for existing username (simple version)
  84. Issue developing an AJAX form with WordPress
  85. How to safely pass post_id and user_id via AJAX to the backend (prevent user from changing it via JS)?
  86. Ajax show custom post data form & script
  87. AJAX form not working, still reloads on submit
  88. CSRF attack to create USER
  89. Using AJAX on Contact-form the WordPress way
  90. Error while submitting form using AJAX and php
  91. Ajax contact form returnig 0
  92. How to use nonces for frontend AJAX voting if the page gets cached?
  93. Ajax Form data is not posted back to the get_results()
  94. Using AJAX for dynamic settings pages
  95. Manually cache a special, non-WP-but-using-WP page (e.g. Ajax results) with W3TC
  96. Ajax Form seems to post, but does not return
  97. Caching for logged in user and Ajax update
  98. Bad Request when adding new post via ajax form
  99. WordPress wp_localize_script nonce and ajax URL
  100. Why are the most recent posts not appearing in a fetch request, unless I’m logged in?

Leave a Comment