wp_nonce vs jwt

What I haven’t thought of is that I could use wp_nonce instead of jwt – create nonce on backend, store it on frontend and send it with every request till it expires.

What drawbacks does wp nonce method have vs jwt method?

Using nonces as a replacement for an authentication protocol, or as a session identifier would be insecure. A nonce is not an authentication or identifying token.

Using it as an authentication token is not going to work, or rather it will function but it will have incredibly weak security.

The purpose of a nonce is to prove that when a user takes an action, that they intended to take that action, that the request was deliberate. It is not proof that the user are who they said they are, and it provides no guarantees in relation to identity.

If they are used in authentication it is as a test to detect replay attacks and avoid a recorded login request being resent by an attacker, but they can’t be used to verify and login a user.

TLDR: This is a bad idea, nonces cannot be used as authenticators. stick to a known good method that is well defined and battle hardened if you want security and safety.

And don’t roll your own crypto

Lets test just how secure a WP nonce would be, at the time of writing, this is the implementation WP uses:

function wp_create_nonce( $action = -1 ) {
    $user = wp_get_current_user();
    $uid  = (int) $user->ID;
    if ( ! $uid ) {
        /** This filter is documented in wp-includes/pluggable.php */
        $uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
    }
 
    $token = wp_get_session_token();
    $i     = wp_nonce_tick();
 
    return substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
}

In the proposed scheme, this would be simplified down to:

function wp_create_nonce( $action = -1 ) {
    $i     = wp_nonce_tick();
    return substr( wp_hash( $i . '|' . $action . '||', 'nonce' ), -12, 10 );
}

So a user would need to know the action, the nonce tick, and the salt used by wp_hash. We will know the action, the nonce tick is a simple time calculation with some rounding, therefore we just need to bruteforce the salt.

We can do this by adjusting wp_create_nonce to use a version of wp_hash that cycles through every possible value for wp_salt. This will give us either the AUTH_SALT or SECURE_AUTH_SALT in wp-config.php.

From there on a chain of events occurs that allows us to impersonate anybody on your site. Mitigating this would involve the nonce_user_logged_out and devising a scheme to insert more user session based data, but this just delays the inevitable.

Related Posts:

  1. WP REST API: check if user is logged in
  2. Can’t GET draft posts via REST API from headless frontend
  3. WP REST API – Nonce passes wp_verify_nonce even after logout
  4. How to force JWT auth for default GET endpoints of WordPress rest api?
  5. Rest API: wp_verify_nonce() fails despite receiving correct nonce value
  6. Log in user using WordPress REST API
  7. Register rest field authentication with REST API
  8. How to: Make JWT-authenticated requests to the WordPress API
  9. Verify nonce in REST API?
  10. WordPress Rest API: How do we validate with our custom API key?
  11. WordPress REST API call generates nonce twice on every call
  12. How to Authenticate WP REST API with JWT Authentication using Fetch API
  13. authentication issue with rest api – rest_cannot_create
  14. Can I authenticate with both WooCommerce consumer key and JWT?
  15. How to login to WordPress site using basic authentication HTTP headers?
  16. Can we access the REST request parameters from within the permission_callback to enforce a 401 by returning false?
  17. WordPress REST API “rest_authentication_errors” doesn’t work external queries?
  18. Create Session with JWT
  19. Full page NGINX (or Cloudflare) caching and WordPress nonces
  20. WordPress REST API, Expired Nonce from Cache results in 403 forbidden
  21. Passing a borrowed nonce through Postman fails
  22. how to send Ajax request in wordpress backend
  23. permission_callback has no effect
  24. WP REST API GET Requests require authentication
  25. current_user_can(‘administrator’) returns false when I’m logged in
  26. Authenticating with REST API
  27. Make authorization mandatory on custom routes
  28. Authentication with the Rest API when using an External Application
  29. REST API: best place to set current user for JWT auth?
  30. WordPress + REST API v2 and private pages Load by slug
  31. REST API authentication for a plugin
  32. PHP: authenticate for a REST request?
  33. Is it Ok to restrict Access-Control-Allow-Origin for /wp-json requests?
  34. Rest API basic auth not working
  35. Authenticate current user to REST API
  36. Getting 401 from ajax using an application password
  37. How to connect android app with WordPress website?
  38. WordPress REST API calls that depend on the WordPress User
  39. Backbone with custom rest endpoints
  40. WordPress HTTP API NTLM Authentication
  41. Advanced Access Manager: RESTful endpoint to refresh token
  42. Best Authetication between REST API and Mobile App
  43. How to verify which WordPress user requested the API in ASP .NET Core?
  44. Secure WordPress API, how?
  45. register/login api
  46. How can I secure my custom rest api endpoint or add under a already existing rest group
  47. REST API Integration without user account?
  48. WP REST API with Basic Auth at target website
  49. Is my WordPress site handing out sensitive information/misconfigured?
  50. Securing REST API wp-json/wp/v2/users endpoint
  51. Cant POST with REST API on WordPress
  52. REST API – Authentication/Logon security
  53. Rest API nonce is being cached
  54. custom REST endpoints and application passwords
  55. wordpress rest api authentication failed
  56. WordPress 4.7.1 REST API still exposing users
  57. Adding WordPress API Endpoint With Multiple Parameters
  58. Basic auth WordPress REST API dilemma
  59. Match REST API post output from custom endpoint
  60. Handling nonce generation in AJAX registration process
  61. Build on same WordPress or different install?
  62. Not all featured image sizes available in Rest API
  63. When must I use and verify nonce?
  64. How to block all REST API endpoint except which I wrote custom?
  65. Identical wp_rest nonce returned from rest_api
  66. Authentication with internal WP_REST_Request and rest_do_request()
  67. WordPress Rest API custom endpoint for RSS feed
  68. How to add a custom REST field to limit data when fetching?
  69. WordPress JSON data to and from database to be shown on rest point
  70. rest api request including meta_query filter
  71. wp_nonce_field displaying twice
  72. Is it safe to use a global wp nonce per user instead of a nonce per action?
  73. Filter DELETE REST API calls
  74. JWT on Woocommerce cannot work with “Customer” role user
  75. Update user meta via REST API?
  76. How to call wp plugin REST functions without curl?
  77. Disable part of endpoints wordpress api
  78. Get a term object using getEntityRecords
  79. Restrict Access without Creating Users
  80. How to add an endpoint to WP
  81. How to set up the REST API to refer to media on a CDN
  82. REST API connection on another site with post information and permalink
  83. trigger WordPress rest any API call
  84. Uploading picture via REST API
  85. How to modify the HTML output of Gutenberg block? (Youtube)
  86. whether a nonce is required for get type and get_query_var?
  87. Can I use REST API if the site is protected with .htpasswd
  88. CSRF attack to create USER
  89. Accessing secure endpoint with X-WP-Nonce?
  90. Return all custom taxonomy terms for post in REST API v2? Currently limited to 10 terms
  91. Rest api request throttling
  92. Properly process a custom WP REST API request (Authenticate, Authorize + Validate)?
  93. Social login authentication via wordpress rest api
  94. Calling a Rest API with parameters on button Click
  95. WordPress json – How to use the content rendered from json
  96. WordPress REST API function not calling from external site
  97. Issue with API after 6.2 update
  98. Verify user login and password over api
  99. WordPress User Registration/ Sign Up -> Able to take Paid Certification Courses & keep track of Completed Certificates
  100. Block Root REST API Route using custom &/or iThemes