[wp-trac] [WordPress Trac] #50510: Improve security of wp_nonce implementation
WordPress Trac
noreply at wordpress.org
Thu Jun 24 19:13:20 UTC 2021
#50510: Improve security of wp_nonce implementation
-------------------------------+------------------------------
Reporter: chaoix | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Resolution:
Keywords: reporter-feedback | Focuses:
-------------------------------+------------------------------
Comment (by chaoix):
I have provided an updated implementation of my changes to the nonce
algoritm with more detailed comment.
The benefits of these changes are:
* Uses the sha512/sha256 hashing algorithm for increased nonce length and
performance improvements with longer nonce actions. Longer actions prevent
brute forcing of the nonce for known action names. MD5 was the previous
hashing algorithm used and is not secure enough for what nonces are being
used for in WordPress. https://en.wikipedia.org/wiki/MD5#Security
* Adds complexity to the nonce has algorithm to make them more difficult
to reverse engineer using rainbow tables.
* Adds a browser id to the nonce action to help prevent known hash reuse.
* Reject nonces from browsers with no or invalid user agent strings. This
will prevent lazy bots from submitting requests.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50510#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list