Are Nonces Useless?

The question:

This is probably a noob question BUT hear me out – isn’t the point of using Nonce to protect from things like scrappers (phpcurl scrappers etc.)? But my Nonce prints out in the head of the document like so:

/* <![CDATA[ */
var nc_ajax_getpost = {
    ...stuff...
    getpostNonce: "8a3318a44c"
};
/* ]]> */

So if I was building a quick scrapper I would just get the nonce value from that page and then use it in my POST…making the whole exercise of using a Nonce useless…

What am I missing here?

The Solutions:

Below are the methods you can try. The first solution is probably the best. Try others if the first one doesn’t work. Senior developers aren’t just copying/pasting – they read the methods carefully & apply them wisely to each case.

Method 1

Nonces are unique to each logged-in user. You can’t scrape a logged-in user’s nonces unless you have their cookies. But if you have a user’s cookies, you’ve already stolen their identity and can do whatever you want.

Nonces are meant to protect against users being tricked into doing something they didn’t mean to do, by clicking a link or submitting a form. So they, themselves, perform this action (unintentionally), not the attacker.

Method 2

http://en.wikipedia.org/wiki/Cryptographic_nonce

“In security engineering, nonce is an arbitrary number used only once to sign a cryptographic communication. … It is often a random … authentication protocol to ensure that old communications cannot be reused in replay attacks. “

The idea is to stop the submitting of repeat data. You create a single-use unique identifier personal to you, so that when you submit data, it can only be done once. It has nothing to do with browsing your site. Which is what site scraping does. How would you differentiate between a scraping bot and a trawling bot (like Google)?


All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Comment