agiledigitalsolutions (@agiledigitalsolutions)

    I’ve just started using this plugin as I want to be able to register user accounts from a third party system.

    As I understand it, I call /api/get_nonce/?controller=user&method=register to get a nonce and then /api/user/register/?nonce=12345&username…… etc to create a user.

    How secure is this? If I’m able to retrieve a nonce and then use it to create a user, where is the layer of security to stop a hacker doing the same thing?

    Sorry if I’ve misunderstood or missed something, but the nonce almost seems irrelevant unless there is another layer of security I need to include?
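The two-call flow described in the question, modelled in Python as an added example (it is not the plugin's code and not the poster's): an unauthenticated get_nonce endpoint followed by a register endpoint whose only check is that nonce. The nonce is derived loosely the way WordPress derives nonces (a keyed hash over a time window and the action, with no user identity for a logged-out caller), so it proves that the request went through the get_nonce step, not who is calling. The second register endpoint shows one possible extra layer, an HMAC over the request with a secret shared only with the third-party system. ApiServer, NONCE_SALT, SHARED_SECRET, register_signed and the sample usernames are assumptions made for this illustration.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumptions for this example: a site-wide salt that stands in for the
# WordPress secret salts, and a secret known only to the site and the
# third-party system that is allowed to create accounts.
NONCE_SALT = b"constructed-site-salt"
SHARED_SECRET = b"constructed-shared-secret"
NONCE_LIFE_SECONDS = 24 * 60 * 60  # nonce validity, split into two half-life windows


def _tick(now: float) -> int:
    """Index of the current half-life window (nonces stay valid for two windows)."""
    return int(now // (NONCE_LIFE_SECONDS / 2))


def _nonce_for_tick(tick: int, action: str) -> str:
    # Keyed hash over window|action. There is no user id in the message because
    # the caller of get_nonce is anonymous, so the nonce carries no identity.
    msg = f"{tick}|{action}".encode()
    return hmac.new(NONCE_SALT, msg, hashlib.sha256).hexdigest()[:10]


def make_nonce(action: str, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    return _nonce_for_tick(_tick(now), action)


def verify_nonce(nonce: str, action: str, now: Optional[float] = None) -> bool:
    """Accept the current window and the previous one; reject everything else."""
    now = time.time() if now is None else now
    for tick in (_tick(now), _tick(now) - 1):
        if hmac.compare_digest(_nonce_for_tick(tick, action), nonce):
            return True
    return False


def sign_request(nonce: str, username: str, secret: bytes) -> str:
    """Extra layer (assumption): HMAC over the request fields with the shared secret."""
    return hmac.new(secret, f"{nonce}|{username}".encode(), hashlib.sha256).hexdigest()


class ApiServer:
    """Constructed stand-in for the site; users are kept in a dict."""

    def __init__(self) -> None:
        self.users: dict = {}

    def get_nonce(self, controller: str, method: str) -> str:
        # /api/get_nonce/?controller=user&method=register : no authentication at all
        return make_nonce(f"{controller}/{method}")

    def register(self, nonce: str, username: str) -> bool:
        # /api/user/register/?nonce=...&username=... : the nonce is the only check
        if not verify_nonce(nonce, "user/register"):
            return False
        self.users[username] = "created"
        return True

    def register_signed(self, nonce: str, username: str, signature: str) -> bool:
        # Same nonce check, plus proof that the caller holds SHARED_SECRET.
        if not verify_nonce(nonce, "user/register"):
            return False
        expected = sign_request(nonce, username, SHARED_SECRET)
        if not hmac.compare_digest(expected, signature):
            return False
        self.users[username] = "created"
        return True


def anyone_can_register(server: ApiServer) -> bool:
    """The flow from the question, run by a client that holds no credentials."""
    nonce = server.get_nonce("user", "register")
    return server.register(nonce, "constructed-unwanted-user")


def signed_flow(server: ApiServer, secret: bytes) -> bool:
    """The same flow with the extra layer: only a holder of the shared secret succeeds."""
    nonce = server.get_nonce("user", "register")
    signature = sign_request(nonce, "constructed-partner-user", secret)
    return server.register_signed(nonce, "constructed-partner-user", signature)


if __name__ == "__main__":
    print("nonce-only register succeeds for anyone:", anyone_can_register(ApiServer()))
    print("signed register with the secret:", signed_flow(ApiServer(), SHARED_SECRET))
    print("signed register without the secret:", signed_flow(ApiServer(), b"wrong"))
```

Run it and the first line is True: the nonce alone stops nothing, because the same anonymous caller fetched it. The HMAC layer is one of several options (an API key, HTTP basic auth over TLS, or restricting the endpoint to a trusted network would serve the same purpose); what matters is that the extra check depends on something the public cannot obtain from the site itself.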

Viewing 3 replies - 1 through 3 (of 3 total)
  • I believe the nonce is a randomly generated one-time-use token that allows registering; the nonce is sent over an HTTPS request, and the link to it should be hard to access. However, you are right: if a hacker can find your nonce link then… RIP.

    You need to change the name from /api/get_nonce, which I believe is the default, to something like /api/oahsd1uk12u31uk2g34y2jfv312h3bl1k2j3bj1243v1;3io45h34lk6jnb568jj7……… Make it 200 characters and call it a day. The security on the app should block recursive bad calls from the same IP address.

    I'm sorry, edit: you can't change the /get_nonce, but you can change the /api to something like /aosidhjasoudhaslkd1231241972y4129812b3hkj12312j3h12k3hgv124ljk2……/get_nonce. Again, 200 characters.

The topic ‘Security with get_nonce?’ is closed to new replies.