3

Fuck you "hackers"! You make my life miserable...

No longer can anyone simply enter their user name and password to enter an online app...

Now we as programmers have to leap from one fiery hoop on the precipice of a death defying cliff to another acidic hoop in some mystical forgotten cavern of the underworld just so our users can log in securely to our app... sigh... I'm looking at you Auth0 and Microsoft SSO / AAD !!!111oneeleven

I mean wtf even is a nonce?!

https://urbandictionary.com/define....

**gosh**

Comments
  • 8
    I'm so fuckin confused as to what a nonce has to do with your rant.

    It's time for me to sleep apparently.
  • 11
    It is a crypto term - means a random chunk of bytes.
    Same as this rant.
  • 4
    It can also be a random number or anything unpredictable. The whole point of csrf is that you send the user something he has to send back, that's tied to his session and changes on every request

    This way a foreign site can't replay your calls because the nonce won't match anymore, thus you prevent cross site forgery i.e. a different client pretending he's you because he captured or stole your requests and tried to replay them with modified data.

    For example if you send 50$ to your friend and an attacker captures that request and changes the recipient to his own account and tries to replay it to steal your money, he can't, because he doesn't know the new nonce and the old one was only valid for that one request that you already sent...

    In short, the nonce is to be repeated back to the server and a new one will be given, nothing else
  • 3
    Might want to read up a bit on security, it's definitely not something you want to deal with without prep.

    A nonce is basically a random number that's used once in a cryptographic setting. They're useful for initializing crypto algorithms, protecting from replay attacks, etc.
  • 7
    Are you fucking kidding me. You develop bloody webapps. A task that was suspiciously easy already in the 2000s. It gradually (and predictably) got harder, now it requires approximately a tenth of the effort needed for every single other fucking industry. And you whine about how security is hard.
  • 4
    @Lor-inc now this is what I downloaded dR for. Fuck that was satisfying to read, especially as a security guy.
  • 0
    @Lor-inc seriously I came here to rant and now you're ranting about me ranting... It's good to know that this place is not for ranting. Thanks
  • 2
    @AcidFoxx It is. That's what we're both doing. However, it's also a social platform, so arguments happen. Another consequence of it being a social media platform is that you are free to ignore my comment if it gives you bad feelings, you don't have a comeback, don't enjoy arguments, feel like I'm an idiot or don't want to admit that you're wrong. I wouldn't even know why you didn't answer, and that's fine.
  • 1
    @Hazarth So cross site forgery is a man in the middle attack?

    So a nonce can only be used once, but what if the hacker captures the next nonce and sends his request with it before you do it?
  • 2
    @Gregozor2121 Ah, no, it's not an MitM attack, I didn't describe it properly. It's closer to social engineering: as an attacker you want to convince the user to make a request that you "forged" or simply gave to him. Like say you get an email from Facebook that asks you to click a link to verify something, or to view the newest hot trends! Well, if the email is from an attacker he can instead send you a link that deletes your account, or messages someone, might even include JavaScript, but it essentially links to facebook.com and so the user's computer executes it there as a valid client, submits whatever forms the attacker wants to, and since you're already logged in or since you have no reason to not log in, you'll happily run the attacker's link and even log in yourself for him. The attacker can even include such a link on the website directly, let's say chat, forums, comments... However, what he can't do is predict the nonce, and the link won't work then, instead it can warn you
  • 2
    @Gregozor2121 simply put, if devrant wasn't protected, I could send you an email saying

    Dear devRanter,
    Check out this new swag we have!

    We will send you a free piece of swag if you <form action="www.devrant.com/newRant">
    <Input type="hidden" value="Hello, I clicked a link!">
    <Input type="submit" value="Click here!">
    </form>

    ...

    I could easily style the submit button as a link, the form is invisible for everything else, and if you click it and you're logged in it will execute or ask you to login first by devrant itself.

    However, if devrant uses csrf it would also expect me to send the correct nonce with that form, which I can't know because a new one is issued with each form (or any important request)
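
The per-request token check the comments above describe, as an added example that is not part of the thread or of devRant's code. `CsrfGuard`, `handle_new_rant`, the `csrf_token` field name and the session ids are hypothetical, and state is kept in memory for brevity.

```python
import hmac
import secrets


class CsrfGuard:
    """Per-session, single-use CSRF tokens (hypothetical helper, in-memory state)."""

    def __init__(self):
        self._pending = {}  # session_id -> tokens issued but not yet consumed

    def issue(self, session_id):
        """Return an unpredictable token to embed in a form served to this session."""
        token = secrets.token_urlsafe(32)
        self._pending.setdefault(session_id, set()).add(token)
        return token

    def verify(self, session_id, submitted):
        """Accept only a token issued to this session that has not been used yet."""
        if not isinstance(submitted, str) or not submitted:
            return False
        pending = self._pending.get(session_id, set())
        # Constant-time comparison on bytes; compare_digest rejects non-ASCII str.
        match = next((t for t in pending
                      if hmac.compare_digest(t.encode(), submitted.encode())), None)
        if match is None:
            return False
        pending.discard(match)  # single use: a replayed request fails
        return True


def handle_new_rant(guard, session_id, form):
    """Constructed stand-in for a state-changing endpoint; returns an HTTP status."""
    if not guard.verify(session_id, form.get("csrf_token")):
        return 403
    return 200


def demo():
    guard = CsrfGuard()
    token = guard.issue("session-A")   # embedded in the site's own form
    other = guard.issue("session-B")   # token that belongs to a different session
    return [
        handle_new_rant(guard, "session-A", {"text": "forged, no token"}),
        handle_new_rant(guard, "session-A", {"text": "x", "csrf_token": other}),
        handle_new_rant(guard, "session-A", {"text": "hi", "csrf_token": token}),
        handle_new_rant(guard, "session-A", {"text": "hi", "csrf_token": token}),
    ]
```

The four constructed requests are, in order: a form with no token, a token issued to another session, the legitimate submission, and a replay of that same submission.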