This is probably a noob question BUT hear me out – isn’t the point of using a Nonce to protect from things like scrapers (PHP curl scrapers etc.)? But my Nonce prints out in the head of the document like so:
/* <![CDATA[ */
var nc_ajax_getpost = {
...stuff...
getpostNonce: "8a3318a44c"
};
/* ]]> */
So if I was building a quick scraper I would just get the nonce value from that page and then use it in my POST…making the whole exercise of using a Nonce useless…
What am I missing here?
Nonces are unique to each logged-in user. You can’t scrape a logged-in user’s nonces unless you have their cookies. But if you have a user’s cookies, you’ve already stolen their identity and can do whatever you want.
Nonces are meant to protect against users being tricked into doing something they didn’t mean to do, by clicking a link or submitting a form. So they, themselves, perform this action (unintentionally), not the attacker.
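To make the answer concrete, here is an added plain-PHP model of how WordPress derives and checks its nonces (modelled on the wp_create_nonce / wp_verify_nonce scheme, but not WordPress's own code; the secret key, user id, session token and timestamps are constructed). It shows that the nonce a scraper reads from a page is bound to the scraper's own (anonymous) identity, so it does not verify for a logged-in user, and that nonces age out after two half-day ticks.

```php
<?php
// Added example, not WordPress's code: a model of the nonce scheme, showing
// that a nonce is derived from the user identity behind the request's cookies.

const NONCE_LIFE = 86400;                       // WordPress default: DAY_IN_SECONDS
const SECRET_KEY = 'constructed-placeholder-secret'; // stands in for NONCE_KEY/NONCE_SALT

// Half-day "tick": nonces rotate twice per lifetime, as in WordPress.
function nonce_tick(int $now): int {
    return (int) ceil($now / (NONCE_LIFE / 2));
}

// Derive a nonce for (action, user id, session token). The session token comes
// from the login cookie, so a visitor without that cookie is uid 0 with no token.
function create_nonce(string $action, int $uid, string $token, int $now): string {
    $tick = nonce_tick($now);
    $hash = hash_hmac('md5', "$tick|$action|$uid|$token", SECRET_KEY);
    return substr($hash, -12, 10);
}

// Returns 1 if minted in the current tick, 2 if in the previous tick, 0 if invalid.
function verify_nonce(string $nonce, string $action, int $uid, string $token, int $now): int {
    $tick = nonce_tick($now);
    foreach ([1 => $tick, 2 => $tick - 1] as $age => $t) {
        $expected = substr(hash_hmac('md5', "$t|$action|$uid|$token", SECRET_KEY), -12, 10);
        if (hash_equals($expected, $nonce)) {   // constant-time compare
            return $age;
        }
    }
    return 0;
}

// Constructed scenario: a logged-in user and an anonymous scraper hitting the same page.
$now    = 1700000000;
$victim = ['uid' => 42, 'token' => 'constructed-session-token'];
$anon   = ['uid' => 0,  'token' => ''];

$victimNonce  = create_nonce('nc_getpost', $victim['uid'], $victim['token'], $now);
$scrapedNonce = create_nonce('nc_getpost', $anon['uid'],   $anon['token'],   $now);

// The scraped nonce verifies only for the anonymous identity that received it.
var_dump(verify_nonce($scrapedNonce, 'nc_getpost', $anon['uid'],   $anon['token'],   $now));
var_dump(verify_nonce($scrapedNonce, 'nc_getpost', $victim['uid'], $victim['token'], $now));

// The victim's own nonce is accepted for one further tick, then rejected.
var_dump(verify_nonce($victimNonce, 'nc_getpost', $victim['uid'], $victim['token'], $now + NONCE_LIFE / 2));
var_dump(verify_nonce($victimNonce, 'nc_getpost', $victim['uid'], $victim['token'], $now + NONCE_LIFE));
```

Run with `php nonce_model.php`; the server-side check in a real handler is the same idea as `check_ajax_referer()`, which recomputes the nonce from the requesting user's own cookies rather than trusting the value in the request.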