A nonce is supposed to first help me against CSRF, and helping against replay attacks is just a bonus if I "personalize" the nonce to something like pay-user-{id}, but here's the problem: if my link looked like /wordpress/admin_ajax.php?action=pay-user&id=20&security=ej3548, I have 2 cases to take care of:
- I created a nonce without the specific user ID, pay-user: if an attacker obtains the nonce, he can make me click that link and pay any user.
- I created a nonce with the specific user ID, pay-user-{id}: if an attacker obtains the nonce, he can only make me replay that request, since the nonce was made to verify that specific (to {id}) action.
But that's still an issue in a lot of cases; paying someone is a prime example. I can't be made to pay someone else, but if I make that request 10 times, I'll pay that specific person 10 times.
Is there no specific "per request" hashing?
What to do?
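The two cases in the question, plus the per-request alternative it asks about, as an added Python model (not code from the question, and not WordPress code): `create_nonce()`/`verify_nonce()` imitate only the shape of `wp_create_nonce()`/`wp_verify_nonce()` (an HMAC over tick|action|user|session, truncated, valid for the current and previous 12-hour tick), so the key, the session string, the user ids and the timestamps are all constructed for the example. The `OneTimeTokenStore` is the part WordPress core does not give you: a random token stored server-side with its binding and deleted on first use, which is what actually stops the tenth payment.

```python
"""Constructed model: action-bound nonces (replayable) vs. single-use tokens (not)."""
import hashlib
import hmac
import secrets
import time

NONCE_KEY = b"example-nonce-key-not-for-production"  # assumption: stands in for the WP salts
NONCE_LIFE = 24 * 60 * 60                             # WordPress default: 24 h, as two 12 h ticks


def _tick(now):
    return int(now / (NONCE_LIFE / 2))


def create_nonce(action, user_id, session, now=None):
    """Action-bound nonce. Anything not folded into `action` (e.g. the payee id) is unprotected."""
    now = time.time() if now is None else now
    msg = f"{_tick(now)}|{action}|{user_id}|{session}".encode()
    return hmac.new(NONCE_KEY, msg, hashlib.sha256).hexdigest()[-12:-2]


def verify_nonce(nonce, action, user_id, session, now=None):
    """Valid for the current and the previous tick; nothing records that it was already used."""
    now = time.time() if now is None else now
    return any(
        hmac.compare_digest(nonce, create_nonce(action, user_id, session, now + delta))
        for delta in (0, -NONCE_LIFE / 2)
    )


def pay_user_with_nonce(params, user_id, session, bind_payee, now=None):
    """The admin-ajax handler from the question: nonce action is 'pay-user' or 'pay-user-{id}'."""
    action = f"pay-user-{params['id']}" if bind_payee else "pay-user"
    return verify_nonce(params["security"], action, user_id, session, now)


class OneTimeTokenStore:
    """Per-request tokens: random, stored server-side with their binding, removed on first use."""

    def __init__(self, ttl=600):
        self.ttl = ttl
        self._tokens = {}   # token -> (user_id, action, payee_id, expires_at)

    def issue(self, user_id, action, payee_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user_id, action, payee_id, now + self.ttl)
        return token

    def consume(self, token, user_id, action, payee_id, now=None):
        now = time.time() if now is None else now
        entry = self._tokens.pop(token, None)   # burned even when the check below fails
        if entry is None:
            return False
        uid, act, payee, expires = entry
        return (uid, act, payee) == (user_id, action, payee_id) and now < expires


def pay_user_with_token(store, params, user_id, now=None):
    """Same handler, but the 'security' parameter is a single-use token bound to the payee."""
    return store.consume(params["security"], user_id, "pay-user", int(params["id"]), now)


def demo():
    user, session, t0 = 7, "sess-abc", 1_700_000_000.0   # constructed victim session and clock
    r = {}
    # Case 1: nonce for plain "pay-user": attacker rewrites id=20 to id=21 and it still verifies.
    n = create_nonce("pay-user", user, session, t0)
    r["unbound_pays_other"] = pay_user_with_nonce({"id": "21", "security": n}, user, session, False, t0)
    # Case 2: nonce for "pay-user-20": changing the payee fails, but replaying the same link works.
    n20 = create_nonce("pay-user-20", user, session, t0)
    r["bound_rejects_other"] = pay_user_with_nonce({"id": "21", "security": n20}, user, session, True, t0)
    r["bound_first"] = pay_user_with_nonce({"id": "20", "security": n20}, user, session, True, t0)
    r["bound_replay"] = pay_user_with_nonce({"id": "20", "security": n20}, user, session, True, t0 + 60)
    # Single-use token: first use succeeds; replay, and a token spent on a tampered payee, both fail.
    store = OneTimeTokenStore()
    tok = store.issue(user, "pay-user", 20, t0)
    r["token_first"] = pay_user_with_token(store, {"id": "20", "security": tok}, user, t0)
    r["token_replay"] = pay_user_with_token(store, {"id": "20", "security": tok}, user, t0 + 60)
    tok2 = store.issue(user, "pay-user", 20, t0)
    r["token_other_payee"] = pay_user_with_token(store, {"id": "21", "security": tok2}, user, t0)
    r["token_burned_after_tamper"] = pay_user_with_token(store, {"id": "20", "security": tok2}, user, t0)
    return r


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The nonce half maps onto `wp_create_nonce('pay-user-' . $id)` and `check_ajax_referer('pay-user-' . $id, 'security')`; the single-use half has no core equivalent, so the token would have to live in something like a transient or a custom table keyed by the token, with the delete-on-read done before the payment is processed. Note that `consume()` pops the token before checking the binding, so a tampered request burns the token rather than leaving it valid for a second try.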