Questions tagged [nonce]
A random number that is used only once. It is generated at the beginning of a communication by one communication partner and has to be sent back by the other one in order to prevent replay attacks.
92 questions
1 vote
1 answer
87 views
Combining nonce and CSRF for HTTP form submission
I'd like to verify the following idea for combining form submission nonces and CSRF tokens. They are different concepts, but I believe we can achieve both protections with a single solution. I believe ...
0 votes
1 answer
749 views
Angular's recommended CSP doesn't make sense to me
I am trying to implement a CSP policy for our Angular 18 application based on Angular's CSP recommendation and I have found that their recommendation does not make sense to me. Specifically their use ...
5 votes
2 answers
2k views
What's a good way to append a nonce to ciphertext in Python for AES GCM in Python?
I'm not a security expert, so please excuse this question if it's silly, but I would really like an answer. I am using AES GCM to encrypt and would like to combine the randomly generated nonce with ...
2 votes
1 answer
1k views
Is it secure to send JWT tokens in url query parameters if we use nonce to make it a one time token?
Websockets don't support sending auth tokens during websocket handshake as part of HTTP headers, rather only via query parameters. This has a security risk of leaking these tokens in server logs. ...
4 votes
1 answer
2k views
What purpose do nonces serve in the TLS 1.3 handshake?
In general, I understand that nonces are used to prevent replay attacks, but in the case of a TLS 1.3 handshake, the Client/Server Hello message contains their public keys. Considering that keys are ...
2 votes
1 answer
419 views
Possible scenario for replay attack in ACME protocol
The ACME protocol defines the use of a replay nonce to prevent replay attacks. I understand what replay attacks are and why it's important to prevent them in certain scenarios. But I can't think of a ...
6 votes
1 answer
884 views
Adding salt to TOTP
I'm building a high velocity auth system, used both for user to machine and machine to machine authentication and authorization. To prevent a replay attack I'm adding a nonce to each request, but in ...
5 votes
2 answers
1k views
How to properly manage WebAuthn challenges?
I'm in the process of evaluating adding WebAuthn/Passkey support to a website, and I'm not really sure how to properly manage challenge nonces. My understanding is that the main reason for using ...
0 votes
2 answers
639 views
Verifying that certain data is encrypted (or at least indistinguishable from random data)
Question The question is in the title, but here are more details: I want my server to have an upload endpoint (single POST for small data or multipart for larger data) where clients can upload data. ...
1 vote
1 answer
4k views
What is cnonce in Digest Authentication
In digest authentication we use something that is called cnonce. According to RFC7616: This parameter MUST be used by all implementations. The cnonce value is an opaque quoted ASCII-only string value ...
2 votes
0 answers
115 views
How to obtain "wp_rest" nonce for WP Statistics plugin manually?
During my pentest of a client's websites I stumbled upon the WP with vulnerable WP Statistics plugin installed. To exploit this vulnerability, I should send a JSON-API request to endpoint /json-api/wp-...
2 votes
1 answer
890 views
Openid nonce replay attack in auth code flow
Looking at this question Openid connect nonce replay attack and the answer by @benbotto. I understand the replay attack in implicit flow but am unable to understand it for auth code flow. Let's say an ...
1 vote
1 answer
328 views
Can I use part of PBKDF2 output as an IV (nonce)?
SHA-256 generates a 32-byte hash. Is it a safe practice to use the first 16 as an IV (nonce) and the second 16 as a key? What other things should I consider when using PBKDF2 in a scenario like this? ...
0 votes
0 answers
235 views
Using predictable incrementing nonces
I need validation / feedback please with the implementation of a web based client-server application that I am building. I need to make sure that a client's cookies can't be hijacked and therefore I ...
0 votes
3 answers
1k views
Multiple devices encrypting data using the same key?
I want to implement a service that can't read the data you store there. The idea is that I, like in a password manager, use the password to derive a vault key, which is different from the ...