ajax – How do I mitigate replay attacks when talking about actions that shouldn’t happen twice?

A nonce is supposed to first help me against CSRF, and help against replay attacks is just a bonus if I “personalize” the nonce to something like pay-user-{id}. But here’s the problem: if my link looked like /wordpress/admin_ajax.php?action=pay-user&id=20&security=ej3548, I have 2 cases to take care of:

  1. I created a nonce without the specific user ID, pay-user – if an attacker obtains the nonce, he can make me click that link and pay any user.
  2. I created a nonce with the specific user ID, pay-user-{id} – if an attacker obtains the nonce, he can only make me replay that request, since the nonce was made to verify that specific (to {id}) action.

But that’s still an issue in a lot of cases; paying someone is a prime example. I can’t be made to pay someone else, but if I make that request 10 times, I’ll pay that specific person 10 times.

Is there no specific “per request” hashing?

What to do?
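
One way to get the per-request behaviour asked about above, as an added example (not part of the original question and not WordPress's own code): each token carries a random ID that the server stores and deletes on first use, and is HMAC-bound to the user, the action and the target ID. The names issue_token, consume_token, SECRET_KEY, TOKEN_TTL and the in-memory $store are assumptions for illustration.

```php
<?php
// Added example: single-use, action-bound tokens. Not WordPress core code.
// $store stands in for server-side storage (in WordPress this could be a
// transient or user meta); SECRET_KEY is a constructed placeholder.
const SECRET_KEY = 'constructed-demo-key-not-for-production';
const TOKEN_TTL  = 300; // seconds a token stays redeemable

$store = []; // token id => expiry timestamp (hypothetical in-memory store)

function issue_token(array &$store, int $userId, string $action, int $targetId): string
{
    $jti = bin2hex(random_bytes(16));        // unique per issued token
    $store[$jti] = time() + TOKEN_TTL;
    $mac = hash_hmac('sha256', "$jti|$userId|$action|$targetId", SECRET_KEY);
    return "$jti.$mac";
}

function consume_token(array &$store, string $token, int $userId, string $action, int $targetId): bool
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return false;                        // malformed token
    }
    [$jti, $mac] = $parts;
    $expected = hash_hmac('sha256', "$jti|$userId|$action|$targetId", SECRET_KEY);
    if (!hash_equals($expected, $mac)) {
        return false;                        // issued for another user, action or id
    }
    if (!isset($store[$jti])) {
        return false;                        // unknown or already redeemed
    }
    // Burn the token before performing the action. A shared store must do
    // this lookup-and-delete atomically so parallel requests cannot both win.
    $expiry = $store[$jti];
    unset($store[$jti]);
    return $expiry >= time();
}

// Constructed demo: user 7 is issued a token to pay user 20.
$token = issue_token($store, 7, 'pay-user', 20);
var_dump(consume_token($store, $token, 7, 'pay-user', 21)); // same token, different payee
var_dump(consume_token($store, $token, 7, 'pay-user', 20)); // first legitimate use
var_dump(consume_token($store, $token, 7, 'pay-user', 20)); // replay of the same request
```

Only the first legitimate use is accepted; the changed payee fails the HMAC check and the replay finds the token ID already deleted.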

Give me one good reason Trump shouldn’t be president?

Notice that the only thing close to a “good” reason given was the laundry list of “charges” lodged against Trump which were debunked during the impeachment inquiry! I’m guessing @Andre L didn’t know that.

Those who use COVID-19 deaths NEVER explain when he should or could have done differently! Everything else is personal unvalidated bias that is ignorant of the things he’s accomplished or guts he has shown since the beginning of his presidency (listed below)! Why do you think that is?

Conservative voters got fed up with politicians who forgot why they got elected when they went to Washington. They get caught up in the politics, the political minutia and lose the nerve to do what they feel is right. Many Conservative voters thought they saw something in Trump and thought he wouldn’t be prone to that. They turned out to be very right, more so than they ever thought. This is why support for Trump has done nothing but grow since 2016, even by those who are put off by his bloviating antics.

What Trump has done in the last 3 years is turn the economy around into the strongest economy the country has seen in the last 15 years at least. He has taken on tough problems other presidents kicked the can down the road on for decades. This includes illegal immigration. It includes trade issues with China on issues like American intellectual property, trade imbalances and too much dependency on them in areas of manufacturing, this now on full display due to COVID-19. He pushed through a major new US, Canadian, Mexican trade partnership (USMCA), eliminating a number of problems with the old one (NAFTA). He has taken a very visible stance with the pro-life movement.

Even though the economy, the stock market and American lives in general have taken a serious hit from the coronavirus, the economy is still fundamentally strong thanks to Trump’s work over the past 3 years (at least for a while longer). The market is starting to come back, although some stocks will be legitimately adversely affected for the near future due to supply chain and travel issues. This fundamental strength is what will help it recover. States are also slowly starting to let business reopen. This is unlike the crash of 2008, where the economy had systemic problems that needed fixing before it could recover.

Trump implemented restrictions on travel from China in January. Liberals called him “racist” for doing so. They were the ones who still hadn’t got a grasp of the danger presented by the Chinese coronavirus yet, not Trump. More travel restrictions from other regions as well as other actions were implemented soon after. Trump has been ahead of the game from the beginning.

cache – What do I do if my WordPress site is suddenly sanitizing portions of URLs it shouldn’t?

Nobody has touched wp-admin for this site in weeks. Suddenly, URLs are being sanitized in ways that break everything. The question marks of query parameters are being replaced with URL escape code %3F, which is obviously breaking nearly every script and stylesheet include that’s affected. The result is content like this:

<script type='text/javascript' src="https://wordpress.stackexchange.com/wp-content/plugins/woocommerce/assets/js/select2/select2.full.min.js%3Fver=4.0.3"></script>

<script type='text/javascript' src='wp-includes/js/wp-embed.min.js%3Fver=5.4.1'></script>

Some, but not all URLs in the document are affected. Scripts and some anchor elements are affected.

In addition to this URL madness, it seems like portions of the main site are being included in every single page – i.e., the homepage’s markup is being embedded within wp-admin pages, etc.

The effect is that the site can essentially not be used – large dynamic portions of pages, especially the main landing page, simply fail to load or appear malformed due to missing scripts and stylesheets.

I should add that it’s nearly impossible to navigate wp-admin given the absurd state that it’s in at the moment, so I can’t really find my way around to do regular diagnostics.

How do I even begin to fix something like this? If this wasn’t a moneymaking site with plenty of content I haven’t even touched (‘the last guy’ decided to install dozens of plugins whose purposes are difficult to decipher, are possibly redundant, and might break everything if removed) I would gladly just reinstall everything.

I have attempted:

  • Removing a “WP Fastest Cache” plugin which, according to some, ‘breaks everything’ as of this month. Edit: It looks like this plugin is parasitic. After deactivating it, clearing my local cache, etc., pages still contain a comment marking them as having been cached by it…

  • Visiting and re-saving permalink settings in wp-admin as suggested by a comment I found in a similar issue elsewhere.