Is nonce useless when user input is reflected within an inline script?

I stumbled upon a web app which is accepting user input and putting it into a variable within script tag.

The script tag does have a nonce attribute.

enter image description here

As am working on bypassing the XSS filter, I had this thought that this practice of reflecting user input within an inline script with nonce attribute renders nonce useless.

Is my understand correct or am I missing something here ?

Go to Source
Author: Rahul

How do I mitigate replay attacks when talking about actions that shouldn’t happen twice?

A nonce is supposed to first help me against CSRF and help against replay attacks is just a bonus if I “personalize” the nonce to something like pay-user-{id}, but here’s the problem – if my link looked like /wordpress/admin_ajax.php?action=pay-user&id=20&security=ej3548 I have 2 cases to take care of:

  1. I created a nonce without the specific user ID, pay-user – if an attacker obtains the nonce, he can make me click that link and pay any user.
  2. I created a nonce with the specific user ID, pay-user-{id} – if an attacker obtains the nonce, he can only make me replay that request, since the nonce was made to verify that specific (to {id}) action.

But that’s still an issue in a lot of cases, paying someone is a prime example. I can’t be made to pay someone else, but if I make that request 10 times, I’ll pay that specific person 10 times.

Is there no specific “per request” hashing?

What to do?

Go to Source
Author: Daniel Simmons