
I have come across a URL with a nonce and a hash in place; it is an account activation link sent via email. The example is as follows:

http://example.com/competition/?r=user/activateaccount&ldapemail=pstinee@inboxdesign.me&source=account_activation&nonce=57b7890ce159e3c0f17493712b2ef6acb6db7477660b2f05edff442bd3&action_url=/user/activateaccount/&return_url=http://google.com&page_url=/competition/activate/CP&DUCATI=403d530c54fd23f0ce5eb7c3e508b4a4dc362518f26b17c51d98a85b&hash=a35c09b2e89610453ec9ba0a3ad75d454b634bacfa402cf26a498477c31471707095c8f6652e1ad27f4099b59a7042d50044a388e6f0ee369b0f354854b1e5b9

I am wondering whether the activation link above exposes any risk?

WhiteWinterWolf
Traveller

1 Answer


As long as the domain name corresponds to the expected one and there is no blatant XSS included in the URL, the risk will most likely not depend on the URL itself but on how it is handled by the remote site.

The nonce and hash as requested in your question are common in registration email and, as long as they are properly generated, do not present any security risk.

WhiteWinterWolf

  • Thanks for your reminder and reply. Regarding the question above, if someone is eavesdropping on the internet and is able to capture the URL above, will the attacker be able to, for example, crack the password using the nonce and hash found? – Traveller Sep 08 '15 at 13:02
  • @TianneChu: Again, it depends how all this is implemented. On a sane implementation however, the nonce should be an unpredictable random number, with no link with your password, and the hash will be calculated using one or several parameters from the URL to prove that the URL has not been forged or modified (do not confuse this hash with the hash stored in the database to check your password: hashes are used for a lot of things apart from password verification!). – WhiteWinterWolf Sep 08 '15 at 13:08
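To make the "sane implementation" described in the answer and comments concrete, here is an added Python example (not code from the original post or from the site in the question). It generates the nonce from the OS CSPRNG, independent of any password, and computes the hash as an HMAC over a fixed set of URL parameters so that a modified link (for example a swapped `return_url`) fails verification. The server secret, the parameter set, the single-use nonce store and the `build_activation_url`/`verify_activation_url` names are all assumptions made for the example.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlencode, parse_qsl, urlsplit

# Hypothetical server-side secret. A real deployment loads this from
# configuration or a secret store; it is never sent to the user.
SERVER_SECRET = b"example-server-secret-do-not-use"

# Parameters covered by the signature (assumed set for this example).
# Anything not listed here can be changed without invalidating the hash.
SIGNED_PARAMS = ("r", "ldapemail", "nonce", "action_url", "return_url")

# Constructed in-memory store of nonces that have already been redeemed,
# so a captured link cannot be replayed after the legitimate activation.
_used_nonces: set[str] = set()


def generate_nonce() -> str:
    """Unpredictable nonce from the OS CSPRNG; unrelated to any password."""
    return secrets.token_hex(29)  # 58 hex chars, like the nonce in the question


def canonical(params: dict) -> bytes:
    """Deterministic serialization of the signed parameters, sorted by key."""
    items = [(k, params[k]) for k in sorted(SIGNED_PARAMS) if k in params]
    return urlencode(items).encode()


def sign(params: dict) -> str:
    """HMAC-SHA256 over the canonical form; only the server can compute it."""
    return hmac.new(SERVER_SECRET, canonical(params), hashlib.sha256).hexdigest()


def build_activation_url(base: str, email: str, return_url: str) -> str:
    """Build an activation link whose hash binds the listed parameters."""
    params = {
        "r": "user/activateaccount",
        "ldapemail": email,
        "nonce": generate_nonce(),
        "action_url": "/user/activateaccount/",
        "return_url": return_url,
    }
    params["hash"] = sign(params)
    return f"{base}?{urlencode(params)}"


def verify_activation_url(url: str) -> bool:
    """True only if the presented hash matches the HMAC over the signed params."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    presented = params.get("hash", "")
    expected = sign(params)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(presented, expected)


def redeem_activation_url(url: str) -> bool:
    """Verify the link and consume its nonce; a second use is rejected."""
    if not verify_activation_url(url):
        return False
    nonce = dict(parse_qsl(urlsplit(url).query)).get("nonce", "")
    if not nonce or nonce in _used_nonces:
        return False
    _used_nonces.add(nonce)
    return True


if __name__ == "__main__":
    link = build_activation_url(
        "http://example.com/competition/", "alice@example.org",
        "http://example.com/welcome",
    )
    print(link)
    print("valid:", verify_activation_url(link))
    tampered = link.replace("welcome", "phish")
    print("tampered valid:", verify_activation_url(tampered))
```

An eavesdropper who captures such a link learns the nonce and the hash, but neither is derived from the password, and without `SERVER_SECRET` they cannot produce a valid hash for any other parameter values. What they can do is use the captured link as-is, which is why the nonce is consumed on first use and why such links should travel over HTTPS.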