
https://portswigger.net/web-security/access-control/idor

It's not, by itself, deadly, but it does lower the safeguards against ACL slip-ups, which could easily exfiltrate the entire customer base.




What safeguards? Obfuscating your IDs by... replacing them with one-to-one mapped other IDs?


I believe one can readily agree that https://example.com/profiles/gooosle and https://example.com/profiles/mdaniel are not sequential and thus not subject to enumeration in any reasonable way. A concrete example of defense against this is: please link to the HN username of an account which has never posted.

The other very common pattern is https://example.com/profiles/852c1a9a-29ae-4638-9d82-50e0d40... or its b36 encoding, which are shitty for reading over the phone but otherwise definitely safe from enumeration.


First of all exposing IDs and having non-enumerable IDs are completely different things.

Second, HN usernames are 100% enumerable. 'asdfgf' is an example of an account which has never posted.
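The distinction the last two comments are arguing over, random (non-enumerable) IDs versus an actual object-level authorization check, as an added Python example that is not from the thread or from the linked PortSwigger page. The user names, the in-memory profile store and the handler names are made up for illustration; the point is that the ownership check is what closes the IDOR, and the ID format only changes how hard blind enumeration is.

```python
"""Non-enumerable IDs are not an authorization check: added demo, not from the thread."""
import uuid

# Constructed sample data (not from the thread or the PortSwigger page).
# Two users, each owning one profile record, keyed by a sequential integer.
PROFILES_SEQ = {
    1: {"owner": "alice", "email": "alice@example.com"},
    2: {"owner": "bob", "email": "bob@example.com"},
}

# The same records keyed by random UUIDv4 strings (122 random bits each),
# which cannot be walked by incrementing a counter.
PROFILES_UUID = {str(uuid.uuid4()): rec for rec in PROFILES_SEQ.values()}


def get_profile_vulnerable(store, profile_id, requester):
    """IDOR pattern: anyone who can name an id gets the record.
    The requester is accepted but never compared with the record's owner."""
    return store.get(profile_id)


def get_profile_hardened(store, profile_id, requester):
    """Object-level authorization: the record must belong to the requester.
    Works identically whether ids are integers, usernames or UUIDs."""
    rec = store.get(profile_id)
    if rec is None or rec["owner"] != requester:
        # Same answer for 'no such record' and 'not yours', so the endpoint
        # does not become an oracle for which ids exist.
        return None
    return rec


def enumerate_profiles(store, handler, requester, id_space):
    """Attacker loop: try every id in id_space as `requester` and collect
    the records that belong to someone else."""
    leaked = {}
    for candidate in id_space:
        rec = handler(store, candidate, requester)
        if rec is not None and rec["owner"] != requester:
            leaked[candidate] = rec
    return leaked


def owner_id(store, owner):
    """Return the id of `owner`'s record. Stands in for an id the attacker
    obtained out of band (shared link, referrer log, support ticket)."""
    return next(k for k, v in store.items() if v["owner"] == owner)


if __name__ == "__main__":
    seq_space = range(1, 101)
    uuid_space = [str(uuid.uuid4()) for _ in range(1000)]

    # Sequential ids + no ownership check: alice walks the whole table.
    print("seq/vulnerable, guessing:",
          enumerate_profiles(PROFILES_SEQ, get_profile_vulnerable, "alice", seq_space))
    # UUID ids + no ownership check: blind guessing finds nothing ...
    print("uuid/vulnerable, guessing:",
          enumerate_profiles(PROFILES_UUID, get_profile_vulnerable, "alice", uuid_space))
    # ... but one leaked id still hands alice bob's record: the IDOR is intact.
    bob = owner_id(PROFILES_UUID, "bob")
    print("uuid/vulnerable, leaked id:", get_profile_vulnerable(PROFILES_UUID, bob, "alice"))
    # With the ownership check, neither id scheme leaks anything.
    print("uuid/hardened, leaked id:", get_profile_hardened(PROFILES_UUID, bob, "alice"))
    print("seq/hardened, guessing:",
          enumerate_profiles(PROFILES_SEQ, get_profile_hardened, "alice", seq_space))
```

Random IDs raise the cost of blind enumeration from "loop over integers" to "infeasible", which is a real mitigation for mass exfiltration. They do nothing once a single ID leaks, and IDs leak constantly (URLs in logs, emails, screenshots), so the hardened handler's owner comparison is the control that actually matters; the ID scheme is defense in depth on top of it.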



