Comment by mdaniel
https://portswigger.net/web-security/access-control/idor
It's not, by itself, deadly but it does lower the safeguards against ACL slip-ups, which could easily exfiltrate the entire customer base
I believe one can readily agree that https://example.com/profiles/gooosle and https://example.com/profiles/mdaniel are not sequential and thus not subject to enumeration in any reasonable way. A concrete example of defense against this is: please link to the HN username of an account which has never posted
The other very common pattern is https://example.com/profiles/852c1a9a-29ae-4638-9d82-50e0d40... or its b36 encoding which are shitty for reading over the phone but otherwise definitely safe from enumeration
What safeguards? Obfuscating your IDs by... replacing them with one-to-one mapped other IDs?
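An added example (not from either commenter) that ties the two comments above together: the base36 form of a UUID that the first comment mentions, next to a profile lookup that enforces the object-level check the reply asks about, so that a guessable id still yields nothing. Every name, row and id here is constructed for the demonstration.

```python
import string
import uuid

B36 = string.digits + string.ascii_lowercase  # 0-9a-z, same alphabet int(s, 36) accepts


def uuid_to_b36(u: uuid.UUID) -> str:
    """Base36-encode the 128-bit UUID integer (at most 25 chars vs 36 for hex)."""
    n, out = u.int, []
    while n:
        n, r = divmod(n, 36)
        out.append(B36[r])
    return "".join(reversed(out)) or "0"


def b36_to_uuid(s: str) -> uuid.UUID:
    """Inverse of uuid_to_b36."""
    return uuid.UUID(int=int(s, 36))


def b36_roundtrip(hex_uuid: str) -> bool:
    """True when encode/decode reproduces the UUID given as a hex string."""
    u = uuid.UUID(hex_uuid)
    return b36_to_uuid(uuid_to_b36(u)) == u


# Constructed sample store with sequential ids; each row records its owner and visibility.
PROFILES = {
    1: {"owner": "alice", "public": True, "email": "alice@example.com"},
    2: {"owner": "bob", "public": False, "email": "bob@example.com"},
    3: {"owner": "carol", "public": False, "email": "carol@example.com"},
}


def lookup_vulnerable(requester: str, profile_id: int):
    """IDOR: the id alone selects the row; the requester is never consulted."""
    return PROFILES.get(profile_id)


def lookup_checked(requester: str, profile_id: int):
    """Object-level authorization: knowing the id is not the same as being allowed."""
    row = PROFILES.get(profile_id)
    if row is None or not (row["public"] or row["owner"] == requester):
        return None  # identical response for missing and forbidden: no existence oracle
    return row


def rows_readable(lookup, requester: str) -> int:
    """How many rows a requester gets back by walking the small sequential id space."""
    return sum(1 for pid in range(1, 11) if lookup(requester, pid) is not None)
```

With the unchecked lookup, any logged-in user reads every row; with the checked one the id format no longer matters, which is the safeguard the reply is asking about, while the UUID form only makes the walk impractical.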