
I am creating a web app using MongoDB as my DBMS.

I need a way to uniquely identify which object the user has pressed in a list on the screen and relate this back to a unique document in the database.

I have always been curious:

Is it a bad idea to output (say as a class name, id or name of an HTML element) the raw mongo _id value of my document?

It would give away the fact that I am possibly using MongoDB and give unnecessary intel to an attacker. Would this be a major issue?

I could just use a simple two-way encryption method like XOR, but is it really necessary?

For example, this would appear directly to the user, where they can clearly see the document id by examining the raw HTML.

<input type="hidden" name="elements[]" value="29b34f28b28c1832">
<input type="hidden" name="elements[]" value="54530d6e324f6f9a">
iamyojimbo
  • You might find this helpful, as it's exposing the Id even more directly: http://stackoverflow.com/questions/19029174/are-there-any-reasons-why-i-should-shouldnt-use-objectids-in-my-restful-urls/19031308#19031308 – WiredPrairie Nov 23 '13 at 12:47

1 Answer

Yes, these ids can suggest to an attacker that:

  • you are using MongoDB
  • at what time that document was created
  • and maybe some other things

But keep in mind that there can be some other things that use 12-byte hex as identifiers. Also, knowing just an id in any other way can compromise your security, and if the security of your application depends mostly on the premise that people would not be able to know what database you are using, then you would rather not post such questions on SO. (this link is just for fun)

Salvador Dali
  • haha, yes I was going to say that I suppose I have already compromised the identity of my DBMS by posting this question :-) – iamyojimbo Nov 23 '13 at 05:55
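The following is an added example, not code from the question or the answer above. It shows the two halves of the answer's point: first, what a raw MongoDB ObjectId gives away (the first four bytes are a creation timestamp, so the "at what time that document was created" leak is decodable with no tooling), and second, the mitigation a practitioner would actually use instead of XOR obfuscation: render a random surrogate `public_id` into the hidden inputs and, on every lookup, check that the resolved document belongs to the requesting user, so security never rests on the id being secret. The `Collection` class is a constructed in-memory stand-in for a MongoDB collection (it is not pymongo); the sample ObjectId and the owner/user names are constructed values.

```python
import html
import secrets
from datetime import datetime, timezone

# --- What a raw ObjectId gives away ----------------------------------------
# A MongoDB ObjectId is 12 bytes (24 hex chars): a 4-byte big-endian Unix
# timestamp, 5 bytes of per-process random value, and a 3-byte counter. The
# timestamp is the "when was this document created" leak from the answer.


def is_objectid(value: str) -> bool:
    """True if value is 24 hex characters, i.e. shaped like an ObjectId.

    Note that the values in the question (16 hex chars) are not full ObjectIds.
    """
    if len(value) != 24:
        return False
    try:
        bytes.fromhex(value)
    except ValueError:
        return False
    return True


def objectid_created_at(oid_hex: str) -> datetime:
    """Decode the creation time embedded in the first 4 bytes of an ObjectId."""
    if not is_objectid(oid_hex):
        raise ValueError("expected a 24-hex-character ObjectId")
    seconds = int(oid_hex[:8], 16)
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


# --- Mitigation: expose a random surrogate id, and authorise every lookup ---

class Collection:
    """Constructed in-memory stand-in for one MongoDB collection (not pymongo).

    In a real deployment 'public_id' is a field with a unique index that you
    query on; '_id' never leaves the server.
    """

    def __init__(self):
        self._docs = {}       # _id -> document
        self._by_public = {}  # public_id -> _id (plays the unique index)

    def insert(self, oid_hex: str, owner: str, **fields) -> str:
        public_id = secrets.token_urlsafe(16)  # 128 random bits, no structure
        doc = {"_id": oid_hex, "public_id": public_id, "owner": owner, **fields}
        self._docs[oid_hex] = doc
        self._by_public[public_id] = oid_hex
        return public_id

    def fetch_for(self, public_id: str, user: str):
        """Resolve a public id only if the document belongs to `user`.

        Hiding the id is not the access control; this check is. A missing
        document and someone else's document both return None, so the
        response does not reveal which case occurred.
        """
        oid = self._by_public.get(public_id)
        doc = self._docs.get(oid)
        if doc is None or doc["owner"] != user:
            return None
        return doc

    def hidden_inputs(self, user: str) -> str:
        """Render the user's list items in the form the question shows."""
        return "\n".join(
            f'<input type="hidden" name="elements[]" value="{html.escape(d["public_id"])}">'
            for d in self._docs.values() if d["owner"] == user
        )


if __name__ == "__main__":
    # Constructed sample ObjectId: 0x528e9e80 == 2013-11-22T00:00:00Z
    sample = "528e9e80a1b2c3d4e5f60001"
    print("created:", objectid_created_at(sample).isoformat())
    col = Collection()
    pid = col.insert(sample, owner="alice", title="first")
    print(col.hidden_inputs("alice"))
    print("bob gets:", col.fetch_for(pid, "bob"))
```

The surrogate id carries no timestamp, no counter and no hint of the DBMS, and because it is random rather than derived from `_id` (as an XOR or other reversible transform would be), there is no key whose loss turns the public value back into the database key. The ownership check in `fetch_for` is the part that actually matters: an id, however obscure, is a handle the user already holds, so each request must still be authorised.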