
Good day everyone.

I would just like to run this scenario past you to ensure that I don't have any gaping holes in my approach.

What I want to achieve.

1. Send a mail to a client with a URL + parameter that can uniquely identify the client when he clicks on the URL, and the parameter gets sent to my Express server.

2. My Express app receives the parameter and decodes it to retrieve the parameter from the encoded string so that I can do a lookup of the customer.

My approach

1. When sending the mail I generate a base64 encoded string that uses the customer_id + '~' + customer_name as the URL parameter on the mail I send out.

I also URL encode the string.

2. When the user clicks the URL and the request gets to my Express server, I decode the string to retrieve the customer details (customer_id and customer_name), then do a lookup for the customer.

The information I'm displaying is semi-sensitive, so I don't want anybody tampering with the URL to see another client's information.

Is my approach correct?

Thank you guys!

mscdex
vanzylv

2 Answers

2

This is not that secure. Since you mentioned you are concatenating customer ID + name and just converting to base64, a knowledgeable user could simply decode it and then try variations to "potentially" access other users' records.

As a general rule of thumb, do not pass any customer info as a link parameter if it's sensitive. Instead, create a UUID and store it against the customer record. I personally even set a TTL on this UUID. It's a bit harder to guess and a bit more secure. Then pass that as the link's parameter, which could be used for lookup and further processing.

Hope this helps!

user3658423
  • Ok great, I see. I use a mongo db and it has an object _id for each field, made up of a 4-byte value representing the seconds since the Unix epoch, a 3-byte machine identifier, a 2-byte process id, and a 3-byte counter, starting with a random value. That should work right? – vanzylv Dec 13 '15 at 07:24
  • Yes, I use mongodb as well. Mongo's object ID is what I use. – user3658423 Dec 13 '15 at 08:11
1

While the original approach is not secure, using MongoDB's IDs is not secure either. See this related question.

Unfortunately, MongoDB IDs are guessable, as they were not designed to be used as a source of entropy.

But it really depends on the value of what you are protecting with these URLs, and how much you are willing to compromise security for the sake of convenience. MongoDB IDs are certainly better than the original approach, and may be secure enough for you to be willing to accept the risk.

But if I saw that in your application while performing a security audit, I would mark it as a weakness and recommend that you use a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG) such as /dev/urandom.

Community