
Project type: Asp MVC 2/NHibernate/C#

Problem

If you have an edit page in a web application you will come to the problem that you have to send and then receive the ID of the entity you're editing, the IDs of sub-entities, entities that can be selected by dropdown menus, ...

As it is possible to modify a form-post, an evil user could try to send back another ID which maybe would grant him more rights (if i.e. that ID was related to a security entity).

My approach

  1. Create a GUID and associate it with the ID
  2. Save the association in the http session
  3. Wait for the response and extract the real ID out of the received GUID.

Question:

What techniques do you use to obfuscate an entity-ID?

TheCloudlessSky
David Rettenbacher

2 Answers

If you're doing that much for GUIDs, why not just use GUIDs for the identity of the entity itself that's actually stored in the database (though I'd advise against it)?

Or you could have a server side encryption scheme that encrypts and then subsequently decrypts the id (this is along the same lines as what you're doing, except you're not storing anything random like this in the session (yuck :)).

You could even forget trying to do this at all since a lot of sites are "affected" by this issue, and it's obviously not a problem (StackOverflow for example). The overhead is just too much.

Also, if you're worried about security, why don't you have some sort of granular permissions set on the individual action/even entity level? This would solve some problems as well.

EDIT:

Another problem with your solution is inconsistent unique identifiers. If a user says "ID as23423he423fsda has 'invalid' data", how do you know which ID it belongs to if it's changing on every request (assuming you're going to change the id in the URL as well)? You'd be much better off with an encryption algorithm that always hashes to the same value; therefore, you can easily perform a lookup (if you need it) and also the user has consistent identifiers.

TheCloudlessSky
  • "Why not just use GUIDs for the identity of the entity itself that's actually stored in the database?" - I'm an Int 32 fan ;) Encrypting and decrypting was one thing I already thought about but then I want it to be "request unique". – David Rettenbacher Dec 20 '10 at 12:51
  • ... maybe encoding the ID somehow in connection with the current time and sending that time as a hidden field would achieve that... – David Rettenbacher Dec 20 '10 at 12:53
  • @Warappa - I'm an `int` fan myself too, just thought I'd put it out there. Remember, there's the potential that some poor schmuck is going to have to maintain this in the future and you'd like to make their life a lot easier as well. I've edited my post with some more information. – TheCloudlessSky Dec 20 '10 at 13:01
  • I will make a mix of ID encryption (where sensible) and doing some user rights verification on the action level. Thanks for your help! – David Rettenbacher Dec 20 '10 at 13:14

Your controllers should be immune to modified POST data. Before displaying or modifying records belonging to a user, you should always check whether the records in question belong to the authenticated user.

Petrus Theron
  • This is the way to go. Trying to encrypt your id field or use GUIDs won't make your web app safer if you don't check the user's authorization to edit the data. – ZippyV Dec 21 '10 at 08:38
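The ownership check this answer recommends, applied to the edit page from the question, as an added ASP.NET MVC 2 / NHibernate example written for this page (not code from any of the posters). It assumes a hypothetical `Document` entity with an `OwnerUserName` property and a custom controller factory that injects the NHibernate `ISession`.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using NHibernate;

// Hypothetical NHibernate entity: each document belongs to exactly one user account.
public class Document
{
    public virtual int Id { get; set; }
    public virtual string OwnerUserName { get; set; }
    public virtual string Title { get; set; }
}

[Authorize] // every action requires an authenticated user
public class DocumentController : Controller
{
    private readonly ISession _session;
    // Assumes a custom controller factory injects the NHibernate session.
    public DocumentController(ISession session) { _session = session; }

    // Returns the document only if it belongs to the current user. A record that exists
    // but belongs to someone else is treated exactly like a missing record, so a
    // tampered id learns nothing about other users' data.
    private Document LoadOwnedDocument(int id)
    {
        var doc = _session.Get<Document>(id);
        bool owned = doc != null && string.Equals(doc.OwnerUserName, User.Identity.Name,
                                                  StringComparison.OrdinalIgnoreCase);
        return owned ? doc : null;
    }

    public ActionResult Edit(int id)
    {
        var doc = LoadOwnedDocument(id);
        if (doc == null) throw new HttpException(404, "Not found");
        return View(doc);
    }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit(int id, FormCollection form)
    {
        // The id and fields in the POST are untrusted: re-check ownership on every request.
        var doc = LoadOwnedDocument(id);
        if (doc == null) throw new HttpException(404, "Not found");
        // Bind only the editable fields so the client cannot overwrite Id or OwnerUserName.
        if (!TryUpdateModel(doc, new[] { "Title" }, form)) return View(doc);
        using (var tx = _session.BeginTransaction()) { _session.Update(doc); tx.Commit(); }
        return RedirectToAction("Edit", new { id = doc.Id });
    }
}
```

Because the check runs against the authenticated identity on both the GET and the POST, a plain integer ID can stay in the form; no GUID mapping or encryption is needed for this to hold.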