
I'm learning MongoDB (and mongoose) at the moment (on an express server). I have a database with an array of multiple objects. (Something like this):

{texts: [{s: "a"}, {s: "b"}, {s: "c"}]}

The objects have _id attributes. (59613f576db598107269eea7, 59613f576db598107269eea8, 59613f576db598107269eea9, 59613f576db598107269eeaa)

My plan is doing something like this (visible for the visitor):

<input id="59613f576db598107269eea7" value="a" />
<input id="59613f576db598107269eea8" value="b" />
<input id="59613f576db598107269eea9" value="c" />

What can the visitor of my page do if he knows those keys? Do they tell anything about the number of the objects in my database? Do they tell anything about the time when they were stored? ...

hardfork
  • Possible duplicate of [Is it ok to use Mongo's "Object ID" as its unique identifier? If so, how can I convert it to a string and look it up by string?](https://stackoverflow.com/questions/4176692/is-it-ok-to-use-mongos-object-id-as-its-unique-identifier-if-so-how-can-i-c) – Aubin Jul 09 '17 at 09:27
  • This is a Bad Idea TM. You leak the raw database id to an attacker - the attacker can then use that id to send bad requests. Unless you have very good validation on the server side, this will lead to **database injection** attacks. Use a synthetic id with business meaning. – Boris the Spider Jul 09 '17 at 09:28

1 Answer


The object id is a 12-byte internal id in a collection and exposes the following information:

  • 4 bytes representing the seconds since epoch
  • 3 byte machine identifier
  • 2 byte process id
  • 3 byte counter

This can be read in the MongoDB Manual.

This is a security risk as you are leaking this information to potential attackers on the internet.

It is better to design a primary key that gives actual meaning to the key fields as a commenter said.

In MongoDB it is possible, though not recommended, to define your own object id.

Ely
  • thanks. That makes sense. But how can I easily realize my plan? I have 3 inputs and I want to edit the CORRECT value in my texts-array when the input changes. I've used SQL so far and "auto increment" was the solution in SQL. Is "sha-1 hashing the ObjectID" useful in your opinion or setting a new primary key (textID with values 0,1,2,3,4...) – hardfork Jul 09 '17 at 10:02
  • If the 3 values are distinct then you could use the value as the key. Alternatively a counter is possible too. I suggest you ask a new question on SO if you need help with that. – Ely Jul 09 '17 at 10:53