David Rettenbacher

Reputation: 5120

Asp MVC 2: Obfuscate Entity-IDs

Project type: Asp MVC 2/NHibernate/C#

Problem

If you have an edit page in a web application, you will come to the problem that you have to send and then receive the ID of the entity you're editing, the IDs of sub-entities, entities that can be selected by dropdown menus, ...

As it is possible to modify a form post, an evil user could try to send back another ID which maybe would grant him more rights (e.g. if that ID was related to a security entity).

My approach

  1. Create a GUID and associate it with the ID
  2. Save the association in the http session
  3. Wait for the response and extract the real ID out of the received GUID.

Question:

What techniques do you use to obfuscate an entity-ID?

Upvotes: 0

Views: 201

Answers (2)

TheCloudlessSky

Reputation: 18353

If you're doing that much for GUIDs, why not just use GUIDs for the identity of the entity itself that's actually stored in the database (though I'd advise against it)?

Or you could have a server-side encryption scheme that encrypts and then subsequently decrypts the ID (this is along the same lines as what you're doing, except you're not storing anything random like this in the session (yuck :) )).

You could even forget trying to do this at all since a lot of sites are "affected" by this issue, and it's obviously not a problem (StackOverflow for example). The overhead is just too much.

Also, if you're worried about security, why don't you have some sort of granular permissions set on the individual action/even entity level. This would solve some problems as well.

EDIT:

Another problem with your solution is inconsistent unique identifiers. If a user says "ID as23423he423fsda has 'invalid' data", how do you know which ID it belongs to if it's changing on every request (assuming you're going to change the ID in the URL as well)? You'd be much better off with an encryption algorithm that always hashes to the same value; therefore, you can easily perform a lookup (if you need it) and also the user has consistent identifiers.

Upvotes: 2

Petrus Theron

Reputation: 28856

Your controllers should be immune to modified POST data. Before displaying or modifying records belonging to a user, you should always check whether the records in question belong to the authenticated user.

Upvotes: 1
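
The check described in the answer above, as an added example that is not part of the original answer: the ID from the form post is treated as untrusted, and the record is returned only if it belongs to the authenticated user. `Invoice`, `InvoiceService` and the in-memory sample data are hypothetical stand-ins for the NHibernate-backed entities; in a controller the user name would come from the server-side identity (for example `User.Identity.Name`), never from the form.

```csharp
using System;
using System.Collections.Generic;
using System.Security;

// Hypothetical entity: every record carries the name of the user who owns it.
public class Invoice
{
    public int Id;
    public string OwnerName;
    public decimal Amount;
}

public class InvoiceService
{
    // Constructed sample data standing in for the NHibernate-backed store.
    private readonly Dictionary<int, Invoice> store = new Dictionary<int, Invoice>
    {
        { 1, new Invoice { Id = 1, OwnerName = "alice", Amount = 10m } },
        { 2, new Invoice { Id = 2, OwnerName = "bob", Amount = 99m } },
    };

    // Load by the ID from the form post, then authorize against the
    // authenticated user. A missing record and a foreign record get the same
    // answer, so the response does not reveal which IDs exist.
    public Invoice GetForUser(int postedId, string authenticatedUser)
    {
        Invoice invoice;
        if (!store.TryGetValue(postedId, out invoice) ||
            !string.Equals(invoice.OwnerName, authenticatedUser, StringComparison.Ordinal))
        {
            throw new SecurityException("Record not found or access denied.");
        }
        return invoice;
    }

    // Every write path goes through the same ownership check as the read path.
    public void UpdateAmount(int postedId, string authenticatedUser, decimal amount)
    {
        GetForUser(postedId, authenticatedUser).Amount = amount;
    }
}

public static class Program
{
    public static void Main()
    {
        var service = new InvoiceService();
        service.UpdateAmount(1, "alice", 12m);          // own record: allowed
        try { service.UpdateAmount(2, "alice", 0m); }   // posted ID changed to bob's record
        catch (SecurityException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```

With this check in place, the posted ID can stay a plain database ID: changing it in the form only ever reaches records the authenticated user already owns.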
