user187676


Mongo ObjectIDs: Safe to use in the wild?

I'm designing an API that interacts with MongoDB.

Now the question is whether it is safe to use the raw ObjectID to query for objects etc. Could any security issues arise when using the OIDs directly (e.g. in queries), or should I encrypt/decrypt them before they leave my server environment?

Upvotes: 9

Views: 2950

Answers (2)

Remigijus Pankevičius

Reputation: 1132

Look at the BSON Object ID specification here and you will know whether it is safe for you to use.

If you are trying to protect against users sending different URLs from scripts (fuskators), then it seems to me it has weak security. There won't be too many 'machine' and 'pid' part combinations. The 'time' part can be calculated if the attacker has an idea of how the data was inserted (especially if using a batch). 'inc' - very weak.

I wouldn't trust ObjectIDs as the only security.

Please note there can't be a right answer to the question "is it safe" in general. You must decide yourself.

PS. But keep in mind that such URL-based security will fall to dust when users share the URLs they visited. Even your best encryption won't help.

Upvotes: 10

evotopid

Reputation: 5429

I think it isn't much safer if you don't share the object IDs, because a possible attacker who knew of a security issue could also use a brute-force attack or something else to get the object IDs.

This question may also help you.

Upvotes: 1
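As an added example (not code from the question or from either answer), the script below makes the two answers concrete: it splits an ObjectId into the 'time', 'machine', 'pid' and 'inc' fields the first answer lists, enumerates the neighbouring ids a fuskator script or brute-force attempt would try after seeing just one, and then shows the per-request ownership check that has to stand in for the security the ids themselves cannot provide. The field layout is the classic 4/3/2/3-byte one from the BSON spec the first answer points to; the ids, documents and the `fetch_for_user` function are constructed for illustration and are not part of any driver.

```python
import struct
from typing import Dict, List, Optional

# Layout of a classic MongoDB ObjectId (the BSON spec the first answer refers to):
#   4 bytes  seconds since the Unix epoch
#   3 bytes  machine identifier
#   2 bytes  process id
#   3 bytes  counter, incremented for every id this process generates
# Newer drivers replace machine+pid with a 5-byte random value chosen once per
# process, but the counter is still sequential and the time is still guessable,
# so the enumeration below works much the same against them.


def decode_objectid(hex_id: str) -> Dict[str, object]:
    """Split a 24-hex-character ObjectId into its four fields."""
    if len(hex_id) != 24:
        raise ValueError("ObjectId must be 24 hex characters")
    raw = bytes.fromhex(hex_id)
    return {
        "time": struct.unpack(">I", raw[0:4])[0],
        "machine": raw[4:7].hex(),
        "pid": struct.unpack(">H", raw[7:9])[0],
        "inc": int.from_bytes(raw[9:12], "big"),
    }


def encode_objectid(time: int, machine: str, pid: int, inc: int) -> str:
    """Inverse of decode_objectid; the counter wraps at 24 bits as in the spec."""
    return (
        struct.pack(">I", time & 0xFFFFFFFF)
        + bytes.fromhex(machine)
        + struct.pack(">H", pid & 0xFFFF)
        + (inc & 0xFFFFFF).to_bytes(3, "big")
    ).hex()


def guess_neighbours(hex_id: str, inc_span: int = 3, time_span: int = 0) -> List[str]:
    """Candidate ids a script would try after observing a single id.

    Only the counter and, optionally, the timestamp are varied: 'machine' and
    'pid' are fixed for the process that produced the observed id, which is
    exactly why the first answer calls those fields weak.
    """
    f = decode_objectid(hex_id)
    candidates = []
    for dt in range(-time_span, time_span + 1):
        for di in range(-inc_span, inc_span + 1):
            if dt == 0 and di == 0:
                continue
            candidates.append(
                encode_objectid(f["time"] + dt, f["machine"], f["pid"], f["inc"] + di)
            )
    return candidates


# Constructed sample: three documents inserted back to back by one process
# (hypothetical ids derived from the commonly quoted 507f1f77bcf86cd799439011).
BATCH = {
    "507f1f77bcf86cd799439011": {"owner": "alice", "body": "alice's first order"},
    "507f1f77bcf86cd799439012": {"owner": "bob", "body": "bob's order"},
    "507f1f77bcf86cd799439013": {"owner": "alice", "body": "alice's second order"},
}


def enumerate_batch(seen_id: str, store: dict) -> List[str]:
    """How many other documents does guessing around one observed id hit?"""
    return [c for c in guess_neighbours(seen_id) if c in store]


def fetch_for_user(store: dict, user: str, hex_id: str) -> Optional[dict]:
    """Hypothetical authorization-aware lookup.

    The id only selects the document; the caller's identity decides whether it
    may be returned. Unknown and foreign ids look identical to the caller (None),
    so guessing ids yields nothing. With pymongo the equivalent query would be
    collection.find_one({"_id": ObjectId(hex_id), "owner": user}).
    """
    doc = store.get(hex_id)
    if doc is None or doc["owner"] != user:
        return None
    return doc


if __name__ == "__main__":
    seen = "507f1f77bcf86cd799439012"
    print("fields:", decode_objectid(seen))
    print("other documents reachable by guessing:", enumerate_batch(seen, BATCH))
    print("bob reading alice's order:", fetch_for_user(BATCH, "bob", "507f1f77bcf86cd799439011"))
```

Running the script shows that one leaked id from a batch gives away its siblings with a handful of guesses, and that the only thing stopping the guesser from reading them is the ownership check in the query, not anything about the id itself.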
