 

Mongo ObjectIDs: Safe to use in the wild?

Tags:

mongodb

I'm designing an API that interacts with MongoDB.

Now the question is whether it is safe to use the raw ObjectID to query for objects etc. Could any security issues arise from using the OIDs directly (e.g. in queries), or should I encrypt/decrypt them before they leave my server environment?

Era asked Feb 26 '12 11:02




1 Answer

Look at BSON Object ID specification here and you will know if it is safe for you to use.

If you are trying to protect against users sending different URLs from scripts (fuskators), then it seems to me it has weak security. There won't be too many 'machine', 'pid' part combinations. The 'time' part can be calculated if an attacker has an idea of how the data was inserted (especially if using batch). 'inc' - very weak.

I won't trust ObjectIDs as the only security.

Please note there can't be a right answer to the question "is it safe" in general. You must decide yourself.

PS. But keep in mind that such URL-based security will fall to dust when users share URLs they visited. Even your best encryption won't help.

Remigijus Pankevičius answered Sep 30 '22 04:09
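To make the answer's point concrete, here is an added example (not code from the question, the answer, or MongoDB itself) that decodes an ObjectID into the four fields of the BSON spec layout the answer refers to (4-byte timestamp, 3-byte machine id, 2-byte pid, 3-byte counter), shows how few guesses it takes to enumerate the neighbours of one leaked ID from a batch insert, and ends with the ownership check that should be relied on instead. The sample ObjectIDs, the `SAMPLE_BATCH` list and the `SAMPLE_STORE` dictionary are constructed for this example; `decode_oid`, `encode_oid`, `neighbour_candidates` and `fetch_for_user` are names chosen here, not driver APIs.

```python
"""Added example: what an attacker learns from one leaked MongoDB ObjectID.

Assumes the 12-byte layout of the original BSON ObjectID spec:
  4 bytes timestamp | 3 bytes machine id | 2 bytes pid | 3 bytes counter
Standard library only; all sample IDs below are constructed, not real.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ObjectIdParts:
    timestamp: int  # seconds since the Unix epoch (big-endian uint32)
    machine: int    # 3-byte machine identifier
    pid: int        # 2-byte process id
    counter: int    # 3-byte counter, incremented for every ID one process makes


def decode_oid(hex_oid: str) -> ObjectIdParts:
    """Split a 24-hex-character ObjectID into its four fields."""
    raw = bytes.fromhex(hex_oid)
    if len(raw) != 12:
        raise ValueError("ObjectID must be exactly 12 bytes")
    (ts,) = struct.unpack(">I", raw[0:4])
    machine = int.from_bytes(raw[4:7], "big")
    (pid,) = struct.unpack(">H", raw[7:9])
    counter = int.from_bytes(raw[9:12], "big")
    return ObjectIdParts(ts, machine, pid, counter)


def encode_oid(parts: ObjectIdParts) -> str:
    """Inverse of decode_oid: pack the four fields back into 24 hex characters."""
    raw = (
        struct.pack(">I", parts.timestamp)
        + parts.machine.to_bytes(3, "big")
        + struct.pack(">H", parts.pid)
        + parts.counter.to_bytes(3, "big")
    )
    return raw.hex()


def neighbour_candidates(hex_oid: str, counter_window: int, time_window: int) -> list[str]:
    """IDs a fuskator-style script would try after seeing one ID.

    Machine id and pid are copied verbatim from the leaked ID (no guessing
    needed); only the counter and timestamp are varied within small windows.
    """
    p = decode_oid(hex_oid)
    out = []
    for dt in range(-time_window, time_window + 1):
        for dc in range(-counter_window, counter_window + 1):
            if dt == 0 and dc == 0:
                continue  # that is the ID we already have
            t = (p.timestamp + dt) % (1 << 32)
            c = (p.counter + dc) % (1 << 24)
            out.append(encode_oid(ObjectIdParts(t, p.machine, p.pid, c)))
    return out


# Constructed sample: six documents inserted in one batch by one process.
# Same second, same machine, same pid, counter 0x100..0x105.
SAMPLE_BATCH = [
    encode_oid(ObjectIdParts(1330254120, 0xABCDEF, 0x1234, 0x100 + i)) for i in range(6)
]

# Constructed sample store standing in for a collection: _id -> document.
SAMPLE_STORE = {
    SAMPLE_BATCH[0]: {"owner": "alice", "body": "alice's first doc"},
    SAMPLE_BATCH[1]: {"owner": "alice", "body": "alice's second doc"},
    SAMPLE_BATCH[2]: {"owner": "bob", "body": "bob's doc"},
}


def fetch_for_user(store: dict, hex_oid: str, user: str) -> Optional[dict]:
    """The check that actually matters: knowing (or guessing, or being sent)
    an ID must not grant access by itself. Missing and not-owned get the same
    answer so the endpoint is not an enumeration oracle either."""
    doc = store.get(hex_oid)
    if doc is None or doc["owner"] != user:
        return None
    return doc


if __name__ == "__main__":
    leaked = SAMPLE_BATCH[2]
    print("leaked:", leaked, decode_oid(leaked))
    guesses = neighbour_candidates(leaked, counter_window=3, time_window=0)
    hits = [g for g in guesses if g in SAMPLE_STORE]
    print(f"{len(guesses)} guesses, {len(hits)} hit real documents")
    print("bob fetching alice's doc:", fetch_for_user(SAMPLE_STORE, SAMPLE_BATCH[0], "bob"))
```

Running it shows that with the leaked ID's machine and pid copied verbatim and a counter window of 3, six guesses are enough to land on every other document from the same batch, which is the answer's "'inc' - very weak" in practice. Newer MongoDB drivers replaced the machine and pid bytes with a 5-byte per-process random value, which removes that particular shortcut, but the leading timestamp and trailing counter keep the same structure, so the conclusion stands: treat the ID as a lookup key, not as a capability, and enforce ownership on every fetch as `fetch_for_user` does.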