Bill Moseley wrote:
What you are proposing is if item 7 is instead encoded as
84bc3da1b3e33a18e8d5e1bdd7a18d7a then they are less likely to try
other numbers because of, ... why?  Because it's too daunting of a task?
It's a big scary md5 instead of a primary key?
Well, in a way. Because the space they need to search to find the "next" item in an md5 or similar scheme is many orders of magnitude larger than in a system where the numbers are consecutive (i.e. o(1)).
Of course, what you want is a method that requires checking that the
user can access the item.  Something like:

    $item = $user->get_user_item( $id );
The problem comes when you have an intersection between public data, and not yet public data. A real-world example that comes to mind was the CMS of a cineplex. They uploaded promotional material for forthcoming movies. Part of the CMS was the image store which was directly accessible to Apache, so it could serve the pictures with maximum efficiency. The CMS implemented before I was on the project used consecutive numbers for the pictures, and they saw from their logs (and posts on adolescent-frequented forums) that visitors would try to get higher numbers, in order to see which movies were coming, so they could post first in the forums and brag about their knowledge. This was a problem because they were contractually obligated not to hint about coming movies until the appropriate information release date.

Simply assigning the pictures random names in a very large (I think it was 64 character) string space completely stopped those attempts, with minimal code changes. Separating the image storage into an "open" image storage and a "closed" image storage would have meant bigger code changes.

The same thing could happen when you have an on-line shop where items are potentially visible when they are entered into the shop system, but not yet listed in the indices. You very probably don't want those items visible, and while checking at every step if the item is valid is a laudable practice, which should be followed, giving your items randomized identifiers can still significantly reduce your attack surface, for very little cost.

I'm not saying it's a panacea, or that it should be practiced to the exclusion of other methods, but it is IMHO, a viable part of any defense in depth.
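The scheme described in this message, as a Python sketch added here (not code from the post, nor from Catalyst): images get unpredictable 64-character names, the release-date check still runs on every fetch, and `hit_probability` shows why guessing the "next" item stops working. The alphabet, the identifier length and the store layout are assumptions.

```python
import secrets
import string
from datetime import date

# Constructed example: a minimal image store in the spirit of the cineplex CMS
# described above. Identifiers are drawn from a 62-symbol alphabet at length 64
# (assumed; the post only says "about 64 characters"), and every fetch still
# checks the release date, so the random name is a second layer, not the only one.
ALPHABET = string.ascii_letters + string.digits
ID_LENGTH = 64


def random_image_id() -> str:
    # secrets, not random: the requirement is unpredictability, not statistical spread.
    return "".join(secrets.choice(ALPHABET) for _ in range(ID_LENGTH))


class ImageStore:
    def __init__(self, today: date):
        self.today = today
        self._images = {}  # image id -> (bytes, release date)

    def add(self, data: bytes, release_date: date) -> str:
        image_id = random_image_id()
        self._images[image_id] = (data, release_date)
        return image_id

    def fetch(self, image_id: str):
        """Return the image bytes, or None if unknown or still embargoed."""
        entry = self._images.get(image_id)
        if entry is None:
            return None
        data, release_date = entry
        if self.today < release_date:
            return None  # the explicit check the post says should always be done
        return data


def hit_probability(n_live_items: int) -> float:
    """Chance that one guessed identifier names a real item.

    With consecutive integer ids the neighbour of a known id is a hit with
    probability close to 1; here it is n / 62**64.
    """
    return n_live_items / len(ALPHABET) ** ID_LENGTH
```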

_______________________________________________
List: [email protected]
Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/