API design and security: Why hide internal ids?


Question

I've heard a few people say that you should never expose your internal ids to the outside world (for instance an auto_increment'ng primary key).

Some suggest having some sort of uuid column that you use instead for lookups.

I'm wondering really why this would be suggested and if it's truly important.

Using a uuid instead is basically just obfuscating the id. What's the point? The only thing I can think of is that auto_incrementing integers obviously point out the ordering of my db objects. Does it matter if an outside user knows that one thing was created before/after another?

Or is it purely that obfuscating the ids would prevent "guessing" at different operations on specific objects?

Is this even an issue I should be thinking about when designing an external-facing API?

Recommended answer

Any information that you provide a malicious user about your application and its layout can and will be used against your application. One of the problems we face in (web) application security is that seemingly innocuous design decisions taken at the infancy of a project become Achilles heels when the project scales larger. Letting an attacker make informed guesses about the ordering of entities can come back to haunt you in the following, somewhat unrelated ways:


  1. 实体的ID将不可避免地为在你的应用某些点参数传递。这将导致最终的黑客能够养活你的应用程序参数的一般他们不应该访问到。我个人已经能够看到,我没有业务观看,作为一个URL参数毫不逊色订单的详细信息(在一个非常受欢迎的零售商的网站)。我只是从我自己的合法秩序喂应用顺序编号。

  1. The ID of the entity will inevitably be passed as a parameter at some point in your application. This will result in hackers eventually being able to feed your application arguments they ordinarily should not have access to. I've personally been able to view order details (on a very popular retailer's site) that I had no business viewing, as a URL argument no less. I simply fed the app sequential numbers from my own legitimate order.

2. Knowing the limits or at least the progression of primary key field values is invaluable fodder for SQL injection attacks, the scope of which I can't cover here.

3. Key values are used not only in RDBMS systems, but in other key-value mapping systems. Imagine if the JSESSION_ID cookie order could be predetermined or guessed? Everybody with opposable thumbs will be replaying sessions in web apps.

4. And many more that I'm sure other people here will come up with.

SEAL team 6 doesn't necessarily mean there are 6 seal teams. Just keeps the enemy guessing. And the time spent guessing by a potential attacker is more money in your pocket any way you slice it.
