2
Considering a very basic example: suppose there is a web system in which the user can view his profile (and other users) through a unique identifier passed to a route, for example:
https://sistema.io/profiles/<identificador>
Then it was chosen to use the ID field of the entity that contains the data of that user persisted in my BD. So, assuming my system has a João user who had his identifier generated in the record as 100, your profile could be accessed through the following link:
https://sistema.io/profiles/100
My question is: is exposing this type of data (the ID, the table’s primary key) a serious security problem? Here I used the example of the URL, but it could be any example in which the Primary key be exposed to those who are using the application.
I’ve heard a lot that this is serious because of the relationships that the entity may have but I don’t understand how it would cause a security breach in my application without having a clear example.
I’ve seen examples like this, but the guys used one How the Global Unique Identifier (GUID)? instead of a sequential id.
– Marconi
I believe it is a security flaw, however, in the context of your app, that ID may have numerous meanings in your application. It all depends on how it is used. The stackoverflow itself exposes these Ids > https://answall.com/questions/357895
– Query
@Query And why do you think it’s a security breach?
– Woss
@Andersoncarloswoss Because if there is no method to check access or write permissions, an "advanced" user may be able to access all application users by increasing the ID.
– Query