Comment by mdaniel
8 days ago
https://portswigger.net/web-security/access-control/idor
It's not, by itself, deadly but it does lower the safeguards against ACL slip-ups, which could easily exfiltrate the entire customer base
8 days ago
https://portswigger.net/web-security/access-control/idor
It's not, by itself, deadly but it does lower the safeguards against ACL slip-ups, which could easily exfiltrate the entire customer base
What safeguards? Obfuscating your IDs by... replacing them with one-to-one mapped other IDs?
I believe one can readily agree that https://example.com/profiles/gooosle and https://example.com/profiles/mdaniel are not sequential and thus not subject to enumeration in any reasonable way. A concrete example of defense against this is: please link to the HN username of an account which has never posted
The other very common pattern is https://example.com/profiles/852c1a9a-29ae-4638-9d82-50e0d40... or its b36 encoding which are shitty for reading over the phone but otherwise definitely safe from enumeration
First of all exposing IDs and having non-enumerable IDs are completely different things.
Second, HN usernames are 100% enumerable. 'asdfgf' is an example of account which has never posted.