WebApp Sec mailing list archives
Insecure Ids - Need explanation
From: susam_pal () yahoo co in
Date: 17 Apr 2006 16:18:31 -0000
This is an extract from OWASP. Insecure Ids Most web sites use some form of id, key, or index as a way to reference users, roles, content, objects, or functions. If an attacker can guess these ids, and the supplied values are not validated to ensure the are authorized for the current user, the attacker can exercise the access control scheme freely to see what they can access. Web applications should not rely on the secrecy of any ids for protection. ================================================= Can anyone please elaborate this part, "If an attacker can guess these ids, and the supplied values are not validated to ensure the are authorized for the current user, the attacker can exercise the access control scheme freely to see what they can access." I have never used such ids, indexes or keys when I developed authentication systems to reference users or roles. What kind of ids or keys are we talking about? How can an attacker use a guessed id? ------------------------------------------------------------------------- This List Sponsored by: SPI Dynamics ALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl --------------------------------------------------------------------------
Current thread:
- Insecure Ids - Need explanation susam_pal (Apr 17)
- RE: Insecure Ids - Need explanation Patrick (Apr 17)
- Re: Insecure Ids - Need explanation Andrew van der Stock (Apr 17)
- Re: Insecure Ids - Need explanation Reid Nichol (Apr 17)
- RE: Insecure Ids - Need explanation Rod Divilbiss (Apr 17)
- RE: Insecure Ids - Need explanation M. Burnett (Apr 17)
- Re: Insecure Ids - Need explanation Andrew van der Stock (Apr 17)
- RE: Insecure Ids - Need explanation Patrick (Apr 17)