
My question is about the use of GUIDs.

Consider this example:

http://www.example.com/item.aspx?itemid=1
http://www.example.com/item.aspx?itemid=2
http://www.example.com/item.aspx?itemid=3

Using this design it's easy for someone to use a scraper to iterate through all the int itemids and collect the data.

If we instead did this:

http://www.example.com/item.aspx?itemid=ab3f103a-a1cf-e311-9380-12d0d8a96a66
http://www.example.com/item.aspx?itemid=ab3f003a-a1cf-e311-9380-1240d8a96a66
http://www.example.com/item.aspx?itemid=ab3f003a-a1cf-e311-9380-12d0d8a56a66

Would that be any more secure from scrapers?

I guess the question is whether a GUID is sufficiently complex to make brute-force iteration not worth it?

Thanks

Ben Durkin
  • Depends on how you generate these GUIDs. They're long, so they *look* harder to predict, but some of the underlying algorithms are actually quite easy to trace -- if an attacker knows the MAC address of the machine and the time when a specific GUID was generated, he can try to predict the next generated GUIDs (if they were generated sequentially). – Frédéric Hamidi Mar 12 '15 at 10:22
  • See duplicate, do more research. _"GUIDs are guaranteed to be unique and that's about it. Not guaranteed to be random or difficult to guess."_ – CodeCaster Mar 12 '15 at 10:22
  • This looks like a good example of [Security by Obscurity](http://en.wikipedia.org/wiki/Security_through_obscurity) to me. What perceived security risk are you trying to mitigate? – Richard Ev Mar 12 '15 at 10:22
  • That hammer is not the best thing to use on that screw. If you want something that is hard to predict, use something that is designed to be hard to predict, like a secure hash. (One possible thing to hash would be the id concatenated with a secret, then if redoing that doesn't produce the same hash, it's not a URI you should consider as matching anything, so you 404). – Jon Hanna Mar 12 '15 at 10:26
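The two points raised in the comments, that a version-1 GUID is built from the host's MAC address and a timestamp and is therefore enumerable, and that a keyed hash of the id gives a reference an attacker cannot fabricate, can both be shown concretely. The following Python is an added example and is not code from the original question or from any of the commenters; `SECRET_KEY` is a placeholder assumption standing in for a key loaded from a secret store, and the sample timestamp, MAC and item ids are constructed.

```python
import hashlib
import hmac
import uuid
from typing import Optional

# --- Part 1: why a version-1 GUID is guessable ---------------------------
# RFC 4122 v1 layout: 60-bit timestamp (100 ns ticks since 1582-10-15),
# 14-bit clock sequence, 48-bit node (normally the MAC address). An attacker
# who sees one such GUID learns the node and clock sequence; only the time
# field differs between consecutive ids from the same host.

def v1_fields(u: uuid.UUID) -> tuple[int, int, int]:
    """Return (timestamp, clock_seq, node) of a version-1 UUID."""
    if u.version != 1:
        raise ValueError("not a version-1 UUID")
    return u.time, u.clock_seq, u.node

def v1_from_fields(timestamp: int, clock_seq: int, node: int) -> uuid.UUID:
    """Rebuild a version-1 UUID from its components (inverse of v1_fields)."""
    time_low = timestamp & 0xFFFFFFFF
    time_mid = (timestamp >> 32) & 0xFFFF
    time_hi_version = ((timestamp >> 48) & 0x0FFF) | (1 << 12)   # version 1
    clock_seq_hi_variant = 0x80 | ((clock_seq >> 8) & 0x3F)      # RFC 4122 variant
    clock_seq_low = clock_seq & 0xFF
    return uuid.UUID(fields=(time_low, time_mid, time_hi_version,
                             clock_seq_hi_variant, clock_seq_low, node))

def v1_candidates(observed: uuid.UUID, window_ticks: int) -> list[uuid.UUID]:
    """Enumerate every UUID the same host could have issued in the next
    `window_ticks` 100 ns intervals (same MAC, same clock sequence). This is
    the whole search space a scraper has to try, not 2**128."""
    ts, seq, node = v1_fields(observed)
    return [v1_from_fields(ts + i, seq, node) for i in range(1, window_ticks + 1)]

# --- Part 2: an unguessable, verifiable item reference -------------------
# This implements the comment's suggestion of hashing the id together with a
# secret and answering 404 when the recomputed value does not match. HMAC is
# used rather than a bare hash of id+secret so the secret cannot be attacked
# via length extension and a single observed URL gives no offline foothold.

SECRET_KEY = b"placeholder-load-32-random-bytes-from-your-secret-store"  # assumption

def make_item_ref(item_id: int, key: bytes = SECRET_KEY) -> str:
    """Build the opaque reference '<id>.<tag>' to put in ?itemid=... ."""
    tag = hmac.new(key, str(item_id).encode(), hashlib.sha256).hexdigest()
    return f"{item_id}.{tag}"

def resolve_item_ref(ref: str, key: bytes = SECRET_KEY) -> Optional[int]:
    """Return the item id if the tag verifies, else None (caller sends 404).
    Iterating ids is now useless: each guess also needs a matching 256-bit tag."""
    item_id_str, sep, tag = ref.partition(".")
    # Require the canonical decimal form so '042' cannot alias '42'.
    if not sep or not item_id_str.isdigit() or str(int(item_id_str)) != item_id_str:
        return None
    expected = hmac.new(key, item_id_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return int(item_id_str)

if __name__ == "__main__":
    # Constructed sample: a v1 GUID for 2015-03-12 from a host with a fixed MAC.
    seen = v1_from_fields(136_454_112_000_000_000, 0x1234, 0x0242AC110002)
    print("observed:", seen)
    for cand in v1_candidates(seen, 3):
        print("next candidate:", cand)
    ref = make_item_ref(42)
    print("reference:", ref)
    print("resolves to:", resolve_item_ref(ref))
    print("tampered id:", resolve_item_ref("43." + ref.split(".")[1]))
```

The HMAC form needs no extra column in the database, since the tag is recomputed on every request; a random version-4 GUID stored as the row's key gives the same unguessability (122 random bits) at the cost of storing it. Either way the URL is only a secret link, not an authorization check: anyone who obtains the link can still read the item, so if some users must not see some items, the page still needs a real access control decision.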

0 Answers