Story #30

open

Epic #29: Insecure Direct Object Reference (IDOR) Prevention

Remove Primary Keys from URLs

Added by rashmita rout about 2 months ago. Updated about 2 months ago.

Status:
New
Priority:
High
Assignee:
Target version:
-
Start date:
01/05/2026
Due date:
% Done:

0%

Estimated time:
Acceptance Criteria:

1. No DB primary keys in URLs

2. Session-based identifiers used

3. Applies across all application pages

DOR:
No
Story Points:
Work Type:
Feature
User Impact:
Technical Area:
Release Narrative:
Planned Sprint:
Completed In Sprint:
Spillover Reason:

Description

Avoid exposing private object references, such as primary keys or filenames, to users whenever possible.

As a system, I want to avoid exposing internal object identifiers in URLs to prevent enumeration attacks.

Exposing a primary key such as 123 directly in the URL tells anyone who sees or obtains that URL how records are identified in the database. An attacker can use this to enumerate records simply by incrementing or otherwise manipulating the key value, and to target specific user accounts or data. Replacing the key with an indirect, per-session reference removes the guessable value from the URL; following standard IDOR guidance, every request must still pass a server-side authorization check on the resolved object, because an unguessable reference on its own is not access control.
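The following is an added illustration of the indirect-reference approach this story asks for, written for this page; it is not Tingg code and does not reflect the actual backend. The user records, session store, URL shapes and function names are all constructed assumptions. It shows the vulnerable pattern (a DB primary key parsed straight from the URL) beside the hardened one (a per-session map from random opaque tokens to primary keys, plus an ownership check on the resolved record), and a small enumeration sweep run against both.

```python
import secrets

# Constructed sample data (assumption): internal records keyed by DB primary key.
USERS = {
    123: {"name": "alice", "email": "alice@example.com"},
    124: {"name": "bob", "email": "bob@example.com"},
}

# Constructed session store (assumption): session id -> authenticated user's pk.
SESSIONS = {"sess-alice": 123, "sess-bob": 124}


class IndirectReferenceMap:
    """Per-session map between opaque reference tokens and internal primary keys.

    A token issued in one session is meaningless in any other session, so a
    leaked or guessed token cannot be replayed by a different user.
    """

    def __init__(self):
        self._by_session = {}  # session_id -> {token: pk}

    def reference_for(self, session_id, pk):
        """Return the session's existing token for pk, or mint a new random one."""
        bucket = self._by_session.setdefault(session_id, {})
        for token, existing in bucket.items():
            if existing == pk:
                return token
        token = secrets.token_urlsafe(16)  # 128 bits of randomness, URL-safe
        bucket[token] = pk
        return token

    def resolve(self, session_id, token):
        """Map a token back to a pk, or None if unknown to this session."""
        return self._by_session.get(session_id, {}).get(token)


# --- Vulnerable pattern: the primary key is the URL parameter ----------------

def vulnerable_profile_url(pk):
    return f"/profile/{pk}"


def vulnerable_lookup(path):
    """Trusts the integer in the URL; any caller can walk /profile/1, /profile/2, ..."""
    pk = int(path.rsplit("/", 1)[1])
    return USERS.get(pk)


# --- Hardened pattern: opaque per-session reference + ownership check ---------

def hardened_profile_url(refmap, session_id, pk):
    return f"/profile/{refmap.reference_for(session_id, pk)}"


def hardened_lookup(refmap, session_id, path):
    token = path.rsplit("/", 1)[1]
    pk = refmap.resolve(session_id, token)
    if pk is None:
        # Unknown or foreign token: treat as not found, do not reveal whether
        # the underlying record exists.
        return None
    # Defence in depth: even a token that resolves must belong to the caller.
    # (Assumption: a profile is owned by the user whose pk it is.)
    if SESSIONS.get(session_id) != pk:
        return None
    return USERS[pk]


def count_enumerable(lookup, candidates):
    """Simulate an attacker sweeping candidate URL values; count records returned."""
    return sum(1 for c in candidates if lookup(f"/profile/{c}") is not None)


if __name__ == "__main__":
    refmap = IndirectReferenceMap()
    url = hardened_profile_url(refmap, "sess-alice", 123)
    print("hardened URL:", url)                      # no 123 in the URL
    print("owner sees:", hardened_lookup(refmap, "sess-alice", url))
    print("other session sees:", hardened_lookup(refmap, "sess-bob", url))
    print("vulnerable sweep hits:", count_enumerable(vulnerable_lookup, range(120, 130)))
    print("hardened sweep hits:",
          count_enumerable(lambda p: hardened_lookup(refmap, "sess-bob", p), range(120, 130)))
```

Two points the sweep makes concrete: against the vulnerable handler the attacker finds every record in the range, while against the hardened handler the integer guesses never resolve; and a token copied from Alice's session returns nothing in Bob's session even though it is a valid reference, which is what makes the mapping session-based rather than merely obfuscated.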

Actions #1

Updated by rashmita rout about 2 months ago

  • Assignee set to Tingg BE