Enhance Security and Reduce Scraping Risks by Refactoring Object Identifiers Enhance Security and Reduce Scraping Risks by Refactoring Object Identifiers TL;DR: Replace sequential IDs in your models with UUIDs to prevent IDOR vulnerabilities and discourage scraping. TL;DR: Replace sequential IDs in your models with UUIDs to prevent IDOR vulnerabilities and discourage scraping. Problems Addressed 😔 IDOR Vulnerability
Predictable URLs
Data and Screen Scraping Risk
Tight Coupling to accidental Database Identifiers
Exposure of Internal Structure IDOR Vulnerability IDOR Vulnerability Predictable URLs Data and Screen Scraping Risk Screen Scraping Tight Coupling to accidental Database Identifiers Exposure of Internal Structure Related Code Smells 💨 https://hackernoon.com/how-to-find-the-stinky-parts-of-your-code-part-xxiv https://hackernoon.com/how-to-find-the-stinky-parts-of-your-code-part-xxiv https://hackernoon.com/how-to-find-the-stinky-parts-of-your-code-part-xxxii https://hackernoon.com/how-to-find-the-stinky-parts-of-your-code-part-xxxii https://hackernoon.com/how-to-find-the-stinky-parts-of-your-code-part-i-xqz3evd https://hackernoon.com/how-to-find-the-stinky-parts-of-your-code-part-i-xqz3evd https://hackernoon.com/how-to-find-the-stinky-parts-of-your-code-part-xxix https://hackernoon.com/how-to-find-the-stinky-parts-of-your-code-part-xxix Steps 👣 Identify all public uses of sequential IDs in APIs, URLs, or UI elements
Generate UUIDs for each record during data migration or creation
Replace exposed sequential IDs with UUIDs in external-facing interfaces
Map UUIDs internally to the original IDs using a private lookup table or service
Ensure UUIDs are used consistently across services and databases Identify all public uses of sequential IDs in APIs, URLs, or UI elements Generate UUIDs for each record during data migration or creation Replace exposed sequential IDs with UUIDs in external-facing interfaces Map UUIDs internally to the original IDs using a private lookup table or service Ensure UUIDs are used consistently across services and databases Sample Code 💻 Before 🚨 <?php

class Invoice {
    public int $id;
    // The external identifier is never an essential
    // responsibilty for an object
  
    public string $customerName;
    public array $items;

    public function __construct(
      int $id, string $customerName, array $items) {
        $this->id = $id;
        $this->customerName = $customerName;
        $this->items = $items;
    }
} <?php

class Invoice {
    public int $id;
    // The external identifier is never an essential
    // responsibilty for an object
  
    public string $customerName;
    public array $items;

    public function __construct(
      int $id, string $customerName, array $items) {
        $this->id = $id;
        $this->customerName = $customerName;
        $this->items = $items;
    }
} After 👉 <?php

class Invoice {
    // 1. Identify all public uses of sequential IDs
    // in APIs, URLs, or UI elements   
   
    private string $customerName;
    private array $items;

    public function __construct(
      string $customerName, array $items) {
        $this->customerName = $customerName;
        $this->items = $items;
    }
}

// 2. Generate UUIDs
// for each record during data migration or creation    
// 3. Replace exposed sequential IDs 
// with UUIDs in external-facing interfaces    

// 4. Map UUIDs internally to the original IDs 
// using a private lookup table or service    
$uuid = generate_uuid();

// 5. Ensure UUIDs are used 
// consistently across services and databases
$invoices[$uuid] =new Invoice(
    customerName: 'Roger Penrose',
    items: [
        new InvoiceItem(description: 'Laptop', price: 1200),
        new InvoiceItem(description: 'Black Hole', price: 50)
    ]
);

// Step 4: Keep the map internal
// Step 5: Share only UUID with the client <?php

class Invoice {
    // 1. Identify all public uses of sequential IDs
    // in APIs, URLs, or UI elements   
   
    private string $customerName;
    private array $items;

    public function __construct(
      string $customerName, array $items) {
        $this->customerName = $customerName;
        $this->items = $items;
    }
}

// 2. Generate UUIDs
// for each record during data migration or creation    
// 3. Replace exposed sequential IDs 
// with UUIDs in external-facing interfaces    

// 4. Map UUIDs internally to the original IDs 
// using a private lookup table or service    
$uuid = generate_uuid();

// 5. Ensure UUIDs are used 
// consistently across services and databases
$invoices[$uuid] =new Invoice(
    customerName: 'Roger Penrose',
    items: [
        new InvoiceItem(description: 'Laptop', price: 1200),
        new InvoiceItem(description: 'Black Hole', price: 50)
    ]
);

// Step 4: Keep the map internal
// Step 5: Share only UUID with the client Type 📝 Semi-Automatic Semi-Automatic Safety 🛡️ This refactoring is safe if done incrementally with proper tests and backward compatibility during transition. You should kee dual access (UUID and ID) temporarily to allow phased updates. Why is the Code Better? ✨ The refactoring prevents IDOR attacks by removing predictable identifiers. You remove predictable IDs from public access It reduces the risk of automated scraping due to non-sequential keys. This technique also improves encapsulation by keeping internal IDs private and encourages cleaner API design through explicit mapping. This technique is especially useful in RESTful APIs, web applications, and microservices where object identifiers are exposed publicly. You can enable a rate control limit for failed 404 resources when your attacker tries to guess the IDs. How Does it Improve the Bijection? 🗺️ When you model your identifiers with real-world concepts rather than database rows, you avoid exposing accidental implementation details. real-world This keeps the bijection closer to the business entity and avoids leaking technical structure. bijection The real-world invoice on the example doesn't expose an internal ID. Instead, it's referred to through business terms or opaque references. This refactoring removes the accidental part and restores the essential essence of the invoice. You control the pointers. The pointer doesn't control you. Limitations ⚠️ This refactoring requires you to update all client-facing integrations. Some systems might still assume access to numeric IDs. You must preserve internal IDs for persistence, audits, or legacy support. Refactor with AI 🤖 Suggested Prompt: 1. Identify all public uses of sequential IDs in APIs, URLs, or UI elements  2. Generate UUIDs for each record during data migration or creation 3. Replace exposed sequential IDs with UUIDs in external-facing interfaces  4. Map UUIDs internally to the original IDs using a private lookup table or service 5. Ensure UUIDs are used consistently across services and databases Suggested Prompt: 1. Identify all public uses of sequential IDs in APIs, URLs, or UI elements  2. Generate UUIDs for each record during data migration or creation 3. Replace exposed sequential IDs with UUIDs in external-facing interfaces  4. Map UUIDs internally to the original IDs using a private lookup table or service 5. Ensure UUIDs are used consistently across services and databases Without Proper Instructions

With Specific Instructions



ChatGPT

ChatGPT



Claude

Claude



Perplexity

Perplexity



Copilot

Copilot



Gemini

Gemini



DeepSeek

DeepSeek



Meta AI

Meta AI



Grok

Grok



Qwen

Qwen Without Proper Instructions

With Specific Instructions



ChatGPT

ChatGPT



Claude

Claude



Perplexity

Perplexity



Copilot

Copilot



Gemini

Gemini



DeepSeek

DeepSeek



Meta AI

Meta AI



Grok

Grok



Qwen

Qwen Without Proper Instructions

With Specific Instructions Without Proper Instructions Without Proper Instructions With Specific Instructions With Specific Instructions ChatGPT

ChatGPT ChatGPT ChatGPT ChatGPT ChatGPT ChatGPT ChatGPT Claude

Claude Claude Claude Claude Claude Claude Claude Perplexity

Perplexity Perplexity Perplexity Perplexity Perplexity Perplexity Perplexity Copilot

Copilot Copilot Copilot Copilot Copilot Copilot Copilot Gemini

Gemini Gemini Gemini Gemini Gemini Gemini Gemini DeepSeek

DeepSeek DeepSeek DeepSeek DeepSeek DeepSeek DeepSeek DeepSeek Meta AI

Meta AI Meta AI Meta AI Meta AI Meta AI Meta AI Meta AI Grok

Grok Grok Grok Grok Grok Grok Grok Qwen

Qwen Qwen Qwen Qwen Qwen Qwen Qwen Tags 🏷️ Security Security Level 🔋 Intermediate Intermediate Related Refactorings 🔄 https://hackernoon.com/refactoring-remove-setters-codesmell?embedable=true https://hackernoon.com/refactoring-remove-setters-codesmell?embedable=true https://hackernoon.com/refactoring-027-how-to-remove-getters?embedable=true https://hackernoon.com/refactoring-027-how-to-remove-getters?embedable=true https://maximilianocontieri.com/refactoring-009-protect-public-attributes?embedable=true https://maximilianocontieri.com/refactoring-009-protect-public-attributes?embedable=true https://hackernoon.com/refactoring-016-building-with-the-essence?embedable=true https://hackernoon.com/refactoring-016-building-with-the-essence?embedable=true See also 📚 https://en.wikipedia.org/wiki/Insecure_direct_object_reference?embedable=true https://en.wikipedia.org/wiki/Insecure_direct_object_reference?embedable=true Credits 🙏 Image by Kris on Pixabay Kris Pixabay This article is part of the Refactoring Series. https://maximilianocontieri.com/how-to-improve-your-code-with-easy-refactorings?embedable=true https://maximilianocontieri.com/how-to-improve-your-code-with-easy-refactorings?embedable=true

Don't Mix Data Access Concerns With Essential Business Behavior

Code Smell 300 - Package Hallucination

Buy My Book

Share your ideas with me!

Read My Stories

Buy Me a Coffee

Too Long; Didn't Read

Make resilience your competitive advantage

Replace Sequential IDs in Your Models With UUIDs to Prevent IDOR Vulnerabilities or Scraping

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

Code Smell 309 - Query Parameter API Versioning

What Are Large Language Models Capable Of: The Vulnerability of LLMs to Adversarial Attacks

The Day a Tiny Robot Convinced 12 Bots to Quit Their Jobs: A Black Mirror Reality Unfolds in Shanghai

Microsoft Researchers Identify 8 Core Security Lessons for AI

The Prompt Protocol: Why Tomorrow's Security Nightmares Will Be Whispered, Not Coded

Code Smell 309 - Query Parameter API Versioning

What Are Large Language Models Capable Of: The Vulnerability of LLMs to Adversarial Attacks

The Day a Tiny Robot Convinced 12 Bots to Quit Their Jobs: A Black Mirror Reality Unfolds in Shanghai

Microsoft Researchers Identify 8 Core Security Lessons for AI

The Prompt Protocol: Why Tomorrow's Security Nightmares Will Be Whispered, Not Coded

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps