#uuidv4

Konstantin (kpwn@infosec.exchange)
2025-07-01

I recently ran into an interesting discrepancy:

What you see below are 120-bit Session IDs, one printed as hex and one in the format of a #UUIDv4.

After validating their randomness, I would classify the first as secure but raise concerns about the second.

Why?

Well, according to RFC 4122:

"Do not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access), for example."

And that's exactly what a session ID is: an identifier whose possession grants access. As such, UUIDs should not be used in such a case.

What do you think? Is this nitpicking? Or a valid security nuance?

Does the format in which data is displayed have an impact on its security?

I'd love to hear your thoughts.

#Pentesting #AppSec #InfoSec #CyberSecurity #BugBounty #Hacking

Screenshot showing two session IDs:

SESSIONID=27f3a8ba65f8c92ff5e32187fa7182 ✅ Secure
SESSIONID=27f3a8ba-65f8-4c92-8ff5-e32187fa7182 ❌ Insecure
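An added Python example (not part of Konstantin's post) that makes the comparison concrete: the same 120 secret bits rendered as plain hex and with UUIDv4 framing, plus the check a defender can run on a token to see whether it is a version-4 UUID at all. The two sample IDs are taken from the screenshot above; the function names are mine.

```python
import re
import secrets
import uuid

# Constructed sample values: the two session IDs from the screenshot.
HEX_ID = "27f3a8ba65f8c92ff5e32187fa7182"
UUID_ID = "27f3a8ba-65f8-4c92-8ff5-e32187fa7182"


def frame_as_uuidv4(hex30: str) -> str:
    """Wrap 120 random bits (30 hex chars) in UUIDv4 framing.
    RFC 4122 fixes the version nibble at '4' and the top two variant bits
    at '10'; as in the screenshot, the whole variant nibble is fixed to '8',
    so the UUID carries exactly the same 120 secret bits as the plain hex."""
    if not re.fullmatch(r"[0-9a-f]{30}", hex30):
        raise ValueError("expected 30 lowercase hex chars")
    h = hex30[:12] + "4" + hex30[12:15] + "8" + hex30[15:]
    return f"{h[:8]}-{h[8:12]}-{h[12:16]}-{h[16:20]}-{h[20:]}"


def unframe(u: str) -> str:
    """Inverse of frame_as_uuidv4: drop the hyphens and the two fixed nibbles."""
    h = u.lower().replace("-", "")
    return h[:12] + h[13:16] + h[17:]


def secret_bits(u: str):
    """How many bits of a UUID string the generator was free to choose, or None
    if it is not a version-4 UUID. Only v4 is random by construction (122 bits
    when the RNG is a CSPRNG); other versions embed time, node or name-derived
    bits, which is the predictability RFC 4122 warns about."""
    try:
        parsed = uuid.UUID(u)
    except ValueError:
        return None
    if parsed.version == 4 and parsed.variant == uuid.RFC_4122:
        return 128 - 4 - 2
    return None


def new_session_id():
    """Fresh 120-bit ID from the OS CSPRNG, returned in both renderings."""
    raw = secrets.token_hex(15)  # 15 bytes = 120 bits
    return raw, frame_as_uuidv4(raw)
```

Either rendering is as strong as the generator behind it; the check worth automating is that a UUID-shaped token is version 4 and came from a CSPRNG, not that it is a UUID.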
2024-12-06

Database identifiers: INT vs UUID

Hi! My name is Zhenya, I'm a backend developer, and in this post I'd like to briefly discuss the pros and cons of the different kinds of identifiers used in a database.

habr.com/ru/articles/864188/

#идентификатор #id #uuid #uuidv4 #uuidv7

Elias Probst (eliasp)
2024-05-28

just generates a like
3b7d2d2c-3732-41db-a678-8bc4aeaf9155 as a secret for auth tokens? 😱
This looks a lot like a bad security practice to me, especially when RFC4122 says:

"Do not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access), for example. A predictable random number source will exacerbate the situation."
