ํ”ผ๋“œ๋กœ ๋Œ์•„๊ฐ€๊ธฐ
Stop BOLA Attacks: Securing Laravel APIs with ULIDs ๐Ÿ›ก๏ธ
Dev.to
Security

ULID ๋„์ž…์„ ํ†ตํ•œ BOLA ๊ณต๊ฒฉ ์ฐจ๋‹จ ๋ฐ B-Tree ์ธ๋ฑ์Šค ์„ฑ๋Šฅ ์ตœ์ ํ™”


Prajapati Paresh · 29 June 2026 · 3 min · intermediate

Context

Auto-incrementing integer primary keys produce sequential, predictable IDs, which exposes the API to BOLA (Broken Object Level Authorization): once an attacker sees one object ID, the neighbouring IDs are trivial to enumerate. Replacing them with random UUIDv4 values removes the predictability, but because every insert lands at a random position in the B-Tree index it causes page splits, disk fragmentation and write amplification, degrading write performance.

Technical Solution

  • ์˜ˆ์ธก ๋ถˆ๊ฐ€๋Šฅํ•œ Identifier ํ™•๋ณด๋ฅผ ํ†ตํ•œ BOLA ๋ฐ Data Scraping ์›์ฒœ ์ฐจ๋‹จ
  • Timestamp ๊ธฐ๋ฐ˜ ์ •๋ ฌ์ด ๊ฐ€๋Šฅํ•œ ULID(Universally Unique Lexicographically Sortable Identifier) ์ฑ„ํƒ
  • 26์ž ๋ฌธ์ž์—ด ์ค‘ ์•ž 10์ž๋ฅผ ๊ณ ์ •๋ฐ€ Timestamp๋กœ ๊ตฌ์„ฑํ•˜์—ฌ Chronological Order ์œ ์ง€
  • ๋‚˜๋จธ์ง€ 16์ž์˜ Cryptographic Randomness๋ฅผ ํ†ตํ•œ ID ์ถ”์ธก ๊ฐ€๋Šฅ์„ฑ ์ œ๊ฑฐ
  • Laravel์˜ HasUlids Trait๋ฅผ ํ™œ์šฉํ•œ Model Layer ์ž๋™ ์ƒ์„ฑ ๋กœ์ง ๊ตฌํ˜„
  • Time-sortable ํŠน์„ฑ์„ ์ด์šฉํ•ด created_at ์ปฌ๋Ÿผ ์—†์ด ID ๊ธฐ๋ฐ˜์˜ ๊ณ ์† ์ •๋ ฌ ์ฟผ๋ฆฌ ์ˆ˜ํ–‰
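To make the structure in the list above concrete, the following stand-alone Python implementation is an added example, not code from the article or from Laravel (Laravel's HasUlids trait delegates to symfony/uid). It encodes the 48-bit millisecond timestamp and the 80 random bits as 26 Crockford base32 characters, decodes the timestamp back out (which is also the caveat: a ULID reveals when the row was created), and shows the monotonic rule that keeps IDs minted in the same millisecond sortable. The `MonotonicUlidFactory` name and its `rng` parameter are this example's own choices.

```python
"""Minimal ULID: 48-bit ms timestamp + 80 random bits -> 26 chars of Crockford base32.

Added example for illustration; not the article's or Laravel's code.
"""
import secrets
import time
from typing import Callable, Optional

# Crockford base32: 32 symbols, no I, L, O or U. The alphabet is in ascending
# ASCII order, which is what makes byte-wise/lexicographic sort equal numeric sort.
CROCKFORD = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"
_DECODE = {c: i for i, c in enumerate(CROCKFORD)}

TIMESTAMP_CHARS = 10  # 10 * 5 = 50 bits, top 2 bits are always zero
RANDOM_CHARS = 16     # 16 * 5 = 80 bits exactly


def _encode(value: int, length: int) -> str:
    """Big-endian base32 encoding of `value` into exactly `length` characters."""
    out = []
    for _ in range(length):
        out.append(CROCKFORD[value & 0x1F])
        value >>= 5
    return "".join(reversed(out))


def _decode(text: str) -> int:
    value = 0
    for ch in text:
        value = (value << 5) | _DECODE[ch]
    return value


def ulid(timestamp_ms: Optional[int] = None, rand: Optional[int] = None) -> str:
    """Build a ULID from a millisecond timestamp and an 80-bit random value."""
    if timestamp_ms is None:
        timestamp_ms = time.time_ns() // 1_000_000
    if rand is None:
        rand = secrets.randbits(80)  # CSPRNG: this half is what makes IDs unguessable
    if not 0 <= timestamp_ms < 1 << 48:
        raise ValueError("timestamp must fit in 48 bits")
    if not 0 <= rand < 1 << 80:
        raise ValueError("random component must fit in 80 bits")
    return _encode(timestamp_ms, TIMESTAMP_CHARS) + _encode(rand, RANDOM_CHARS)


def timestamp_ms_of(u: str) -> int:
    """Recover the creation time: the timestamp prefix is public, not secret."""
    return _decode(u[:TIMESTAMP_CHARS])


def is_valid_ulid(u: str) -> bool:
    """Cheap syntactic check before the value reaches a database query."""
    return (len(u) == TIMESTAMP_CHARS + RANDOM_CHARS
            and all(ch in _DECODE for ch in u)
            and u[0] in "01234567")  # 48-bit timestamp never exceeds 7ZZZZZZZZZ


class MonotonicUlidFactory:
    """Strictly increasing ULIDs within one process, even in the same millisecond.

    Without this rule, two IDs minted in the same millisecond sort by their random
    halves, i.e. in arbitrary order. `rng` is injectable only so tests are deterministic.
    """

    def __init__(self, rng: Callable[[int], int] = secrets.randbits) -> None:
        self._rng = rng
        self._last_ms = -1
        self._last_rand = 0

    def new(self, timestamp_ms: Optional[int] = None) -> str:
        if timestamp_ms is None:
            timestamp_ms = time.time_ns() // 1_000_000
        if timestamp_ms <= self._last_ms:
            # Same millisecond (or clock stepped backwards): keep the previous
            # timestamp and bump the random part by one, as the ULID spec describes.
            timestamp_ms = self._last_ms
            self._last_rand += 1
            if self._last_rand >= 1 << 80:
                raise OverflowError("random component exhausted within one millisecond")
        else:
            self._last_ms = timestamp_ms
            self._last_rand = self._rng(80)
        return ulid(timestamp_ms, self._last_rand)


if __name__ == "__main__":
    factory = MonotonicUlidFactory()
    a, b = factory.new(), factory.new()
    print(a, b, a < b, timestamp_ms_of(a))
```

The attacker's guessing budget is the point to keep in mind: with sequential integers, one leaked ID bounds the whole table; with a ULID, an attacker who even knows the exact millisecond of creation still faces 2^80 candidates for the random half. The `is_valid_ulid` check is the kind of input validation worth doing on route parameters before they reach the ORM.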

  • Never use sequential integer IDs as externally exposed primary keys in a public-facing API
  • Weigh randomness against insert and sort performance, then consider ULID or UUIDv7 instead of UUIDv4
  • Choose the primary key data type with the physical storage structure of the database index (B-Tree) in mind
  • Apply unguessable IDs as a defense-in-depth layer that backstops defects in the API authorization middleware; they shrink the attack surface but do not replace the per-request ownership check itself

์›๋ฌธ ์ฝ๊ธฐ