A RESTful API vulnerable to a sequential-ID attack exposes sensitive data or resources because its resource identifiers are predictable. An attacker who can guess one valid identifier can iterate through neighbouring IDs to read information or perform actions on resources they are not authorized for. To mitigate, use randomized or hashed identifiers for resources, enforce proper authentication and authorization on every request, and monitor API access for suspicious activity.
Use non-sequential (randomized or UUID-based) identifiers so that attackers cannot enumerate resources. Enforce strict authentication and authorization checks before granting access to any resource, regardless of how the identifier was obtained. Regularly review server logs and analytics for unusual access patterns, such as rapid iteration over IDs. Employ a Web Application Firewall (WAF) or intrusion detection system to detect suspicious requests against potentially predictable endpoints. Additionally, consider rate-limiting to slow brute-force enumeration attempts, and perform periodic security assessments to confirm that no endpoint inadvertently exposes sequential or guessable IDs.
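The following is an added illustration, not code from the original page, showing the vulnerable and hardened forms of the lookup described above side by side. It uses a constructed in-memory store instead of a database and a hypothetical `EnumerationMonitor` to stand in for the log review and rate-limiting the text recommends; the function and class names are assumptions. The hardened handler hands out random UUIDs instead of the internal sequential key, checks ownership on every request, returns the same 404 whether a record is missing or belongs to someone else (so the response does not confirm that an ID exists), and throttles a requester that accumulates many failed lookups in a short window.

```python
import uuid
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Record:
    seq_id: int      # internal sequential primary key; the hardened API never exposes it
    public_id: str   # random UUIDv4 handed out to clients instead
    owner: str
    body: str


@dataclass
class Store:
    """Constructed in-memory store standing in for a database table."""
    by_seq: dict = field(default_factory=dict)
    by_public: dict = field(default_factory=dict)

    def create(self, owner, body):
        seq = len(self.by_seq) + 1                 # sequential, as an autoincrement key would be
        rec = Record(seq, str(uuid.uuid4()), owner, body)
        self.by_seq[seq] = rec
        self.by_public[rec.public_id] = rec
        return rec


def get_record_vulnerable(store, requester, seq_id):
    """Vulnerable form: trusts the sequential id from the URL and never checks ownership."""
    rec = store.by_seq.get(seq_id)
    if rec is None:
        return 404, None
    return 200, rec.body          # any authenticated user can read any record by counting ids


class EnumerationMonitor:
    """Hypothetical helper: counts failed lookups per requester inside a sliding window."""

    def __init__(self, threshold=5, window=60):
        self.threshold = threshold
        self.window = window
        self.misses = defaultdict(deque)

    def record_miss(self, requester, now):
        """Register a failed lookup; return True once the requester exceeds the threshold."""
        q = self.misses[requester]
        q.append(now)
        while q and now - q[0] > self.window:   # drop misses that fell out of the window
            q.popleft()
        return len(q) >= self.threshold


def get_record_hardened(store, monitor, requester, public_id, now=0.0):
    """Hardened form: random id, authentication, ownership check, uniform 404, throttling."""
    if requester is None:
        return 401, None          # authentication is required before any lookup
    rec = store.by_public.get(public_id)
    # Missing and not-owned records are treated identically so the API is not an existence oracle.
    if rec is None or rec.owner != requester:
        if monitor.record_miss(requester, now):
            return 429, None      # too many failed lookups: likely enumeration, slow it down
        return 404, None
    return 200, rec.body


if __name__ == "__main__":
    store = Store()
    monitor = EnumerationMonitor(threshold=3)
    alice = store.create("alice", "alice-secret")
    print("vulnerable, bob asks for id 1:", get_record_vulnerable(store, "bob", alice.seq_id))
    print("hardened, bob asks for alice's uuid:",
          get_record_hardened(store, monitor, "bob", alice.public_id, now=1.0))
```

The important detail is that the UUID alone is not the fix: the ownership check is what prevents a leaked or guessed identifier from being useful, and the random identifier only removes the cheap enumeration path. The uniform 404 keeps the endpoint from confirming which identifiers exist, which is the signal an enumeration would otherwise harvest.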
Code: A03:2021
Category: Injection
8.2