Numeric IDs

owasp:api1:2019-no-numeric-ids

Rule Severity:

High

Ensure endpoints do not use numeric parameters for identifying resources.
This rule applies at the API Specification level (OAS/Swagger).
Numeric parameters should not be used to identify objects or resources. Numeric identifiers follow a predictable pattern, so an attacker can enumerate resources simply by iterating over likely values. UUIDs should be used wherever possible.
Numeric identifiers are distinct numerical values linked to objects, resources, or records within a system. They uniquely identify and provide access to particular items or data within a database or application, and they are typically assigned sequentially.

Example Attack Scenario

Information Leakage: Numeric IDs might inadvertently reveal information about the system or other users. For instance, if user IDs are sequential and start from 1, an attacker can infer the number of users registered on the platform by trying higher IDs until they receive a "user not found" response.

1. How to Identify with Example Scenario

paths:
  '/root/{myObjectID}':
    # arbitrary path
    parameters:
      - name: myObjectID
        in: path
        required: true
        schema:
          type: integer   # numeric identifier: this is what the rule flags

1. How to Resolve with Example Scenario

paths:
  '/root/{myObjectID}':
    # arbitrary path
    parameters:
      - name: myObjectID
        in: path
        required: true
        schema:
          type: string
          format: uuid   # opaque identifier: cannot be enumerated by counting

2. How to Identify with Example Scenario

To identify issues such as these in API specifications, look for path parameters whose schema is declared as type: integer (or any other numeric type), as in the first example above.

2. How to Resolve with Example Scenario

To resolve issues such as these in API specifications, change the parameter schema from type: integer to type: string with format: uuid, as in the second example above.
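
As an added example (not code from this page or from the ruleset it documents), here is a small Python check that walks an OpenAPI 3 document loaded as a dict and reports path parameters whose schema is numeric, the same condition the two specifications above illustrate. It assumes resource identifiers appear as "in: path" parameters, treats both JSON Schema "integer" and "number" as numeric, and the two embedded specifications are constructed samples.

```python
import json

NUMERIC_TYPES = {"integer", "number"}  # JSON Schema numeric types (assumption: both count)
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def _param_issue(param, location):
    """Return a finding string if param is a path parameter with a numeric schema, else None."""
    if param.get("in") != "path":
        return None
    schema = param.get("schema") or {}
    if schema.get("type") in NUMERIC_TYPES:
        return f"{location}: path parameter '{param.get('name')}' uses numeric type '{schema['type']}'"
    return None


def find_numeric_ids(spec):
    """Walk every path and operation of an OpenAPI 3 dict; return a list of findings."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        # Path-level parameters apply to every operation under the path.
        for p in item.get("parameters", []):
            issue = _param_issue(p, path)
            if issue:
                findings.append(issue)
        # Operation-level parameters may add to or override the path-level ones.
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            for p in op.get("parameters", []):
                issue = _param_issue(p, f"{method.upper()} {path}")
                if issue:
                    findings.append(issue)
    return findings


# Constructed sample specs (not from the page): the flagged form and the uuid form.
VULNERABLE_SPEC = json.loads("""{"openapi": "3.0.0", "paths": {"/root/{myObjectID}": {
  "parameters": [{"name": "myObjectID", "in": "path", "required": true,
                  "schema": {"type": "integer"}}],
  "get": {"responses": {"200": {"description": "ok"}}}}}}""")

FIXED_SPEC = json.loads("""{"openapi": "3.0.0", "paths": {"/root/{myObjectID}": {
  "parameters": [{"name": "myObjectID", "in": "path", "required": true,
                  "schema": {"type": "string", "format": "uuid"}}],
  "get": {"responses": {"200": {"description": "ok"}}}}}}""")

if __name__ == "__main__":
    for name, spec in (("vulnerable", VULNERABLE_SPEC), ("fixed", FIXED_SPEC)):
        print(name, find_numeric_ids(spec) or "no numeric path identifiers")
```
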
References:
https://swagger.io/docs/specification/describing-parameters/
