Numeric IDs

owasp-no-numeric-ids

Type:

Finding

Rule Severity:

High

An endpoint is using a numeric parameter for identifying resources.

Numeric identifiers are distinct numerical values linked to objects, resources, or records within a system. They serve the purpose of uniquely identifying and accessing particular items or data within a database or application, and they are typically organized sequentially.

This rule applies at the API Specification level (OAS/Swagger).

Remediation

Ensure endpoints do not use numeric parameters for identifying resources. Numeric parameters should not be used to identify objects or resources. Numeric patterns can be predicted and are as such at risk of enumeration exploits. UUIDs should be used wherever possible.

Example Attack Scenario

Information Leakage: Numeric IDs might inadvertently reveal information about the system or other users. For instance, if user IDs are sequential and start from 1, an attacker can infer the number of users registered on the platform by trying higher IDs until they receive a "user not found" response.

How to Identify with Example Scenario

paths:  
 '/root/{myObjectID}':         
  # abitrary path    
  parameters:      
   - schema:
   type: integer

How to Resolve with Example Scenario

paths:  
 '/root/{myObjectID}':         
  # abitrary path    
  parameters:      
   - schema:
    type: string
    format: uuid

How to Identify with Example Scenario

Find the text in bold to identify issues such as these in API specifications

How to Resolve with Example Scenario

Modify the text in bold to resolve issues such as these in API specifications
References:
https://swagger.io/docs/specification/describing-parameters/

More findings

All Findings
Field suggestions
Unexpected GraphQL response
API Gateway stage missing WAF
Unconstrained additional properties
AWS ALB listeners should be configured with a strong security policy
Majority response status codes 3XX