Findings
Numeric ID
Updated: June 19, 2025
Description
An endpoint uses a numeric parameter to identify a resource.
Numeric identifiers are distinct numerical values linked to objects, resources, or records within a system. They uniquely identify and locate particular items or data within a database or application, and they are typically assigned sequentially (for example, an auto-incrementing database primary key).
This rule applies at the API Specification level (OAS/Swagger).
Example Attack
Information Leakage: Numeric IDs might inadvertently reveal information about the system or other users. For instance, if user IDs are sequential and start from 1, an attacker can infer the number of users registered on the platform by trying higher IDs until they receive a "user not found" response. Because every ID in the range is now known, the same probing also hands the attacker a complete list of other users' resources to request, which becomes a data breach wherever the object level authorization check is missing.
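The attack above, as an added example that is not part of the original finding page: a simulated GET /users/{id} endpoint keyed by sequential integers, and an attacker that infers the number of registered users from nothing but found / not-found replies. It goes one step beyond the linear probing described in the text: with contiguous IDs the attacker can gallop and binary search, so the count is recovered in a few dozen requests rather than one per user. The same attacker against version 4 UUIDs has no order to walk. The in-memory store, the request counter and every name here are constructed for this illustration.

```python
"""Added example, not from the original finding page: a simulated
GET /users/{id} endpoint keyed by sequential integers, and an attacker that
infers the number of registered users from nothing but found / not-found
replies. The store, the request counter and every name below are constructed
for this illustration."""
import uuid

# Constructed sample data: 1337 users under auto-increment style IDs 1..1337.
SEQUENTIAL_USERS = {i: {"email": f"user{i}@example.test"} for i in range(1, 1338)}

# The same records behind random (version 4) UUIDs.
UUID_USERS = {str(uuid.uuid4()): rec for rec in SEQUENTIAL_USERS.values()}


class Api:
    """Stand-in for the endpoint: answers 200 or 404 and counts the calls made."""

    def __init__(self, store):
        self.store = store
        self.requests = 0

    def get_user(self, user_id):
        self.requests += 1
        return 200 if user_id in self.store else 404


def infer_user_count(api, upper_bound=1 << 31):
    """Find the highest existing ID by galloping, then binary search.

    Assumes IDs are contiguous from 1 (the usual auto-increment case). The
    attacker needs O(log n) requests, so the probe fits easily inside an
    ordinary per-client request budget.
    """
    if api.get_user(1) != 200:
        return 0
    low, high = 1, 2  # invariant: low exists; high is the next probe
    while high < upper_bound and api.get_user(high) == 200:
        low, high = high, high * 2
    # Now low exists and high does not (or the bound was hit); narrow the gap to one.
    while high - low > 1:
        mid = (low + high) // 2
        if api.get_user(mid) == 200:
            low = mid
        else:
            high = mid
    return low


def guess_uuid_ids(api, attempts=5000):
    """The same attacker against UUID keys: no order to walk, only blind guessing."""
    hits = 0
    for _ in range(attempts):
        if api.get_user(str(uuid.uuid4())) == 200:
            hits += 1
    return hits


if __name__ == "__main__":
    sequential = Api(SEQUENTIAL_USERS)
    print("inferred users:", infer_user_count(sequential),
          "in", sequential.requests, "requests")
    random_ids = Api(UUID_USERS)
    print("uuid hits:", guess_uuid_ids(random_ids),
          "in", random_ids.requests, "requests")
```

Against the constructed store the galloping search recovers 1337 with about 22 requests; the 5000 random UUID guesses score zero. The second function is the point of the remediation: unpredictable identifiers remove the structure the enumeration relies on, but they still do nothing for a caller who already holds someone else's UUID, which is why the authorization check on every access remains necessary.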
Remediation
Do not use numeric parameters to identify objects or resources. Sequential numeric identifiers are predictable, which exposes the endpoint to enumeration attacks. Use random (version 4) UUIDs wherever possible; time-based or otherwise derived identifier schemes keep some of the predictability this rule warns about. An unpredictable identifier only makes a resource hard to guess; it is not a substitute for an object level authorization check on every access that takes an ID from the user.
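Since the rule applies at the API specification level, the check can be run over the OpenAPI document itself. As an added example, not the page's own check: a small scanner that walks an OpenAPI 3 document and reports path or query parameters that identify a resource with an integer or number, shown against a remediated copy of the same spec whose identifiers are UUID-formatted strings. Both documents, the ID-name heuristic and the function names are constructed for this illustration; $ref parameters are not resolved (the example assumes they are inlined).

```python
"""Added example, not the page's own check: a small scanner that walks an
OpenAPI 3 document and reports path or query parameters that identify a
resource with an integer or number, i.e. the pattern this rule flags, shown
against a remediated copy of the same spec that uses UUID-formatted strings.
Both documents are constructed for this illustration; $ref parameters are
not resolved (assumption: they are inlined)."""
import copy
import re

# Constructed weak spec: integer identifiers in a path and a query parameter.
WEAK_SPEC = {
    "openapi": "3.0.3",
    "paths": {
        "/users/{userId}": {
            "get": {
                "parameters": [
                    {"name": "userId", "in": "path", "required": True,
                     "schema": {"type": "integer", "format": "int64"}},
                ],
            },
        },
        "/orders": {
            # Path-level parameters apply to every operation on the path.
            "parameters": [
                {"name": "customer_id", "in": "query",
                 "schema": {"type": "integer"}},
            ],
            "get": {
                "parameters": [
                    # Not an identifier: a numeric page size is fine.
                    {"name": "limit", "in": "query", "schema": {"type": "integer"}},
                ],
            },
        },
    },
}

# Remediated copy: the identifiers become UUID strings, everything else stays.
FIXED_SPEC = copy.deepcopy(WEAK_SPEC)
FIXED_SPEC["paths"]["/users/{userId}"]["get"]["parameters"][0]["schema"] = {
    "type": "string", "format": "uuid"}
FIXED_SPEC["paths"]["/orders"]["parameters"][0]["schema"] = {
    "type": "string", "format": "uuid"}

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
# Heuristic for query parameters that name a resource: "id", "user_id", "userId".
ID_NAME = re.compile(r"(?:^|[_-])id$|[a-z0-9]Id$")


def _index(params):
    """Key parameters by (name, in); entries without a name (e.g. $ref) are skipped."""
    return {(p["name"], p["in"]): p for p in params if "name" in p}


def numeric_identifier_findings(spec):
    """Return (path, METHOD, parameter name, location) for each numeric identifier.

    Path parameters always identify a resource. Query parameters count only
    when their name looks like an ID. Operation-level parameters override
    path-level ones with the same name and location, per the OAS merge rule.
    """
    findings = []
    for path, item in spec.get("paths", {}).items():
        shared = _index(item.get("parameters", []))
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            merged = dict(shared)
            merged.update(_index(op.get("parameters", [])))
            for (name, loc), param in merged.items():
                if loc not in ("path", "query"):
                    continue
                if loc == "query" and not ID_NAME.search(name):
                    continue
                if param.get("schema", {}).get("type") in ("integer", "number"):
                    findings.append((path, method.upper(), name, loc))
    return findings


if __name__ == "__main__":
    for finding in numeric_identifier_findings(WEAK_SPEC):
        print("numeric identifier:", *finding)
    print("findings after remediation:", numeric_identifier_findings(FIXED_SPEC))
```

The weak spec yields two findings (the userId path parameter and the path-level customer_id query parameter) while limit is left alone because a numeric page size does not name a resource; the remediated copy yields none. The query-name heuristic is deliberately narrow, so a real linter would widen it to the naming conventions of the API under review.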
Security Frameworks
APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface of Object Level Access Control issues. Object level authorization checks should be considered in every function that accesses a data source using an ID from the user.