What is an enumeration attack?
An enumeration attack uses automation to guess, at scale, the numeric or alphanumeric identifiers that a public-facing application uses to address its resources. An example is using a bot to discover valid web conferencing meeting ID numbers, as shown in the Prying-Eye vulnerability.
How do enumeration attacks work?
This attack uses a bot to enumerate (and thereby discover) the numeric or alphanumeric identifiers that act as the access control mechanism for a public-facing application. If the resource behind the identifier is not also protected by a password or another authentication mechanism, the identifier is the only secret, and the bad actor gains access as soon as a valid one is found.
The Prying-Eye vulnerability is an example of an enumeration attack targeting web conferencing APIs: a bot cycles through (enumerates) the numeric meeting ID space, discovers which IDs correspond to valid meetings, and learns the associated moderator or host details for any meeting to which a password has not been assigned. Because not assigning a password is common user practice, the bad actor can then view or listen to an active meeting. If a user has also configured a personal meeting ID (a persistent ID chosen for convenience) without a password, the bad actor can store that ID for future snooping.
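The mechanics above, as an added example that is not part of the original page and not Prying-Eye's actual code: a toy join API whose meetings are keyed by sequential 9-digit IDs, the bot loop that walks a contiguous ID range with no password and keeps every ID it gets straight into, and the two cheapest fixes (IDs drawn from a large random space, and a per-client failure limit). The meeting IDs, host names, password and client address are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional
import secrets


@dataclass
class Meeting:
    host: str
    password: Optional[str] = None  # None models the common "no password" setup


class MeetingService:
    """Toy model of a conferencing join API: look up an ID, and check a
    password only if the host set one. The bot talks to this and nothing else."""

    def __init__(self, meetings: dict):
        self.meetings = meetings

    def join(self, meeting_id: str, password: Optional[str] = None,
             client: str = "203.0.113.7") -> str:
        m = self.meetings.get(meeting_id)
        if m is None:
            return "no such meeting"
        if m.password is not None and m.password != password:
            return "password required"
        return f"joined: host={m.host}"


class RateLimitedService(MeetingService):
    """Same API, but a client that fails max_failures lookups is cut off."""

    def __init__(self, meetings: dict, max_failures: int = 20):
        super().__init__(meetings)
        self.max_failures = max_failures
        self.failures = Counter()

    def join(self, meeting_id, password=None, client="203.0.113.7"):
        if self.failures[client] >= self.max_failures:
            return "rate limited"
        result = super().join(meeting_id, password, client)
        if not result.startswith("joined"):
            self.failures[client] += 1
        return result


def enumerate_ids(service: MeetingService, id_range: range, width: int = 9):
    """The bot: try every ID in the range with no password and keep the ones
    that let us straight in. Returns (open_ids, tally of response kinds)."""
    open_ids, tally = [], Counter()
    for n in id_range:
        mid = f"{n:0{width}d}"
        result = service.join(mid)
        tally[result.split(":")[0]] += 1
        if result.startswith("joined"):
            open_ids.append(mid)
    return open_ids, tally


# Constructed sample: a provider that hands out sequential 9-digit IDs.
SEQUENTIAL = MeetingService({
    "100000003": Meeting("alice"),                   # no password
    "100000017": Meeting("bob", password="s3cret"),
    "100000042": Meeting("carol"),                   # no password
    "100000058": Meeting("dave"),                    # no password
})

# The same meetings keyed by 128-bit random IDs (32 hex chars), so a
# numeric scan never lands on one.
RANDOMISED = MeetingService({secrets.token_hex(16): m
                             for m in SEQUENTIAL.meetings.values()})

SCAN = range(100_000_000, 100_000_100)  # 100 guesses, a tiny slice of 10**9


def vulnerable_scan():
    return enumerate_ids(SEQUENTIAL, SCAN)


def hardened_scan():
    return enumerate_ids(RANDOMISED, SCAN)


def rate_limited_scan(max_failures: int = 20):
    return enumerate_ids(RateLimitedService(dict(SEQUENTIAL.meetings), max_failures), SCAN)


if __name__ == "__main__":
    for name, scan in [("sequential ids", vulnerable_scan),
                       ("random ids", hardened_scan),
                       ("sequential ids + rate limit", rate_limited_scan)]:
        ids, tally = scan()
        print(f"{name}: open meetings {ids}, responses {dict(tally)}")
```

Against sequential IDs the 100-guess scan finds all three passwordless meetings; against random IDs it finds nothing; with the failure limit it is cut off after 20 misses, so only the first passwordless meeting leaks. Note that the limiter is keyed by client address, which a distributed bot defeats, so it is a floor rather than a fix: unguessable IDs and a required password are what actually remove the attack.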
Enumeration attack goals and organizational impact
The goal of the attack depends on the asset behind the numeric identifier. A few examples include:
- Snooping and unauthorized access: Bad actors can snoop on meetings that have no password, as shown in the Prying-Eye vulnerability, and so gain unauthorized access to whatever is discussed or shared in them. The impact is a loss of privacy and of the associated intellectual property.
- Disruption: The same request loop can double as an application-layer DDoS attack, continually cycling requests until the application becomes unusable. The result is higher infrastructure cost and an IT team distracted by the need for added capacity.
- Theft: If an asset of value sits behind a numeric ID with no password, that asset can be taken outright, resulting in financial loss, customer dissatisfaction and potential damage to the brand.
What type of applications and industries are targeted by UID enumeration attacks?
Any organization whose public-facing applications use a numeric or alphanumeric identifier sequence with an asset of value behind it is subject to this attack.
Preventing enumeration attacks with Cequence Security
The Cequence Application Security Platform prevents enumeration attacks using CQAI, a patented machine-learning analytics engine that analyzes web, mobile and API-based application requests to determine their intent from many factors, including the behavior of the user (e.g., speed of form fills, mouse movement and keystrokes, time of day, location, etc.). Using these data points, the attack can be mitigated through blocking, rate limiting, geofencing, or deception.
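Of the mitigations listed above, rate limiting and blocking both need a way to tell an enumerating bot apart from ordinary users. The following is an added example, not CQAI and not any Cequence code: a plain heuristic that parses Combined Log Format access-log lines and flags a source that, inside one time window, probes many distinct meeting IDs, mostly gets "not found" back, and walks the IDs in sequence. The log lines, the `/api/meetings/<id>/join` path, the use of HTTP 404 for an unknown meeting, and the thresholds are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
ID_RE = re.compile(r"^/api/meetings/(?P<id>\d+)/join$")  # assumed join endpoint
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def build_sample_log():
    """Constructed sample: one bot walking 30 consecutive IDs at 5 requests
    per second, plus two ordinary users joining their own meetings."""
    base = datetime(2019, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=i // 5)).strftime(TS_FMT)
        status = {3: 200, 17: 401}.get(i, 404)  # one open meeting, one needing a password
        lines.append(f'203.0.113.7 - - [{ts}] "GET /api/meetings/{100000000 + i}/join HTTP/1.1" {status} 52')
    ts = base.strftime(TS_FMT)
    lines.append(f'198.51.100.20 - - [{ts}] "GET /api/meetings/100000017/join HTTP/1.1" 200 812')
    lines.append(f'198.51.100.21 - - [{ts}] "GET /api/meetings/100000042/join HTTP/1.1" 200 812')
    return lines


def parse_join_events(lines):
    """Yield (source, timestamp, meeting_id, status) for join requests only."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        p = ID_RE.match(m["path"])
        if not p:
            continue
        yield (m["src"], datetime.strptime(m["ts"], TS_FMT),
               int(p["id"]), int(m["status"]))


def find_enumerators(lines, window=timedelta(seconds=60),
                     min_distinct=10, min_miss_ratio=0.7):
    """Flag a source the first time a sliding window over its requests holds
    at least min_distinct distinct IDs with at least min_miss_ratio of them
    answered 404. Also reports how sequential the probed IDs were."""
    by_src = defaultdict(list)
    for src, ts, mid, status in parse_join_events(lines):
        by_src[src].append((ts, mid, status))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            ids = sorted({e[1] for e in win})
            if len(ids) < max(min_distinct, 2):
                continue
            miss_ratio = sum(1 for e in win if e[2] == 404) / len(win)
            sequential = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1) / (len(ids) - 1)
            if miss_ratio >= min_miss_ratio:
                flagged[src] = {"distinct_ids": len(ids),
                                "miss_ratio": round(miss_ratio, 2),
                                "sequential_ratio": round(sequential, 2)}
                break  # alert on the first qualifying window
    return flagged


if __name__ == "__main__":
    for src, stats in find_enumerators(build_sample_log()).items():
        print(f"enumeration suspected from {src}: {stats}")
```

The high miss ratio is the signal that survives when IDs are random, and the sequential ratio is what distinguishes a scan of a numeric ID space from a user with a stale link. A real deployment would key the counters on more than the source address, since a botnet spreads the same scan over many of them.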