Prevent Enumeration Attacks

Enumeration Attacks use automation to rapidly iterate through numeric or alpha-numeric sequences used as identifiers for public-facing applications with the end goal of discovering legitimate web conferencing meeting, valid gift card numbers or an in-transit shipment.

Enumeration and Snooping Attack

Automation allows a bad actor to launch enumeration attacks directly against the application APIs as shown in the Prying-Eye vulnerability where a bot cycles through (enumerates) and discovers valid numeric meeting IDs. If the common user practice of disabling security functionality is followed, then the bad actor would be able to view or listen to an active meeting.
Targeting the web conferencing application APIs directly, this attack (1) uses a bot to enumerate and discover the numeric, or alphanumeric identifiers that (2) perform the attendee access control function. If the application is not protected by a password or other authentication mechanism, (3) the bad actor can surreptitiously gain access to the web meeting.

Enumeration and Snooping Attack

Gift Card/Check Enumeration

Enumeration Attacks are often used by bad actors to validate and use gift cards before the real owners are able to do so. Bad actors can easily determine the numeric sequence by viewing the cards on display in retail stores. Armed with the numeric pattern, a bot can be programmed to validate the card numbers. In some scenarios, a bank validation is required prior to use, and if successful, they can then be used immediately to make valid purchases.

Gift Card/Check Enumeration

Enumeration Attack Prevention Features

Bad actors are able to rapidly iterate through sequences to crack alpha numeric strings like gift cards. You need to respond just as fast to detect and mitigate the attack before they’re able to profit.

Automatically Discover Enumeration Patterns

CQAI and Bot Defense automatically discover your API and web-based applications to build an intuitive site map for visibility and policy-based protection. JavaScript and mobile SDK-based solutions rely on device-only telemetry which slows application development, solution deployment and page load times.

Open, Extensible and Customizable Platform

Using more than 150 customizable automation indicators, CQAI determines the malicious or benign intent of each application request. The REST API can be used to export CQAI findings to external systems for archiving, additional analysis or an alternative response.

More Response Options Available for Mitigation

Customizable mitigation policies provide multiple response options including block, rate limit, geo fence, or deception. Using deception allows you to send a custom response to the attacker, effectively putting guardrails around their activities.

New Apps Protected Automatically, Delays Eliminated

As new public-facing applications that use numeric identifiers are deployed, they are automatically discovered and protected from enumeration attacks by Bot Defense, effectively baking security into your application deployment workflow.

Consistent Protections for Web Apps and APIs

Agentless approach allows you to deploy consistent visibility and policy protection from enumeration attacks for your API and web-based applications.

Container-Based Architecture for Greater Flexibility

A container-based software architecture allows Bot Defense to be deployed in your data center, the cloud or as a SaaS offering, so you to choose the architecture that best fits your needs.

Bot Defense Enumeration Attack Prevention Benefits

Check Mark

Identify Enumeration Attacks In Real-Time

CQAI and Bot Defense automatically discover all your web and API-based endpoints saving you incident response time while minimizing harm to your users and business.

Check Mark

Enhance Security Effectiveness

Customizable automation indicators and responses enable you to fine tune and maximize attack pre-vention policies to eliminate fraud associated with enumeration attacks.

Check Mark

Tight Integration Into Your Security Ecosystem

With REST APIs and an open architecture, you can ensure information is shared between third party sites and other IT infrastructure like SIEMs and SOC systems.

Our Customers

Every day, Cequence Security analyzes and protects billions of application transactions for customers in the financial services, retail, and social media industries.

American Express
Narvar logo
houzz logo
MX logo
Zuliliy logo


Browse our library of datasheets, research reports, blogs, and archived webinars to learn more about our Application Security Platform.

Research Reports
Bulletproof Proxies: The Evolving Cybercriminal Infrastructure

This report maps attack patterns observed within the Cequence Security customer base to one of the leading Bulletproof Proxy providers.

View Report
Preventing Fraud Caused by Account Takeovers

Organizations are plagued by automated attacks such as account takeovers and fake account creation. Learn how these attacks work, how the attackers hide in plain sight, and innovative strategies for catching malicious bots.

View Now
Case Studies
Zoosk: Preventing ATOs and Romance Fraud

Discover how Zoosk eliminated romance fraud by preventing ATOs targeting the mobile APIs.

Read More

Bot Defense SaaS Free Trial

Start preventing enumeration attacks and other API business logic abuse now.

Bot Defense SaaS