Enumeration Attacks
Discover patterns of malicious enumeration in API traffic and take action by rate limiting, blocking, or sending a deceptive response.
Enumeration Attacks use automation to rapidly iterate through numeric or alphanumeric sequences that public-facing applications use as identifiers, with the end goal of discovering a legitimate web conferencing meeting, valid gift card numbers, or an in-transit shipment.
Automation allows a bad actor to launch enumeration attacks directly against the application APIs as shown in the Prying-Eye vulnerability where a bot cycles through (enumerates) and discovers valid numeric meeting IDs. If the common user practice of disabling security functionality is followed, then the bad actor would be able to view or listen to an active meeting.
Targeting the web conferencing application APIs directly, this attack (1) uses a bot to enumerate and discover the numeric or alphanumeric identifiers that (2) perform the attendee access control function. If the application is not protected by a password or other authentication mechanism, (3) the bad actor can surreptitiously gain access to the web meeting.
Enumeration Attacks are often used by bad actors to validate and use gift cards before the real owners are able to do so. Bad actors can easily determine the numeric sequence by viewing the cards on display in retail stores. Armed with the numeric pattern, a bot can be programmed to validate the card numbers. In some scenarios, a bank validation is required prior to use, and if it succeeds, the cards can then be used immediately to make valid purchases.
Bad actors are able to rapidly iterate through sequences to crack alphanumeric strings like gift card numbers. You need to respond just as fast to detect and mitigate the attack before they’re able to profit.
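The detection side of this, as an added example that is not part of the original page or of any Cequence product: each client's API requests are grouped, scored on how consecutive its distinct identifiers are and how often they miss (a guessing bot collects mostly not-found responses), and mapped to the allow / rate-limit / block actions described above. The log format, the `/api/meeting/<id>` path, the thresholds and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict
# Constructed sample API access log (not from the page): "epoch_seconds client_ip path status"
SAMPLE_LOG = """\
1000 203.0.113.7 /api/meeting/100001 404
1001 203.0.113.7 /api/meeting/100002 404
1001 203.0.113.7 /api/meeting/100003 404
1002 203.0.113.7 /api/meeting/100004 200
1002 203.0.113.7 /api/meeting/100005 404
1003 203.0.113.7 /api/meeting/100006 404
1000 198.51.100.9 /api/meeting/482019 200
"""
LINE_RE = re.compile(r"^(\d+) (\S+) /api/meeting/(\d+) (\d{3})$")

def parse(log_text):
    """Return (ts, ip, meeting_id, status) tuples for well-formed lines."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, mid, st = m.groups()
            out.append((int(ts), ip, int(mid), int(st)))
    return out

def enumeration_score(events):
    """0..1: fraction of a client's distinct IDs that are consecutive, blended 50/50 with its 404 ratio."""
    ids = sorted({e[2] for e in events})
    if len(ids) < 2:
        return 0.0
    seq_ratio = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1) / (len(ids) - 1)
    miss_ratio = sum(1 for e in events if e[3] == 404) / len(events)
    return round(0.5 * seq_ratio + 0.5 * miss_ratio, 2)

def choose_action(score, distinct_ids, min_ids=5):
    """Policy (assumed thresholds): too few IDs to judge -> allow; suspicious -> rate_limit; clear pattern -> block."""
    if distinct_ids < min_ids or score < 0.5:
        return "allow"
    return "block" if score >= 0.8 else "rate_limit"

def classify(log_text, min_ids=5):
    """Per-client verdicts keyed by client IP: score, distinct ID count and chosen action."""
    by_ip = defaultdict(list)
    for ev in parse(log_text):
        by_ip[ev[1]].append(ev)
    verdicts = {}
    for ip, evs in by_ip.items():
        score, distinct = enumeration_score(evs), len({e[2] for e in evs})
        verdicts[ip] = {"score": score, "distinct_ids": distinct,
                        "action": choose_action(score, distinct, min_ids)}
    return verdicts
```

A deceptive response (for example, answering a blocked client with a decoy "valid" payload) plugs into the same decision point as the block action; the thresholds here are illustrative and would be tuned per application.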
CQAI and Bot Defense automatically discover your API and web-based applications to build an intuitive site map for visibility and policy-based protection. JavaScript and mobile SDK-based solutions rely on device-only telemetry, which slows application development, solution deployment and page load times.
Using more than 150 customizable automation indicators, CQAI determines the malicious or benign intent of each application request. The REST API can be used to export CQAI findings to external systems for archiving, additional analysis or an alternative response.
Customizable mitigation policies provide multiple response options including block, rate limit, geo fence, or deception. Using deception allows you to send a custom response to the attacker, effectively putting guardrails around their activities.
As new public-facing applications that use numeric identifiers are deployed, they are automatically discovered and protected from enumeration attacks by Bot Defense, effectively baking security into your application deployment workflow.
An agentless approach allows you to deploy consistent visibility and policy protection from enumeration attacks for your API and web-based applications.
A container-based software architecture allows Bot Defense to be deployed in your data center, in the cloud or as a SaaS offering, so you can choose the architecture that best fits your needs.
CQAI and Bot Defense automatically discover all your web and API-based endpoints, saving you incident response time while minimizing harm to your users and business.
Customizable automation indicators and responses enable you to fine-tune and maximize attack prevention policies to eliminate fraud associated with enumeration attacks.
With REST APIs and an open architecture, you can ensure information is shared between third-party sites and other IT infrastructure like SIEMs and SOC systems.
Every day, Cequence Security analyzes and protects billions of application transactions for customers in the financial services, retail, and social media industries.