To avoid referencing data by sequential numbers, as in the IDOR example where document IDs ranged from 1000 to 1002, applications should not use “Magic Numbers” that point directly at resources and can be easily enumerated by attackers. For instance, an attacker could iterate through document IDs from 0 to 10000 and gain unauthorized access to data.
Proper authorization remains essential, but using GUIDs (Globally Unique Identifiers) or UUIDs (Universally Unique Identifiers) also helps. These identifiers are globally unique and, because they are generated with randomness, are difficult to enumerate.
Here’s an example of a GUID:
Note: Analyzing the mathematics behind guessing the GUID above shows that it is impractical to enumerate. Enumeration means systematically trying every possible value, and the size of the GUID/UUID space makes that approach ineffective.
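To make the contrast concrete, here is an added example (not code from the article above) in Python. It models the insecure sequential-ID lookup described in the IDOR example, re-keys the same records with random version 4 UUIDs, and keeps an ownership check in the hardened lookup, because a random identifier only hides records from range sweeps; it does not replace authorization. The document store, user names and ID range are constructed for the example, and the helper names (`sweep_id_range`, `get_document`, `expected_guesses_to_hit_one`) are assumptions of this example rather than any framework's API.

```python
"""Added example: sequential IDs vs UUIDv4 keys, plus the ownership check
that must stay in place either way. All data below is constructed."""
import uuid

# Constructed sample data mirroring the article's IDOR example:
# three documents with sequential IDs 1000..1002 owned by two users.
SEQUENTIAL_STORE = {
    1000: {"owner": "alice", "body": "alice's first report"},
    1001: {"owner": "bob", "body": "bob's tax form"},
    1002: {"owner": "alice", "body": "alice's second report"},
}

# A version 4 UUID has 128 bits, of which 4 (version) and 2 (variant) are fixed,
# leaving 122 bits drawn from the OS CSPRNG.
UUID4_RANDOM_BITS = 122


def new_document_id() -> str:
    """Return a fresh random (version 4) UUID string to use as a document key."""
    return str(uuid.uuid4())


def is_uuid4(value: str) -> bool:
    """True if value parses as a UUID and is version 4 (random)."""
    try:
        return uuid.UUID(value).version == 4
    except ValueError:
        return False


def build_uuid_store(seq_store: dict) -> dict:
    """Re-key the sequential store with UUIDv4 identifiers (hypothetical migration)."""
    return {new_document_id(): doc for doc in seq_store.values()}


def get_document_insecure(store: dict, doc_id):
    """The IDOR pattern: whoever supplies an existing ID gets the record back."""
    return store.get(doc_id)


def get_document(store: dict, doc_id, requester: str):
    """Hardened lookup: the ID only locates the record; ownership decides access.
    'Missing' and 'forbidden' return the same value so the endpoint does not
    act as an existence oracle for valid IDs."""
    doc = store.get(doc_id)
    if doc is None or doc["owner"] != requester:
        return None
    return doc


def sweep_id_range(store: dict, low: int, high: int, requester: str) -> list:
    """Defender's test of the insecure lookup: try every integer ID in [low, high]
    and report the IDs that returned a record the requester does not own.
    Against a UUID-keyed store the integers never match a key, so nothing leaks."""
    leaked = []
    for candidate in range(low, high + 1):
        doc = get_document_insecure(store, candidate)
        if doc is not None and doc["owner"] != requester:
            leaked.append(candidate)
    return leaked


def expected_guesses_to_hit_one(num_valid_ids: int, bits: int = UUID4_RANDOM_BITS) -> float:
    """Expected number of uniformly random guesses before hitting ANY valid key:
    with K valid keys in a space of 2**bits, each guess succeeds with
    probability K / 2**bits, so the mean number of guesses is 2**bits / K."""
    return 2 ** bits / num_valid_ids


if __name__ == "__main__":
    # Sequential IDs: a sweep of 0..10000 by 'bob' recovers alice's two documents.
    print("leaked via sweep:", sweep_id_range(SEQUENTIAL_STORE, 0, 10000, "bob"))

    uuid_store = build_uuid_store(SEQUENTIAL_STORE)
    print("leaked via sweep (uuid store):", sweep_id_range(uuid_store, 0, 10000, "bob"))
    print("expected guesses to hit one of 3 valid UUIDs: %.3g" % expected_guesses_to_hit_one(3))

    # A UUID that leaks (log line, shared link) still needs the ownership check.
    alice_id = next(k for k, d in uuid_store.items() if d["owner"] == "alice")
    print("insecure lookup with known UUID:", get_document_insecure(uuid_store, alice_id) is not None)
    print("hardened lookup, wrong user:", get_document(uuid_store, alice_id, "bob"))
```

The sweep shows the article's point directly: against sequential IDs, an integer range walk returns other users' records, while against the UUID-keyed store the same walk finds nothing and a random guess needs on the order of 2^122 / 3 attempts to land on any valid key. The last two lines show the caveat: a known UUID still opens the record through the insecure lookup, so the ownership check in `get_document` is what actually enforces access.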