- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
The API allows authenticated users to access sensitive data by exploiting the use of predictable identifiers. Attackers can leverage this by guessing valid identifiers and then exfiltrating sensitive data after they gain access to a valid user account.
Sensitive data is information that, if inadvertently disclosed, could have significant consequences for the data subject. Sensitive data can encompass a wide range of information, including:
Predictable identifiers pose a security vulnerability in web attacks because they allow attackers to guess or manipulate these identifiers to gain unauthorized access to or control over a resource. For example, if an endpoint is designed to answer to:
GET api/v1/user?id=1
GET api/v1/user?id=2
GET api/v1/user?id=3
An attacker can infer that user IDs are sequential, and can be brute-forced.
This finding works by identifying an API that:
JAVA example:
import java.util.UUID;
public class User {
private String userId;
public User() {
this.userId = UUID.randomUUID().toString();
}
}
Reference | Description |
---|---|
OWASP - Authorization Cheat Sheet | Authorization Cheat Sheet: guidance on the best practices to implement access controls. |