api security

Detecting API Enumeration Attacks

Detect and prevent API enumeration attacks including BOLA and IDOR exploitation by monitoring sequential identifier access patterns and authorization failures.

access-controlapi-securitybolabroken-object-level-authorizationenumerationidorowasp-api-top-10rate-limiting
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

Overview

API enumeration attacks occur when attackers systematically probe API endpoints with sequential or predictable identifiers to discover and access unauthorized resources. Broken Object Level Authorization (BOLA), ranked as API1:2023 in the OWASP API Security Top 10, is the most critical API vulnerability. Attackers manipulate object identifiers (user IDs, order numbers, account references) in API requests to bypass authorization and access other users' data. Detection requires monitoring for patterns of rapid sequential access attempts, authorization failures, and abnormal API usage behavior.

When to Use

  • When investigating security incidents that require detecting api enumeration attacks
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • API gateway or reverse proxy with logging enabled (Kong, AWS API Gateway, Apigee)
  • SIEM platform (Splunk, Elastic SIEM, or Microsoft Sentinel)
  • Access to API server logs with request details
  • Web Application Firewall (WAF) with API protection capabilities
  • Understanding of the API's authorization model and object identifier schemes

Attack Patterns to Detect

1. Sequential ID Enumeration

Attackers iterate through numeric or predictable identifiers:

GET /api/v1/users/1001 -> 200 OK
GET /api/v1/users/1002 -> 200 OK
GET /api/v1/users/1003 -> 403 Forbidden
GET /api/v1/users/1004 -> 200 OK
GET /api/v1/users/1005 -> 200 OK
...

Detection Indicators:

  • Rapid sequential requests to the same endpoint with incrementing IDs
  • Mix of 200/403/401 responses from same source
  • Request rate exceeding normal user behavior
  • Access to resources outside authenticated user's scope

2. UUID/GUID Enumeration

Even non-sequential identifiers can be enumerated if leaked through other endpoints:

# Attacker first harvests UUIDs from a list endpoint
GET /api/v1/posts?page=1  -> Returns post objects with author UUIDs
 
# Then uses those UUIDs to access restricted user data
GET /api/v1/users/a3f2c1e4-... -> Private user profile
GET /api/v1/users/b7d9e8f1-... -> Private user profile

3. Parameter Tampering Enumeration

# Authenticated as user_id=100, attempting to access other users' orders
GET /api/v1/orders?user_id=101
GET /api/v1/orders?user_id=102
GET /api/v1/orders?user_id=103

Detection Rules

Splunk Detection Queries

# Detect sequential ID enumeration on API endpoints
index=api_logs sourcetype=api_access
| rex field=uri_path "(?<endpoint>/api/v\d+/\w+/)(?<object_id>\d+)"
| stats count as request_count,
        dc(object_id) as unique_ids,
        values(status_code) as status_codes,
        min(_time) as first_seen,
        max(_time) as last_seen
  by src_ip, endpoint, user_session
| eval time_span = last_seen - first_seen
| eval requests_per_second = request_count / max(time_span, 1)
| where unique_ids > 20 AND requests_per_second > 2
| eval severity = case(
    unique_ids > 100, "critical",
    unique_ids > 50, "high",
    unique_ids > 20, "medium",
    1==1, "low"
  )
| sort - unique_ids
| table src_ip, endpoint, unique_ids, request_count, requests_per_second,
        status_codes, severity
 
# Detect BOLA via authorization failure patterns
index=api_logs sourcetype=api_access status_code IN (401, 403)
| bin _time span=5m
| stats count as failure_count,
        dc(uri_path) as unique_paths,
        values(uri_path) as attempted_paths
  by _time, src_ip, user_id
| where failure_count > 10
| eval attack_type = if(unique_paths > 5, "enumeration", "brute_force")

Elastic SIEM Detection Rules

{
  "rule": {
    "name": "API Object Enumeration Detection",
    "description": "Detects rapid sequential access to API objects with mixed authorization results",
    "type": "threshold",
    "index": ["api-access-*"],
    "query": {
      "bool": {
        "must": [
          { "regexp": { "url.path": "/api/v[0-9]+/[a-z]+/[0-9]+" } }
        ],
        "should": [
          { "term": { "http.response.status_code": 200 } },
          { "term": { "http.response.status_code": 403 } },
          { "term": { "http.response.status_code": 401 } }
        ]
      }
    },
    "threshold": {
      "field": ["source.ip"],
      "value": 50,
      "cardinality": [
        { "field": "url.path", "value": 20 }
      ]
    },
    "schedule": { "interval": "5m" },
    "severity": "high",
    "risk_score": 73,
    "tags": ["OWASP-API1", "BOLA", "Enumeration"]
  }
}

Custom Detection Script

#!/usr/bin/env python3
"""API Enumeration Attack Detector
 
Analyzes API access logs to detect enumeration patterns
including BOLA, IDOR, and sequential ID probing.
"""
 
import re
import sys
import json
from collections import defaultdict
from datetime import datetime, timedelta
from dataclasses import dataclass, field
from typing import List, Dict, Optional
 
@dataclass
class AccessRecord:
    timestamp: datetime
    source_ip: str
    user_id: Optional[str]
    method: str
    path: str
    status_code: int
    object_id: Optional[str] = None
 
@dataclass
class EnumerationAlert:
    source_ip: str
    user_id: Optional[str]
    endpoint_pattern: str
    unique_object_ids: int
    total_requests: int
    time_window_seconds: float
    requests_per_second: float
    auth_failure_ratio: float
    severity: str
    attack_type: str
    sample_ids: List[str] = field(default_factory=list)
 
class EnumerationDetector:
    # Regex patterns for extracting object IDs from API paths
    ID_PATTERNS = [
        re.compile(r'/api/v\d+/(\w+)/(\d+)'),           # Numeric IDs
        re.compile(r'/api/v\d+/(\w+)/([a-f0-9\-]{36})'), # UUIDs
        re.compile(r'/api/v\d+/(\w+)/([a-zA-Z0-9]{20,})'), # Long alphanumeric IDs
    ]
 
    def __init__(self, time_window_minutes: int = 5,
                 min_unique_ids: int = 15,
                 max_requests_per_second: float = 5.0):
        self.time_window = timedelta(minutes=time_window_minutes)
        self.min_unique_ids = min_unique_ids
        self.max_rps = max_requests_per_second
        self.access_log: List[AccessRecord] = []
 
    def parse_log_line(self, line: str) -> Optional[AccessRecord]:
        """Parse a common log format line into an AccessRecord."""
        log_pattern = re.compile(
            r'(?P<ip>[\d.]+)\s+\S+\s+(?P<user>\S+)\s+'
            r'\[(?P<time>[^\]]+)\]\s+'
            r'"(?P<method>\w+)\s+(?P<path>\S+)\s+\S+"\s+'
            r'(?P<status>\d+)'
        )
        match = log_pattern.match(line)
        if not match:
            return None
 
        path = match.group('path')
        object_id = None
        for pattern in self.ID_PATTERNS:
            id_match = pattern.search(path)
            if id_match:
                object_id = id_match.group(2)
                break
 
        return AccessRecord(
            timestamp=datetime.strptime(match.group('time'), '%d/%b/%Y:%H:%M:%S %z'),
            source_ip=match.group('ip'),
            user_id=match.group('user') if match.group('user') != '-' else None,
            method=match.group('method'),
            path=path,
            status_code=int(match.group('status')),
            object_id=object_id
        )
 
    def analyze(self, records: List[AccessRecord]) -> List[EnumerationAlert]:
        """Analyze access records for enumeration patterns."""
        alerts = []
 
        # Group by source IP and endpoint pattern
        grouped = defaultdict(list)
        for record in records:
            if record.object_id:
                # Normalize endpoint by removing the specific object ID
                endpoint = re.sub(r'/[a-f0-9\-]{36}', '/{id}',
                         re.sub(r'/\d+', '/{id}', record.path))
                key = (record.source_ip, record.user_id, endpoint)
                grouped[key].append(record)
 
        for (src_ip, user_id, endpoint), records_group in grouped.items():
            if len(records_group) < self.min_unique_ids:
                continue
 
            # Sort by timestamp
            records_group.sort(key=lambda r: r.timestamp)
 
            # Analyze time windows
            window_start = 0
            for window_start in range(len(records_group)):
                window_records = []
                for r in records_group[window_start:]:
                    if r.timestamp - records_group[window_start].timestamp <= self.time_window:
                        window_records.append(r)
 
                unique_ids = set(r.object_id for r in window_records)
                if len(unique_ids) < self.min_unique_ids:
                    continue
 
                time_span = (window_records[-1].timestamp -
                           window_records[0].timestamp).total_seconds()
                rps = len(window_records) / max(time_span, 1)
 
                auth_failures = sum(1 for r in window_records
                                   if r.status_code in (401, 403))
                failure_ratio = auth_failures / len(window_records)
 
                # Determine severity
                if len(unique_ids) > 100:
                    severity = "critical"
                elif len(unique_ids) > 50 or failure_ratio > 0.5:
                    severity = "high"
                elif len(unique_ids) > 20:
                    severity = "medium"
                else:
                    severity = "low"
 
                # Determine attack type
                ids_list = sorted([r.object_id for r in window_records
                                  if r.object_id and r.object_id.isdigit()])
                is_sequential = self._check_sequential(ids_list)
                attack_type = "sequential_enumeration" if is_sequential else "random_enumeration"
 
                alert = EnumerationAlert(
                    source_ip=src_ip,
                    user_id=user_id,
                    endpoint_pattern=endpoint,
                    unique_object_ids=len(unique_ids),
                    total_requests=len(window_records),
                    time_window_seconds=time_span,
                    requests_per_second=round(rps, 2),
                    auth_failure_ratio=round(failure_ratio, 2),
                    severity=severity,
                    attack_type=attack_type,
                    sample_ids=list(unique_ids)[:10]
                )
                alerts.append(alert)
                break  # One alert per group
 
        return alerts
 
    def _check_sequential(self, ids: List[str]) -> bool:
        """Check if numeric IDs follow a sequential pattern."""
        if len(ids) < 5:
            return False
        try:
            numeric_ids = sorted(int(i) for i in ids)
            sequential_count = sum(
                1 for i in range(1, len(numeric_ids))
                if numeric_ids[i] - numeric_ids[i-1] <= 2
            )
            return sequential_count / len(numeric_ids) > 0.7
        except ValueError:
            return False
 
 
def main():
    detector = EnumerationDetector(
        time_window_minutes=5,
        min_unique_ids=15
    )
 
    log_file = sys.argv[1] if len(sys.argv) > 1 else "/var/log/api/access.log"
    records = []
    with open(log_file, 'r') as f:
        for line in f:
            record = detector.parse_log_line(line.strip())
            if record:
                records.append(record)
 
    alerts = detector.analyze(records)
 
    if alerts:
        print(f"\n[!] {len(alerts)} enumeration attack(s) detected:\n")
        for alert in alerts:
            print(f"  Source IP: {alert.source_ip}")
            print(f"  User ID: {alert.user_id}")
            print(f"  Endpoint: {alert.endpoint_pattern}")
            print(f"  Unique IDs Accessed: {alert.unique_object_ids}")
            print(f"  Requests/sec: {alert.requests_per_second}")
            print(f"  Auth Failure Ratio: {alert.auth_failure_ratio}")
            print(f"  Attack Type: {alert.attack_type}")
            print(f"  Severity: {alert.severity.upper()}")
            print(f"  Sample IDs: {alert.sample_ids}")
            print()
    else:
        print("[+] No enumeration attacks detected.")
 
 
if __name__ == "__main__":
    main()

Prevention Controls

Server-Side Authorization Enforcement

# Always validate object ownership at the data layer
def get_user_order(request, order_id):
    order = Order.objects.get(id=order_id)
    if order.user_id != request.user.id:
        raise PermissionDenied("Not authorized to access this order")
    return order

Use Unpredictable Identifiers

import uuid
 
# Use UUIDs instead of sequential integers
class Order(Model):
    id = UUIDField(default=uuid.uuid4, primary_key=True)

Implement Rate Limiting Per Endpoint

# Kong rate limiting per API route
plugins:
  - name: rate-limiting
    config:
      minute: 30
      policy: redis
      limit_by: credential

References

Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md1.9 KB

API Enumeration Attack Detection — API Reference

Libraries

Library Install Purpose
requests pip install requests WAF and SIEM API queries

Detection Techniques

Technique Indicator Severity
Sequential ID enumeration /api/users/1, /api/users/2, ... HIGH
Endpoint fuzzing High 404 rate on /api/* paths HIGH
Rate abuse >50 API requests/minute from single IP MEDIUM
Path discovery Requests to /swagger, /api-docs, /graphql HIGH
BOLA/IDOR probing Access to other users' resource IDs CRITICAL

NGINX Combined Log Format

$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"

Common Enumeration Paths

Pattern Description
/api/v1/users/{id} User ID enumeration
/api/v1/accounts/{uuid} Account UUID guessing
/graphql?query={__schema} GraphQL introspection
/swagger/v1/swagger.json API documentation discovery
/api-docs, /.well-known Endpoint discovery

WAF Rule Categories

Category Description
rate-limit Request rate exceeds threshold
api-abuse Automated API enumeration
bola Broken Object Level Authorization
scanner Known scanner/fuzzer user-agent

OWASP API Security Top 10

ID Risk
API1 Broken Object Level Authorization
API2 Broken Authentication
API3 Broken Object Property Level Auth
API4 Unrestricted Resource Consumption
API5 Broken Function Level Authorization

External References

Scripts 1

agent.py6.6 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""API enumeration attack detection agent."""

import json
import sys
import argparse
import re
from datetime import datetime
from collections import defaultdict

try:
    import requests
except ImportError:
    print("Install: pip install requests")
    sys.exit(1)


ENUMERATION_PATTERNS = [
    re.compile(r"/api/v\d+/users/\d+", re.IGNORECASE),
    re.compile(r"/api/v\d+/accounts/[a-f0-9-]+", re.IGNORECASE),
    re.compile(r"/api/v\d+/orders/\d+", re.IGNORECASE),
    re.compile(r"/graphql.*introspection", re.IGNORECASE),
    re.compile(r"/(admin|internal|debug|swagger|api-docs)", re.IGNORECASE),
]

SEQUENTIAL_THRESHOLD = 10
RATE_THRESHOLD = 50


def parse_access_log(log_path):
    """Parse NGINX/Apache combined log format for API requests."""
    log_pattern = re.compile(
        r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d+) \d+'
    )
    entries = []
    with open(log_path, "r") as f:
        for line in f:
            m = log_pattern.match(line)
            if m:
                entries.append({
                    "ip": m.group(1),
                    "timestamp": m.group(2),
                    "method": m.group(3),
                    "path": m.group(4),
                    "status": int(m.group(5)),
                })
    return entries


def detect_sequential_ids(entries):
    """Detect sequential ID enumeration in API paths."""
    id_pattern = re.compile(r"/(\d+)(?:/|$|\?)")
    ip_sequences = defaultdict(list)
    for entry in entries:
        m = id_pattern.search(entry["path"])
        if m:
            ip_sequences[entry["ip"]].append(int(m.group(1)))

    findings = []
    for ip, ids in ip_sequences.items():
        if len(ids) < SEQUENTIAL_THRESHOLD:
            continue
        sorted_ids = sorted(ids)
        sequential_count = sum(1 for i in range(1, len(sorted_ids))
                               if sorted_ids[i] - sorted_ids[i-1] == 1)
        if sequential_count >= SEQUENTIAL_THRESHOLD:
            findings.append({
                "ip": ip,
                "issue": f"Sequential ID enumeration detected ({sequential_count} sequential IDs)",
                "severity": "HIGH",
                "sample_ids": sorted_ids[:20],
                "total_requests": len(ids),
            })
    return findings


def detect_rate_anomalies(entries, window_seconds=60):
    """Detect abnormal request rates per IP to API endpoints."""
    ip_counts = defaultdict(int)
    ip_404s = defaultdict(int)
    ip_401s = defaultdict(int)
    for entry in entries:
        if "/api/" in entry["path"]:
            ip_counts[entry["ip"]] += 1
            if entry["status"] == 404:
                ip_404s[entry["ip"]] += 1
            elif entry["status"] == 401:
                ip_401s[entry["ip"]] += 1

    findings = []
    for ip, count in ip_counts.items():
        if count > RATE_THRESHOLD:
            findings.append({
                "ip": ip,
                "issue": f"High API request rate ({count} requests)",
                "severity": "MEDIUM",
                "total_requests": count,
                "404_count": ip_404s.get(ip, 0),
                "401_count": ip_401s.get(ip, 0),
            })
        if ip_404s.get(ip, 0) > 20:
            findings.append({
                "ip": ip,
                "issue": f"Excessive 404s on API ({ip_404s[ip]} not-found responses)",
                "severity": "HIGH",
                "detail": "Possible endpoint discovery/fuzzing",
            })
    return findings


def detect_path_enumeration(entries):
    """Detect API path/endpoint enumeration patterns."""
    ip_paths = defaultdict(set)
    for entry in entries:
        ip_paths[entry["ip"]].add(entry["path"].split("?")[0])

    findings = []
    for ip, paths in ip_paths.items():
        for pattern in ENUMERATION_PATTERNS:
            matched = [p for p in paths if pattern.search(p)]
            if len(matched) > 5:
                findings.append({
                    "ip": ip,
                    "issue": f"Path enumeration pattern: {pattern.pattern}",
                    "severity": "HIGH",
                    "matched_paths": len(matched),
                    "samples": list(matched)[:5],
                })
    return findings


def query_waf_logs(waf_url, api_key, hours=24):
    """Query WAF API for blocked enumeration attempts."""
    headers = {"Authorization": f"Bearer {api_key}"}
    try:
        resp = requests.get(f"{waf_url}/api/v1/events",
                            params={"hours": hours, "rule_category": "api-abuse"},
                            headers=headers, timeout=15)
        resp.raise_for_status()
        return resp.json().get("events", [])
    except Exception as e:
        return [{"error": str(e)}]


def run_audit(args):
    """Execute API enumeration detection audit."""
    print(f"\n{'='*60}")
    print(f"  API ENUMERATION ATTACK DETECTION")
    print(f"  Generated: {datetime.utcnow().isoformat()} UTC")
    print(f"{'='*60}\n")

    report = {}

    if args.log_file:
        entries = parse_access_log(args.log_file)
        report["total_log_entries"] = len(entries)
        print(f"Parsed {len(entries)} log entries from {args.log_file}\n")

        seq_findings = detect_sequential_ids(entries)
        report["sequential_id_findings"] = seq_findings
        print(f"--- SEQUENTIAL ID ENUMERATION ({len(seq_findings)} findings) ---")
        for f in seq_findings[:10]:
            print(f"  [{f['severity']}] {f['ip']}: {f['issue']}")

        rate_findings = detect_rate_anomalies(entries)
        report["rate_findings"] = rate_findings
        print(f"\n--- RATE ANOMALIES ({len(rate_findings)} findings) ---")
        for f in rate_findings[:10]:
            print(f"  [{f['severity']}] {f['ip']}: {f['issue']}")

        path_findings = detect_path_enumeration(entries)
        report["path_findings"] = path_findings
        print(f"\n--- PATH ENUMERATION ({len(path_findings)} findings) ---")
        for f in path_findings[:10]:
            print(f"  [{f['severity']}] {f['ip']}: {f['issue']}")

    return report


def main():
    parser = argparse.ArgumentParser(description="API Enumeration Detection Agent")
    parser.add_argument("--log-file", help="Access log file to analyze")
    parser.add_argument("--waf-url", help="WAF API URL for event queries")
    parser.add_argument("--waf-key", help="WAF API key")
    parser.add_argument("--output", help="Save report to JSON file")
    args = parser.parse_args()

    report = run_audit(args)
    if args.output:
        with open(args.output, "w") as f:
            json.dump(report, f, indent=2, default=str)
        print(f"\n[+] Report saved to {args.output}")


if __name__ == "__main__":
    main()
Keep exploring