Skip to content
Building REST API Microservices

Non-Enumerable Resource IDs

1. Introduction

Non-enumerable resource IDs are a security measure designed to prevent unauthorized access to data in REST APIs. When resource IDs are predictable or easily guessable, such as sequential integers (e.g., 1, 2, 3), attackers can exploit this by iterating through IDs to access data they are not authorized to see. This is known as ID enumeration or insecure direct object references (IDOR). To mitigate this risk, APIs should use non-enumerable, unpredictable IDs, such as UUIDs, GUIDs, or random alphanumeric strings. This chapter explores the importance of using non-enumerable resource IDs, common vulnerabilities associated with enumerable IDs, and best practices for implementing secure resource identifiers.

2. Understanding Non-enumerable Resource IDs

What are Non-enumerable Resource IDs?

Non-enumerable resource IDs are identifiers that are unique, unpredictable, and resistant to enumeration. Unlike sequential integers, non-enumerable IDs are difficult for attackers to guess or iterate over, thereby reducing the likelihood of unauthorized access to sensitive data.

Common Types of Non-enumerable IDs:

  1. UUIDs (Universally Unique Identifiers): A 128-bit identifier that is highly unique and difficult to guess. UUIDs are often used to ensure that resource identifiers are non-predictable.

    • Example: 123e4567-e89b-12d3-a456-426614174000

  2. GUIDs (Globally Unique Identifiers): Similar to UUIDs, GUIDs are unique and used to identify resources securely, especially in distributed systems.

    • Example: d70c90d2-4b7d-4a88-b5f0-d3c98b7c75d1

  3. Random Alphanumeric Strings: IDs generated from a combination of letters and numbers that are random and non-sequential, providing a simple but effective way to secure resource identifiers.

    • Example: Xa12Zb9cDf

  4. Hash-Based Identifiers: IDs generated using cryptographic hashes that make them virtually impossible to predict or iterate.

    • Example: 4f5d7c9a80b04f3a8b5a27a6e72b2830

3. Vulnerabilities Associated with enumerable Resource IDs

1. ID Enumeration (IDOR) Attack

  • Description: When APIs use predictable, sequential IDs (e.g., 1, 2, 3), attackers can guess and enumerate through IDs to access data they are not authorized to see. This is often referred to as an Insecure Direct Object Reference (IDOR).

  • Impact: Unauthorized access to sensitive information, such as personal data, orders, accounts, or any other resource accessible by an ID.

  • Example Scenario: An attacker modifies a URL from /api/orders/123 to /api/orders/124 to access another user’s order details, exploiting the sequential nature of IDs.

2. Data Leakage and Privacy Violations

  • Description: enumerable IDs expose internal data structures and sequences, revealing the number of records or entities in a system, which can be exploited to gain insights into the system’s operation or user behavior.

  • Impact: Exposure of system data, business insights, or unintended data disclosure, leading to privacy violations.

  • Example Scenario: An attacker infers the number of registered users by iterating through user IDs and detecting gaps or valid responses.

3. Increased Attack Surface

  • Description: Predictable IDs provide attackers with a clear target pattern, making it easier to automate attacks using scripts that cycle through possible IDs.

  • Impact: Increased risk of brute force attacks, data scraping, and automated enumeration.

  • Example Scenario: A bot systematically tries to access resources by incrementing IDs, leading to data breaches and unauthorized access.

4. Implementing Non-enumerable Resource IDs in REST APIs

1. Using UUIDs for Resource Identification

UUIDs provide a standard way to generate non-enumerable, unique identifiers for resources. Below is an example of using UUIDs in a Node.js API with the Fastify framework.

Example: Implementing UUIDs in Fastify

const fastify = require("fastify")({ logger: true });
const { v4: uuidv4 } = require("uuid"); // Import the UUID library


// Mock database of resources
const resources = {};


// Create a new resource with a UUID
fastify.post("/resources", async (request, reply) => {
  const id = uuidv4(); // Generate a UUID for the new resource
  resources[id] = request.body; // Save the resource with the UUID as the key
  return { id, message: "Resource created successfully" };
});


// Fetch a resource by its UUID
fastify.get("/resources/:id", async (request, reply) => {
  const { id } = request.params;
  if (!resources[id]) {
    return reply.code(404).send({ error: "Resource not found" });
  }
  return { id, data: resources[id] };
});


// Start the Fastify server
fastify.listen({ port: 3000 }, (err, address) => {
  if (err) {
    fastify.log.error(err);
    process.exit(1);
  }
  fastify.log.info(`Server running at ${address}`);
});

Key Points in the Example:

  • UUID Generation: The uuidv4() function generates a new UUID for each resource, ensuring that IDs are unique and non-predictable.
  • Non-Iterability: UUIDs are complex, random, and not based on a sequential pattern, making them difficult to guess or iterate through.
  • Secure Resource Access: The use of UUIDs prevents unauthorized access through ID enumeration, enhancing overall API security.

2. Using Random Alphanumeric Strings

Random alphanumeric strings are another effective method for generating secure, non-enumerable IDs. They provide a balance between readability and security.

Example: Generating Random Alphanumeric IDs

const crypto = require("crypto");


// Function to generate a random alphanumeric string
function generateRandomId(length = 12) {
  return crypto.randomBytes(length / 2).toString("hex"); // Convert random bytes to a hex string
}


// Mock database of users with random IDs
const users = {};


// Create a new user with a random ID
fastify.post("/users", async (request, reply) => {
  const id = generateRandomId(); // Generate a random alphanumeric ID
  users[id] = request.body; // Save the user with the random ID as the key
  return { id, message: "User created successfully" };
});


// Fetch a user by their random ID
fastify.get("/users/:id", async (request, reply) => {
  const { id } = request.params;
  if (!users[id]) {
    return reply.code(404).send({ error: "User not found" });
  }
  return { id, data: users[id] };
});

Key Points in the Example:

  • Random IDs: The generateRandomId() function creates a random string that is unique and non-sequential, preventing unauthorized access through predictable patterns.
  • Enhanced Security: Random alphanumeric IDs offer robust security without the complexity of UUIDs, making them suitable for APIs that need readable yet secure identifiers.

5. Best Practices for Non-enumerable Resource IDs

  1. Avoid Sequential or Predictable IDs

    • Never use sequential numbers, simple patterns, or easily guessable IDs for API resources. Predictable IDs make it easy for attackers to enumerate and access unauthorized data.

  2. Use Strong, Random, and Unique Identifiers

    • Utilize UUIDs, GUIDs, or cryptographically secure random strings for resource IDs. These identifiers are inherently resistant to enumeration and provide a high level of uniqueness.

  3. Implement Rate Limiting and Throttling

    • Apply rate limiting and throttling to API endpoints to mitigate the impact of enumeration attacks, even when non-enumerable IDs are used. Limit the number of requests a client can make within a given time frame.

  4. Verify Authorization for Every Request

    • Implement strict object-level authorization checks to ensure that even with secure IDs, access is granted only to authorized users. Do not rely solely on the obscurity of non-enumerable IDs for security.

  5. Use Error Responses Carefully

    • Avoid overly informative error messages that reveal whether an ID exists or not. Use generic error messages to prevent attackers from learning about the existence of specific resources.

  6. Monitor and Log Access Patterns

    • Log all access attempts, especially those that appear to iterate through IDs or exhibit unusual patterns. Use these logs to detect and respond to potential enumeration attacks.

  7. Educate Development Teams

    • Ensure that developers understand the risks associated with enumerable IDs and are trained in implementing secure, non-predictable identifiers in API design.

6. Conclusion

Using non-enumerable resource IDs is a fundamental security practice for protecting REST APIs against enumeration attacks and unauthorized access. By replacing predictable, sequential identifiers with UUIDs, random strings, or other non-enumerable formats, APIs can significantly enhance their security posture. Coupled with robust authorization checks, rate limiting, and monitoring, non-enumerable IDs help safeguard sensitive data and maintain the integrity of API resources.