Information Leakage / Enumeration of Objects

Web and API

Description

Enumeration of objects is an information leakage vulnerability (CWE-200) in which an attacker obtains sensitive information by listing the names or identifiers of objects or files. The attack exploits the way a web or API application lists and organizes its objects or files. Through it, the attacker learns about the application and its environment, and may reach confidential information stored in the application (OWASP Testing Guide).

Risk

This type of attack can be used to gain access to sensitive user information or authentication data, which can then be used to gain access to the system and its resources. This can lead to a serious security breach and data loss. Additionally, the attacker may be able to gain access to system resources, such as the database, which can further increase the severity of the attack (OWASP Testing Guide).

Solution

Enumeration of objects can be prevented by limiting the number of objects or files that can be listed in a single query, and by implementing access control that restricts which objects or files a given user is allowed to list (OWASP Testing Guide). Additionally, any sensitive information stored in the application should be properly encrypted, with the encryption keys securely stored and regularly rotated.
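As an added example that is not part of the original page, the following Python shows a listing handler that applies both mitigations from the Solution section: results are scoped to the authenticated requester, the page size is clamped server-side, and a non-owned object is answered exactly like a missing one so the response does not confirm which identifiers exist. The in-memory store, `MAX_PAGE_SIZE` and all object names are constructed assumptions for illustration.

```python
# Added example: object listing with access control and a server-side page cap.
# The store below is constructed sample data, not from any real application.
from dataclasses import dataclass
from typing import Optional

MAX_PAGE_SIZE = 50  # assumed per-query limit; tune for the application


@dataclass(frozen=True)
class StoredObject:
    object_id: int
    owner: str
    name: str


# Constructed sample store: two users, each with private objects.
STORE = [
    StoredObject(1, "alice", "tax-return-2023.pdf"),
    StoredObject(2, "alice", "passport-scan.png"),
    StoredObject(3, "bob", "salary.xlsx"),
    StoredObject(4, "bob", "medical-report.pdf"),
]


def list_objects_vulnerable(page_size: int) -> list:
    """Weak pattern: no ownership check and the caller picks the page size,
    so any authenticated user can walk the entire store."""
    return [o.name for o in STORE[:page_size]]


def list_objects(requester: str, page_size: int, cursor: int = 0) -> dict:
    """Hardened: only the requester's own objects are visible, the page size
    is clamped to MAX_PAGE_SIZE, and an opaque cursor replaces raw offsets."""
    if not requester:
        raise PermissionError("authentication required")
    size = max(1, min(page_size, MAX_PAGE_SIZE))
    owned = [o for o in STORE if o.owner == requester and o.object_id > cursor]
    page = owned[:size]
    next_cursor = page[-1].object_id if len(owned) > size else None
    return {"items": [o.name for o in page], "next_cursor": next_cursor}


def get_object(requester: str, object_id: int) -> Optional[StoredObject]:
    """Hardened lookup: an object that exists but belongs to someone else is
    reported the same way as one that does not exist (None), so the reply
    does not reveal which ids are in use."""
    for o in STORE:
        if o.object_id == object_id and o.owner == requester:
            return o
    return None
```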
