One of my "favorites" is ID scanning. It's so simple... When I was a teen we wanted to call the 1-900 numbers (they were 056 in my area). So we found out that each of those numbers had a regular "technical support" number that was free.
We started calling phone numbers in the area, e.g. if the support number was 03-555-5555 we'd try 03-555-5554 and onwards, and in the other direction 03-555-5556 and on...
The phone company would issue numbers in bulk and they would usually be in sequence. So we were able to dial in without charge (and find out it was super lame).
ID scanning is the same thing. You have user ID 99876. Then you try the same API call or web request with 99877 etc. This surprisingly works really well and was used to hack many companies in the past.
The solution is simple: don't use numeric IDs. Use a UUID, or even a hash if you're super paranoid.
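An added illustration (not code from the original post) of the lookup pattern described above next to a hardened version: records are keyed by a random UUID as the post suggests, and the hardened handler goes one step further than the post by also checking that the record belongs to the authenticated caller, since an unguessable ID alone does not stop a leaked one from being reused. The profile data, the `owner`/`public_id` fields and the `client id` log format are all constructed for this example.

```python
import uuid
from dataclasses import dataclass, field


@dataclass
class Profile:
    numeric_id: int
    owner: str
    email: str
    # Random, non-sequential identifier; cannot be found by incrementing.
    public_id: str = field(default_factory=lambda: str(uuid.uuid4()))


# Constructed sample data: sequential numeric ids, as in the post.
PROFILES = [
    Profile(99876, "alice", "alice@example.com"),
    Profile(99877, "bob", "bob@example.com"),
    Profile(99878, "carol", "carol@example.com"),
]
BY_NUMERIC = {p.numeric_id: p for p in PROFILES}
BY_UUID = {p.public_id: p for p in PROFILES}


def get_profile_numeric(target_id: int):
    """The pattern the post warns about: the handler hands back whatever
    record matches the id, so 99876 -> 99877 yields someone else's data."""
    return BY_NUMERIC.get(target_id)


def get_profile_hardened(caller: str, public_id: str):
    """Look up by UUID and (beyond the post's advice) refuse any record
    that does not belong to the authenticated caller."""
    profile = BY_UUID.get(public_id)
    if profile is None or profile.owner != caller:
        return None
    return profile


def count_sequential_probes(log_lines, min_run=3):
    """Defender-side check over constructed 'client id' log lines: flag
    clients whose requests walk consecutive ids, the signature of scanning."""
    seen = {}
    for line in log_lines:
        client, _, ident = line.partition(" ")
        seen.setdefault(client, []).append(int(ident))
    flagged = []
    for client, ids in seen.items():
        steps = sum(1 for a, b in zip(ids, ids[1:]) if b == a + 1)
        if steps >= min_run - 1:
            flagged.append(client)
    return flagged
```

The detector is deliberately naive (exact +1 steps only); in practice it would be one signal among rate limits and the ownership check, not a replacement for them.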