Direct object references in web services

Web services, especially REST services, often reference database elements using their identifiers in the URL. If these identifiers are sequential and authorization checks are not properly done, it may be possible to enumerate all of the elements just by increasing or decreasing the identifier.

For example, let's say that we log in to a banking application and then call the API to request our personal profile. The request looks something like the following:

https://bankingexample.com/client/234752879

The information is returned in JSON format, which the client-side code then formats and displays in the browser:

{
  "id": "234752879",
  "client_name": "John",
  "client_surname": "Doe",
  "accounts": [{"acc_number":"123456789","balance":1000},
    {"acc_number":"123456780","balance":10000}]
}

If we increment the client ID in the request and the server does not check authorization properly, we may get the information of another client of the bank. This is a major issue in an application that handles such sensitive data. Web services should only allow access after proper authentication and must always perform authorization checks on the server side, verifying that the authenticated user owns, or is otherwise permitted to access, the specific object referenced in the request; a client-side check or a hard-to-guess identifier is not a substitute for this. Otherwise, there is a risk of someone accessing sensitive data through a direct object reference. Insecure direct object references (IDOR) are a major cause of concern in web services, and they should be at the top of your to-do list when penetration testing a RESTful web service.
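The following is an added example, not code from the book: an in-memory model of the banking endpoint above, showing a handler that authenticates but never authorizes next to one that checks ownership on the server side, together with the sequential-ID walk a tester runs to detect the difference. The client records, the Session class and the handler names are constructed for the illustration; in a real engagement the same loop issues HTTP requests to /client/<id> with the tester's own session cookie.

```python
# Added example (not the page's own code): IDOR in a REST-style client lookup.
from dataclasses import dataclass

# Constructed sample data keyed by the numeric ID that appears in the URL path.
CLIENTS = {
    234752879: {"id": "234752879", "client_name": "John", "client_surname": "Doe",
                "accounts": [{"acc_number": "123456789", "balance": 1000},
                             {"acc_number": "123456780", "balance": 10000}]},
    234752880: {"id": "234752880", "client_name": "Jane", "client_surname": "Roe",
                "accounts": [{"acc_number": "987654321", "balance": 250}]},
}


@dataclass
class Session:
    """Assumed session model: an authenticated session knows which client it belongs to."""
    client_id: int


def client_id_from_path(path):
    """Extract the object identifier from a path such as /client/234752879.
    Returns None when the path does not carry a numeric ID."""
    parts = path.rstrip("/").split("/")
    if len(parts) < 2 or parts[-2] != "client" or not parts[-1].isdigit():
        return None
    return int(parts[-1])


def get_client_vulnerable(session, client_id):
    """Authentication is enforced, authorization is not: any logged-in client
    can read any other client's profile just by changing the ID."""
    if session is None:
        return 401, None
    record = CLIENTS.get(client_id)
    if record is None:
        return 404, None
    return 200, record


def get_client_fixed(session, client_id):
    """Server-side authorization: the referenced object must belong to the caller.
    The unauthorized case answers 404 rather than 403 so that the response does
    not confirm which IDs exist (a design choice, not a requirement)."""
    if session is None:
        return 401, None
    if client_id != session.client_id:
        return 404, None
    record = CLIENTS.get(client_id)
    if record is None:
        return 404, None
    return 200, record


def enumerate_ids(handler, session, start, count):
    """The pentester's check: walk sequential IDs around the caller's own ID and
    report every ID whose data came back even though it is not the caller's."""
    leaked = []
    for cid in range(start, start + count):
        status, _body = handler(session, cid)
        if status == 200 and cid != session.client_id:
            leaked.append(cid)
    return leaked


if __name__ == "__main__":
    me = Session(client_id_from_path("/client/234752879"))
    for name, handler in (("vulnerable", get_client_vulnerable), ("fixed", get_client_fixed)):
        print(name, "leaked IDs:", enumerate_ids(handler, me, 234752875, 10))
```

Whether the tester's own record comes back is not the signal; the finding is every other ID that returns 200 with a body belonging to someone else. Against a real service, compare response bodies as well as status codes, since some applications return 200 with an empty or error payload.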
