Introduction
Recent reports detail the detention of a 15-year-old individual suspected of orchestrating a cyberattack against the Agence Nationale des Titres Sécurisés (ANTS), the French agency responsible for issuing administrative documents. The attacker allegedly exploited a vulnerability in the France Identité platform—a digital identity ecosystem used to access government services—to exfiltrate sensitive personal data and subsequently offered it for sale on cybercriminal forums.
For defenders, this incident highlights the critical risk of Insecure Direct Object References (IDOR) and logic flaws in public-facing web applications. Unlike traditional exploits requiring specific software versions, these vulnerabilities allow authenticated or unauthenticated users to access data belonging to other users simply by manipulating identifiers (e.g., document IDs) in API calls or URLs. This post provides the technical breakdown and detection logic necessary to identify similar scraping and data exfiltration activities within your environment.
Technical Analysis
- Affected Platform: France Identité / ANTS Web Portal
- Vulnerability Type: Insecure Direct Object Reference (IDOR) / Business Logic Flaw
- Exploitation Status: Confirmed Active Exploitation (Data Exfiltration)
Attack Chain
- Initial Access: The attacker identified a vulnerable endpoint within the France Identité application used for retrieving document data or user profiles.
- Enumeration & Exploitation (IDOR): Instead of exploiting a buffer overflow or code execution vulnerability, the actor likely automated requests to the web server, incrementing or randomizing object identifiers (e.g., document_id=1001, document_id=1002) in GET or POST requests.
- Data Exfiltration: The server responded with the personally identifiable information (PII) associated with each ID. The actor scraped this data in bulk, accumulating a database of sensitive records.
- Monetization: The exfiltrated data was packaged and advertised for sale on underground forums.
Defender's Perspective
IDOR flaws are notoriously difficult to detect with standard vulnerability scanners because they require understanding the application's specific business logic (i.e., "Is User A allowed to view Document B?"). In this case, the "noise" of the attack manifests as anomalous HTTP traffic patterns—specifically, a high volume of successful requests (200 OK) from a single source IP or session targeting sequential resource endpoints.
Detection & Response
Given the nature of this breach (web-based scraping via logic flaws), detection relies heavily on analyzing Web Access Logs and Network telemetry.
SIGMA Rules
The following Sigma rules target the behavioral indicators of IDOR scraping and web-based data exfiltration.
```yaml
---
title: Potential Web Scraping via Sequential ID Access
id: 8a2b1c9d-3e4f-4a5b-6c7d-8e9f0a1b2c3d
status: experimental
description: Detects potential web scraping or IDOR exploitation by identifying a single client IP generating a high volume of 200 OK responses to endpoints containing numeric identifiers.
references:
    - https://attack.mitre.org/techniques/T1119/
author: Security Arsenal
date: 2025/01/14
tags:
    - attack.collection
    - attack.t1119
logsource:
    category: webserver
    product: apache
    # Note: adapt logsource for Nginx or IIS as needed; field names may vary (cs_uri_query vs uri_query)
detection:
    selection:
        sc_status: 200
        cs_uri_query|contains: 'id='
    timeframe: 5m
    condition: selection | count() by client_ip > 1000
falsepositives:
    - Legitimate heavy usage by automated testing tools
    - Misconfigured monitoring bots
level: high
```
```yaml
---
title: High Volume User-Agent Anomaly
id: 9b3c2d0e-4f5a-5b6c-7d8e-9f0a1b2c3d4e
status: experimental
description: Detects traffic from sources with unusually high request rates that do not identify as standard search engine bots.
references:
    - https://attack.mitre.org/techniques/T1119/
author: Security Arsenal
date: 2025/01/14
tags:
    - attack.collection
    - attack.t1119
logsource:
    category: proxy
    product: firewall
detection:
    selection:
        sc_status: 200
    filter_main_bots:
        cs_user_agent|contains:
            - 'bot'
            - 'spider'
            - 'crawl'
    timeframe: 2m
    condition: selection and not filter_main_bots | count() by src_ip > 500
falsepositives:
    - Aggressive API clients
    - Legacy internal applications
level: medium
```
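The logic of the first Sigma rule in plain Python, as an added example rather than code from the original post, for running against an exported IIS W3C log: it reads the #Fields header, counts 200 responses to id-bearing URIs per client inside a sliding window, and adds a sequential-id ratio that the Sigma aggregation cannot express. The log lines, IP addresses and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in IIS W3C format: 10.0.0.5 walks document ids 1001..1004,
# 10.0.0.9 is an ordinary user fetching one document and a static file.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-01-14 10:00:01 10.0.0.5 GET /api/document document_id=1001 200
2025-01-14 10:00:02 10.0.0.5 GET /api/document document_id=1002 200
2025-01-14 10:00:02 10.0.0.5 GET /api/document document_id=1003 200
2025-01-14 10:00:03 10.0.0.5 GET /api/document document_id=1004 200
2025-01-14 10:00:05 10.0.0.9 GET /api/document document_id=4711 200
2025-01-14 10:00:09 10.0.0.9 GET /static/app.js - 200
"""
# Matches id=, document_id=, user_id= ... anywhere in the query string
ID_RE = re.compile(r"(?:^|&)(?:[a-z_]*_)?id=(\d+)")

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_scrapers(text, threshold=1000, window_seconds=300):
    """Return {client_ip: (hits, sequential_ratio)} for every client that made more
    than `threshold` 200-responses to id-bearing URIs inside a sliding window."""
    window = timedelta(seconds=window_seconds)
    per_client = defaultdict(list)                 # ip -> [(timestamp, id), ...]
    for rec in parse_w3c(text):
        m = ID_RE.search(rec.get("cs-uri-query", ""))
        if rec.get("sc-status") != "200" or not m:
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        per_client[rec["c-ip"]].append((ts, int(m.group(1))))
    flagged = {}
    for ip, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 > threshold:
                ids = [i for _, i in events[start:end + 1]]
                # Share of steps where the next id is exactly previous+1: near 1.0 means enumeration
                seq = sum(b - a == 1 for a, b in zip(ids, ids[1:])) / max(len(ids) - 1, 1)
                flagged[ip] = (end - start + 1, round(seq, 2))
    return flagged
```

With the production threshold of 1000 nothing in the tiny sample fires; lower it to exercise the logic, and tune the sequential ratio as a second signal once a client is over the volume threshold.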
KQL (Microsoft Sentinel / Defender)
This KQL query hunts for patterns indicative of IDOR attacks by looking at HTTP request volume and URI structure in CommonSecurityLog (Web Proxy/Firewall) or Syslog.
```kusto
// Hunt for IDOR scraping: high volume of successful requests to ID-based endpoints
let Threshold = 1000;   // adjust to the baseline traffic of the site
let TimeWindow = 5m;
CommonSecurityLog
| where TimeGenerated > ago(TimeWindow)
// RequestMethod holds the HTTP verb; DeviceAction is the device's allow/deny verdict.
// Whether the CEF source populates HttpStatusCode varies; check AdditionalExtensions if it is empty.
| where RequestMethod in ("GET", "POST") and HttpStatusCode == 200
// Look for common ID patterns in the query string or the path
| where RequestURL matches regex @"id=[0-9]+" or RequestURL matches regex @"/\d{4,}"
// RequestClientApplication is the CEF user-agent field
| summarize Count = count(), RequestedEndpoints = make_set(RequestURL) by SourceIP, RequestClientApplication
| where Count > Threshold
| order by Count desc
```
Velociraptor VQL
While this attack primarily targets web servers, endpoints within the organization may be used as jump hosts or staging points. This artifact hunts for processes often used in web scraping scripts or unusual network connections.
```vql
-- Hunt for interpreters and download tools whose command line looks like a scraping script
SELECT Pid, Name, CommandLine, Exe, Username
FROM pslist()
WHERE Name IN ('python.exe', 'python3.exe', 'node.exe', 'powershell.exe', 'curl.exe', 'wget.exe')
  AND (CommandLine =~ 'requests' OR CommandLine =~ 'http'
       OR CommandLine =~ 'download' OR CommandLine =~ 'scrape')

-- Hunt for established connections to ports outside the usual service set (possible C2 or exfil).
-- netstat() exposes the remote endpoint as the Raddr struct and the state as Status.
SELECT Pid, Fd, FamilyString, Status,
       Raddr.IP AS RemoteAddr, Raddr.Port AS RemotePort
FROM netstat()
WHERE Status =~ 'ESTABLISHED'
  AND NOT Raddr.Port IN (80, 443, 22, 53, 88, 389, 636, 3389, 5985, 5986)
```
Remediation Script (PowerShell)
Use this script to audit IIS servers for proper logging configuration. You cannot patch a logic flaw with a script, but you can ensure your logging is verbose enough to detect the exploitation of such flaws.
```powershell
# Audit IIS logging for detection readiness
Import-Module WebAdministration

$Sites = Get-Website
$AuditResults = @()

foreach ($Site in $Sites) {
    # Expand %SystemDrive% and similar so the path is usable as-is
    $LogPath = [Environment]::ExpandEnvironmentVariables("$($Site.LogFile.Directory)\W3SVC$($Site.Id)")
    $SiteFilter = "/system.applicationHost/sites/site[@name='$($Site.Name)']/logFile"
    $LogFormat = (Get-ItemProperty "IIS:\Sites\$($Site.Name)" -Name logfile).logFormat

    $LogFields = $null
    $IsCompliant = $false
    if ($LogFormat -eq 'W3C') {
        # Ensure the critical fields are enabled (the query string is vital for IDOR detection)
        $LogFields = (Get-WebConfigurationProperty -Filter $SiteFilter -Name logExtFileFlags).Value
        if ($LogFields -match 'Date' -and $LogFields -match 'Time' -and
            $LogFields -match 'UriQuery' -and $LogFields -match 'HttpSubStatus') {
            $IsCompliant = $true
        }
    }

    $AuditResults += [PSCustomObject]@{
        SiteName                  = $Site.Name
        LogPath                   = $LogPath
        Format                    = $LogFormat
        QueryStringLoggingEnabled = [bool]($LogFields -match 'UriQuery')
        ComplianceStatus          = if ($IsCompliant) { 'PASS' } else { 'FAIL' }
    }
}

$AuditResults | Format-Table -AutoSize

# Alert if any site is non-compliant and list the offending sites
$NonCompliant = $AuditResults | Where-Object { $_.ComplianceStatus -eq 'FAIL' }
if ($NonCompliant) {
    Write-Warning "Action Required: IIS logging on the following sites is not configured optimally for web attack detection. Ensure 'UriQuery' is enabled."
    $NonCompliant | ForEach-Object { Write-Warning "  $($_.SiteName)" }
}
```
Remediation
- Application Logic Patching: Work with development teams to implement server-side checks for every request that accesses a resource object. Ensure the session context (user) has explicit authorization to view the requested object ID.
- Indirect Object References: Replace sequential database IDs (e.g., ?id=101) with non-guessable references such as UUIDs or GUIDs (e.g., ?id=550e8400-e29b-41d4-a716-446655440000). This prevents simple scraping loops.
- Rate Limiting: Implement granular rate limiting on API endpoints and authenticated pages. Detect and block IPs or sessions that request a higher number of pages per minute than a human user could reasonably generate.
- User-Agent Validation: While spoofable, blocking requests with empty or malformed User-Agents can filter out low-effort automated scripts.
- Logging Enhancement: Ensure the QueryString and Cookie fields are logged in web server logs (IIS/Nginx/Apache). Without the query string, detecting an IDOR attack (identifying the changing ID) is impossible.
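The first two remediation items side by side, as an added example and not code from the post or the affected platform: a handler that trusts the client-supplied id (the IDOR shape), the same handler with a server-side ownership check, and a per-user UUID reference map standing in for a database table so that URLs carry no guessable key. Users, ids and document contents are constructed.

```python
import uuid

# Constructed in-memory store: sequential internal ids, each row owned by one user.
DOCUMENTS = {
    1001: {"owner": "alice", "pii": "ALICE-PASSPORT-DATA"},
    1002: {"owner": "bob", "pii": "BOB-PASSPORT-DATA"},
}

class Forbidden(Exception):
    """Raised when the session user is not authorised for the requested object."""

def get_document_vulnerable(user, doc_id):
    """IDOR: trusts the client-supplied id and never checks who owns the row."""
    return DOCUMENTS[doc_id]["pii"]

def get_document_fixed(user, doc_id):
    """Server-side check on every object access: the session user must own the row.
    Missing and foreign objects get the same refusal, so responses do not map the id space."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != user:
        raise Forbidden(f"{user} may not read document {doc_id}")
    return doc["pii"]

class ReferenceMap:
    """Indirect object references: a random UUID issued per (user, object) replaces
    the guessable ?id=1001 in URLs; resolving it re-checks the binding to the user."""
    def __init__(self):
        self._by_ref = {}                      # public uuid -> (user, internal id)

    def issue(self, user, doc_id):
        ref = str(uuid.uuid4())
        self._by_ref[ref] = (user, doc_id)
        return ref

    def resolve(self, user, ref):
        entry = self._by_ref.get(ref)
        if entry is None or entry[0] != user:
            raise Forbidden("unknown or foreign reference")
        return entry[1]

def get_document_by_ref(refs, user, ref):
    """Endpoint shape with both fixes: ?ref=<uuid> is resolved, then authorised again."""
    return get_document_fixed(user, refs.resolve(user, ref))

def denied(fn, *args):
    """True when the call is refused by the authorisation check."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```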