OWASP API Security Top 10 API3:2019 Excessive Data Exposure with Example

In the recent blog, we learn about OWASP API Security Top 10 API2:2019 Broken User Authentication with Example. This blog we will learn about OWASP API Security Top 10 API3:2019 Excessive Data Exposure, its impact, an example, and remediation.

What is Excessive Data Exposure and its impact?

When an API exposes sensitive data in response by design, it is an Excessive Data Exposure. The client-side code generally filters this sensitive data before being presented to end users.

Suppose the APIs rely on client-side code to filter sensitive data. In that case, it is a vulnerability because an attacker can easily get sensitive data by sniffing the traffic.

Generally, automatic vulnerability scanners cannot identify such vulnerabilities because they can not differentiate between sensitive and legitimate data. After all, it depends on the application's design.

Excessive Data Exposure example

Suppose there is a shopping application that allows authenticated users to post feedbacks of the products, and other users can review the feedback before purchasing any product

The application uses an API endpoint to fetch the feedbacks from the server about the particular product and show it in GUI.

API Endpoint


If this API response contains Personal Identifiable Information (PII) about the author of the feedback, then it is an Excessive Data Exposure vulnerability.

API Response

“Date”: “10-Nov-2022”,
“Feedback”: “Ausome product”,
“Author_Username”: “abc”,
“Author_Email”: “abc@xxyz.com”,
“Author_Name”: “ABC”

In the above response, the Author's email and name are PII, and it is excessive data, but it is filtered by client-side code.


Debug API endpoint is used to understand the relationship between input and output and logs errors and information, but if the debug API response contains sensitive data, it is an Excessive Data Exposure vulnerability.

In the above image debug API endpoint response contains passwords, email, usernames, and permissions.


  • Review API response to make sure it only contains legitimate data
  • Not rely on client-side filtering of API response

Sahil Gupta

Application Security | DevSecOps | Secure SDLC | Penetration Tester (Web and API) | CEHv10 | IBM Certified Cybersecurity Analyst Professional

Previous Post Next Post

Contact Form