What is Excessive Data Exposure and its impact?
When an API exposes sensitive data in response by design, it is an Excessive Data Exposure. The client-side code generally filters this sensitive data before being presented to end users.
Suppose the APIs rely on client-side code to filter sensitive data. In that case, it is a vulnerability because an attacker can easily get sensitive data by sniffing the traffic.
Generally, automatic vulnerability scanners cannot identify such vulnerabilities because they can not differentiate between sensitive and legitimate data. After all, it depends on the application's design.
Excessive Data Exposure example
Suppose there is a shopping application that allows authenticated users to post feedbacks of the products, and other users can review the feedback before purchasing any product
The application uses an API endpoint to fetch the feedbacks from the server about the particular product and show it in GUI.
API Endpoint
/api/feedbacks/{product_id}
If this API response contains Personal Identifiable Information (PII) about the author of the feedback, then it is an Excessive Data Exposure vulnerability.
API Response
{
“Date”: “10-Nov-2022”,
“Feedback”: “Ausome product”,
“Author_Username”: “abc”,
“Author_Email”: “abc@xxyz.com”,
“Author_Name”: “ABC”
}
In the above response, the Author's email and name are PII, and it is excessive data, but it is filtered by client-side code.
Example
Debug API endpoint is used to understand the relationship between input and output and logs errors and information, but if the debug API response contains sensitive data, it is an Excessive Data Exposure vulnerability.
In the above image debug API endpoint response contains passwords, email, usernames, and permissions.
Remediations
- Review API response to make sure it only contains legitimate data
- Not rely on client-side filtering of API response
