Introduction
An API is only supposed to return the required data to the front-end clients but sometimes teams will make a mistake or take the easy route and implement APIs that return all data to the client. When these API's return too much data, we can speak of Excessive Data Exposure.
A simple example we can give is an application which makes a call to grab the credit card details. The user does not see the CCV because it will be filtered out by the front-end client but the API still returns too much data.
Example:
As you can see here, we made the call to grab the credit card details and while the end user might not be able to see the CVV but since the API returns it, we are speaking of Excessive Data Expsoure.
Let's add another example to make things more clear. In this scenario we have a mobile application that makes a GET request to /api/articles/{articleId}/comments/{commentId} and gets metadata about the comment as well, including the author. However when someone is sniffing the data, they can also see PII data from the author.
The deceptive simple nature of this issue type makes it very easy to overlook and our automation is not very likely to pick this issue type up either so it's very easy to slip under the radar. To help you filter your data - API security solution. We have compiled the OWASP Top 10 2021 ranking based on statistical data. It's highly recommended that you judge all data leaving API's on their sensitive nature and what data it should send off to the front-end. Front-end filtering should be avoided if at all possible.
Subscribe for the latest news