Project Description

Excessive Data Exposure

Excessive Data Exposure is ranked 3rd in the OWASP API Security Top 10. It has stayed in the top three of that list year after year, which shows how prevalent and damaging it remains.

What is Excessive Data Exposure vulnerability? 

An API is only supposed to return the data that the front-end client actually needs. As the name indicates, Excessive Data Exposure happens when an API endpoint returns more data than required, or the whole underlying object, usually because of a developer oversight.

Example

To understand this vulnerability in practice and what it means for you, let's look at an example. Consider a user who uses the 'Forgot password' feature on a website to reset their password, using the reset token they receive in their mailbox.

The user visits a sample website, opens the login page, clicks the forgot-password link, enters their email address and clicks submit. On submission, the following POST request is sent to the API:

Request: 

POST /api/forgot-password HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Host: www.demo-website.com
Cookie: SESSIONID=t8q6Jp19pFOq5NPOUy21
Connection: keep-alive

{ "email":"user@xyz.com" }
After sending this request, the user gets the following response from the server:

Response:

HTTP/2 200 OK
Date: Fri, 15 Jul 2022 06:43:22 GMT
Content-Type: application/json
Transfer-Encoding: Chunked
Keep-Alive: timeout=60
Connection: keep-alive

{
"status":"success",
"userid":"21",
"email":"user@xyz.com",
"name":"John Doe",
"resetUrl":"https://api.demo-website.com/account/reset-password?token=BDAD85816485714619CE416BE86FF",
"Phone":"1111111111"
}

As you can see, we made a call to generate the password reset token and send it to the user via email, yet the API also returns that token in the response, which is problematic. The API is returning more than it should, and that is why this endpoint is vulnerable to excessive data exposure.

An Excessive Data Exposure vulnerability can often lead to account takeover, privilege escalation and more. In our example scenario, a threat actor who can observe the response can use the token to reset the victim's password, resulting in account takeover. This makes the vulnerability damaging to the integrity of the user account.

In the above example, the API returns not just the reset token but also the phone number. If the user has set the privacy option for their phone number to private or self-view-only, returning the phone parameter also affects the confidentiality of the user account. A vulnerability of this size can severely damage the organization's reputation and lead to large compliance fines.

To study common API challenges and how IT practitioners are facing them, Cloudentity conducted its 2021 State of API Security, Privacy and Governance Survey with the independent research firm Pulse QA. The findings revealed that in 2021 a staggering 44% of enterprises had experienced substantial API security problems concerning data leakage and object property exposure, resulting in major privacy issues.

It has therefore become crucial that API vulnerabilities like excessive data exposure are mitigated during development, through careful API design and rigorous testing of API endpoints to ensure that no endpoint returns more data than it should.

How to protect our APIs against the Excessive Data Exposure Vulnerability?

  1. Don't rely on the client to filter out data. When data filtering is delegated to the client, threat actors can read everything the API sends and take the sensitive data from the raw response.  
  2. Review the most commonly used API endpoints and work out how to reduce the data in each response to the bare minimum appropriate for the end-user. This is the best way to avoid excessive data exposure.  
  3. Every API endpoint, new or existing, should have its responses reviewed to verify that they contain no PII that is not required. You should also use API security tools that can help you monitor API endpoints that return PII.  
  4. Consider adopting the OpenAPI standards for secure and robust API integration. The OpenAPI Specification (OAS) acts as a driving force to bring structure and order to the API development process. 

Conclusion 

As applications become more complex, with a vast spectrum of features and integrations with third-party services, the number and complexity of APIs will keep growing. As more APIs are written, both development and security teams will have to play a pivotal role in ensuring that APIs are carefully designed, that all API endpoints are rigorously tested, and that best standards are followed so that no API returns more information to the user than it should.