Open in app

Sign in

Write

Sign in

OWASP API #3: Excessive Data Exposure

Santiago Rosenblatt
strike.sh
Published in
3 min readFeb 8, 2021

This section

As a reminder, we started with this section two weeks ago. Our main purpose is to share the top cybersecurity attacks that applications are suffering and help by explaining how you can prevent them from happening.

In each story, we go through ‘Brief explanation’, ‘Is my API vulnerable?’, ‘Attack scenarios’ and ‘How to prevent?’, so by the end you have a comprehensive understanding.

If you missed the previous articles in which we went through Broken Object Level Authorization and Broken Authentication, go have a look :)

API #3: Excessive Data Exposure

This week brings us a very important topic, one that is often left unattended or not given enough attention as it should.

When we develop, ensuring that our applications return only what is needed by the users is critical. Failing to seal the surface and not paying attention to what our API returns, leaves an entry point for an attack more often than not.

Taking into account the above, ensuring that our applications return the minimum necessary information, ends up being vital in this era in which the internet is plagued with bots and crawlers searching for vulnerable and weak points to exploit.

Just as a proof of concept, try leaving a Wordpress instance with the default credentials and a downgraded version exposed to the world; I bet you will see logs of automated scripts trying to get into it in less than an hour.

Brief explanation

Excessive Data Exposure occurs when a request’s response returns more data than truly required to perform the desired function.

Is my API vulnerable?

It is indeed vulnerable when:

  • The API returns full data objects from database and with sensitive data to the client by design.
  • Data is filtered on the client side instead of the backend.
  • An attacker can easily sniff the traffic and see sensitive data.

Example attack scenario

The mobile application of an e-commerce site uses the /api/orders/{orderID}/reviews/{reviewID} endpoint in the reviews to render comments metadata.

Sniffing the mobile application traffic, an attacker finds out that other sensitive data related to comment’s author is also returned. The endpoint implementation, uses a generic toJSON() method on the User model to serialize the object which returns the entire DTO.

As the entity from the domain contains PII (Personally Identifiable Information), it is also returned in the request and the attacker is able to grab something similar to:

{“user_name”:”santiago@strike.sh”,”age”:24,”phone_number”:”+1 (232) 606 3222", ”orders_quantity”: 203, ”orders_average_spending”:”USD 47.61”, ”comment”:”Good chair.”}

How to prevent?

  • Never perform data filtering on the client side.
  • Use Data Transfer Object and review the responses from the API on a quarterly basis to make sure they contain only legitimate data.
  • Make sure errors return only the necessary information.
  • Document all sensitive and PII that your application stores and review all API calls returning such information to see whether these responses can incur in a security issue.

Conclusion

In two minutes we have seen how not paying enough attention to a small function can result in a sensitive information breach. Thus, you are encouraged to be awake, and when designing your application, take notes of the sensitive information you are storing and where specifically both you and the user will be interacting with it.

By doing the above, you grab a much better understanding of your surface and help detecting privacy issues as soon as the code is implemented and avoiding releasing it to the production environment; which can be harmful when proper security concerns are not guaranteed.

Excessive Data Exposure can easily be mitigated by working with Data Transfer Objects and setting only the desired properties for the endpoint to return.

Thank you for reading this week’s story from our OWASP API TOP 10 series. If you have any doubts, do not hesitate to contact anyone at Strike or reach out to me through LinkedIn, we will be more than happy to help you!

Finally, if you want to see daily news, tips and funny related memes, be sure to give us a follow there too.

Cheers from Strike :)

Strike
Cybersecurity
Penetration Testing
Hacking
Owasp Top 10

--

--

Santiago Rosenblatt
strike.sh

Written by Santiago Rosenblatt

72 Followers
Editor for

Founder & CEO at Strike.sh | Ethical Hacker | Computer Engineer | Go Getter ✌🏻 - “Embrace reality and deal with it” https://linkedin.com/in/santiagorosenblatt

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams