API3:2019 — Excessive data exposure

The API may expose a lot more data than what the client legitimately needs, relying on the client to do the filtering. If attackers go directly to the API, they have it all.

The raw data that the API returns from the backend is all up for grabs if your bypass the UI.

Use case

  • The API returns full data objects as they are stored in the backend database.
  • The client application filters the responses and only shows the data that the users really need to see.
  • Attackers call the API directly and get also the sensitive data that the UI would filter out.

How to prevent

  • Never rely on the client to filter data!
  • Review all API responses and adapt them to match what the API consumers really need.
  • Carefully define schemas for all the API responses.
  • Do not forget about error responses, define proper schemas as well.
  • Identify all the sensitive data or Personally Identifiable Information (PII), and justify its use.
  • Enforce response checks to prevent accidental leaks of data or exceptions.