API3:2019 Excessive Data Exposure - OWASP API Security Top 10

Overview

This article discusses the security risk of excessive data exposure in APIs, as outlined in the OWASP API Security Top 10.

Description

Excessive Data Exposure is a vulnerability where APIs return sensitive data to the client without proper filtering. This can lead to the exposure of confidential information and pose a security risk. This article provides an overview of the threat agents, attack vectors, security weaknesses, and impacts associated with excessive data exposure. It also provides example attack scenarios and offers preventative measures to mitigate the risk.

How to Prevent ?

To prevent excessive data exposure in APIs, it is important to never rely on the client side to filter sensitive data. Backend engineers should review API responses to ensure they only contain legitimate data. Generic methods should be avoided, and specific properties should be cherry-picked instead. Sensitive and personally identifiable information (PII) should be properly classified and API calls returning such information should be reviewed for security issues. Implementing a schema-based response validation mechanism and enforcing data returned by API methods can add an extra layer of security.

Example Attack Scenarios:

• Scenario #1:  In this scenario, the mobile team uses an API endpoint to render comments metadata. However, sniffing the mobile application traffic reveals that sensitive data related to comment authors is also returned. This is due to the use of a generic toJSON() method, which serializes the User model, including PII.

• Scenario #2:  In this scenario, an IOT-based surveillance system allows administrators to create users with specific permissions. However, an API call triggered by a mobile app exposes a full list of all cameras, instead of showing only the ones the user should have access to. This exposes sensitive information and poses a security risk.