API Security - Sensitive Data Exposure

Gupta Bless
4 min read · Aug 28, 2021

In this post of the API Security series, we are going to discuss “Excessive Data Exposure”. Before moving forward you need to understand what APIs are and how they work, so please go through my previous blog first:

API Security

API Security — Excessive Data Exposure?


“Excessive Data Exposure” becomes possible when traffic is sniffed and the sniffed responses are inspected for sensitive data; quite often the API actually returns far more data than the client needs. Sniffing here simply means capturing the information in transit, by whatever means, between source and target.

Example: suppose an API is only supposed to return a person’s username, but it actually returns the mobile number and the email address as well. They might not be displayed on the UI, but in the JSON response you can see them. Attackers fetch all this information straight from the API. From a business point of view this is dangerous, as it leads to exposure of sensitive data.

Why it happens in API:

An API mostly performs its work on, or relies on, the client’s data. The API trusts the developer’s implementation, and the developer did not implement the API from a security point of view: he implemented it in a very generic way, so the API returns the full object and the data gets filtered on the client side before being presented to the user. Attackers can take advantage of this by sniffing the traffic and reading the unfiltered response.
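To make the “generic implementation, filter on the client” pattern concrete, here is an added example (my own code, not from the original post) with a constructed user record: the excessive serializer dumps the whole record, the hardened serializer enforces a server-side allowlist per endpoint, and a small review helper reports every key that goes beyond the documented contract. The field names and the `PUBLIC_PROFILE_FIELDS` allowlist are assumptions for illustration.

```python
import json

# Constructed sample record, as the backend would load it from its database.
USER_RECORD = {
    "id": 42,
    "username": "alice",
    "email": "alice@example.com",
    "mobile": "+1-555-0100",
    "password_hash": "$2b$12$placeholder-hash-value",
}

# Hypothetical contract for the "public profile" endpoint: only these keys
# are ever meant to reach the client. The server enforces it, not the UI.
PUBLIC_PROFILE_FIELDS = frozenset({"id", "username"})


def excessive_profile(record: dict) -> dict:
    """Vulnerable pattern: return the whole object and let the client filter.
    Everything in the record, including the password hash, reaches the wire."""
    return dict(record)


def public_profile(record: dict, allowed=PUBLIC_PROFILE_FIELDS) -> dict:
    """Hardened pattern: build the response from an explicit allowlist.
    Keys outside the allowlist can never leak, even if the record grows."""
    return {key: record[key] for key in allowed if key in record}


def to_json(payload: dict) -> str:
    """Serialise a response body the way the API would send it."""
    return json.dumps(payload, sort_keys=True)


def unexpected_fields(response_body: str, allowed=PUBLIC_PROFILE_FIELDS) -> set:
    """Review helper: compare a captured JSON response against the contract
    and return the keys that should not have been there. Handy when testing
    your own API, since generic scanners cannot know what is 'too much'."""
    return set(json.loads(response_body)) - set(allowed)


if __name__ == "__main__":
    leaky = to_json(excessive_profile(USER_RECORD))
    safe = to_json(public_profile(USER_RECORD))
    print("excessive response leaks:", sorted(unexpected_fields(leaky)))
    print("hardened response leaks: ", sorted(unexpected_fields(safe)))
```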

On top of that, automated tools cannot detect this vulnerability; only an experienced pen-tester can find it. Tools cannot detect it because, without knowing what the client actually needs, it is very hard to tell legitimate data returned from the API apart from data that should never have been returned.

The admin creates an account that fetches data from the API, and assigns user permissions to it according to the authorization model. So the security guard is the end user here, and he has rights to view or access specific building views. The API endpoint that is used for fetching the view is…

Gupta Bless

Security enthusiast working to secure web for others.