Deepshikha Paty
DI-ASM
What is Excessive Data Exposure?
It happens when an API returns more information in its response than the client needs, including private or sensitive data that should not be shared with the user.
How does it happen?
- Developers send all data from the database, thinking the front-end will hide what's not needed.
- But if someone checks the raw API response (with tools such as Talend or Postman), they can see everything, including things like:
- Phone numbers
- Account numbers
- Access tokens
- Device info, etc.
Example
- A mobile shopping app displays a user's order summary.
- But when analyzing the API response using a tool like Postman or a browser developer tool, the entire user object is returned, including sensitive data like:
- Full address
- Email ID
- Credit card number (masked or unmasked)
- Internal user roles or permissions
Even though only the order summary is shown on the screen, the backend sends more data than necessary, which can be exploited if intercepted or accessed improperly.
Why is it risky?
- Hackers can easily read the raw response and steal private info.
- Sensitive data can be used to:
- Access other systems
- Pretend to be someone else
- Attack users or the company
How to prevent this?
- Only send the data that is needed from the backend, not everything.
- Never depend on the front-end to hide private info.
- Regularly check API responses to make sure no sensitive info is leaked.
- Avoid generic methods like to_string() or to_json() that return everything.
- Test APIs (automated + manual) to make sure only safe data is returned.
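The shopping-app example and the prevention list above, worked through in code. This is an added illustration, not code from the original notes: the user record, field names and the list of sensitive key patterns are all constructed for the example, and a real service would serialize the returned dicts as its JSON response.

```python
import re

# Constructed sample record, as a backend might load it from the database (all values made up).
USER_RECORD = {
    "id": 1042,
    "name": "Asha Rao",
    "email": "asha@example.com",
    "phone": "+91-9000000000",
    "address": "12 Example Street, Pune",
    "credit_card": "4111111111111111",
    "access_token": "tok_EXAMPLE_abc123",
    "roles": ["customer", "internal_support"],
    "orders": [{"order_id": "A1001", "status": "shipped", "total": 1499.0}],
}

# Vulnerable pattern: the handler returns the whole object and trusts the front-end to hide the rest.
def order_summary_naive(user: dict) -> dict:
    return user

# Fixed pattern: an explicit allow-list (a response DTO); a field not named here never leaves the backend.
def order_summary_dto(user: dict) -> dict:
    return {
        "name": user["name"],
        "orders": [
            {"order_id": o["order_id"], "status": o["status"], "total": o["total"]}
            for o in user["orders"]
        ],
    }

# Key names that must never appear in this API's public responses (hypothetical starting list).
SENSITIVE_KEY = re.compile(
    r"token|secret|password|credit_card|card_number|email|phone|address|roles?|permissions?",
    re.IGNORECASE,
)

def find_sensitive_keys(payload, path: str = "") -> list[str]:
    """Walk a decoded JSON response and return the paths of any sensitive keys.
    Meant to run inside automated API tests, so a leak fails the build."""
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            child = f"{path}.{key}" if path else key
            if SENSITIVE_KEY.search(key):
                hits.append(child)
            hits.extend(find_sensitive_keys(value, child))
    elif isinstance(payload, list):
        for i, item in enumerate(payload):
            hits.extend(find_sensitive_keys(item, f"{path}[{i}]"))
    return hits
```

Running find_sensitive_keys over the naive response flags email, phone, address, credit_card, access_token and roles, while the DTO response produces no hits.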