Excessive Data Exposure
Excessive data exposure can lead to unauthorized access to sensitive information, which may include personal data, system details, or other confidential information that attackers can exploit.
Limit the amount of data returned by APIs or error messages to only what is necessary, implement proper data access controls, and use data masking or anonymization techniques to protect sensitive information.
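The mitigation above, as an added example that is not part of the original page: the response body is built from a per-role allow-list, sensitive fields are masked, and errors return only a generic message with a reference. The field names, the roles, and the functions `serialize_user` and `error_response` are assumptions made for illustration.

```python
import logging
import uuid

log = logging.getLogger("api")

# Allow-list per viewer role (hypothetical roles and fields): a field that is
# not listed is never returned, so new record fields stay private by default.
ALLOWED_FIELDS = {
    "public": ("id", "display_name"),
    "owner": ("id", "display_name", "email", "phone"),
}

def mask_email(value):
    local, _, domain = value.partition("@")
    return f"{local[:1]}***@{domain}" if domain else "***"

def mask_phone(value):
    digits = "".join(c for c in value if c.isdigit())
    return "*" * max(len(digits) - 4, 0) + digits[-4:]

MASKERS = {"email": mask_email, "phone": mask_phone}

def serialize_user(record, viewer_id):
    """Build the response from the allow-list, masking sensitive fields."""
    role = "owner" if viewer_id == record["id"] else "public"
    body = {}
    for field in ALLOWED_FIELDS[role]:
        if field in record:
            mask = MASKERS.get(field)
            body[field] = mask(record[field]) if mask else record[field]
    return body

def error_response(exc):
    """Log the detail server-side; return a generic message and a reference."""
    ref = uuid.uuid4().hex[:8]
    log.error("request failed ref=%s: %r", ref, exc)
    return {"error": "Internal error", "ref": ref}

# Constructed sample record, shaped like a full database row.
SAMPLE = {
    "id": 7, "display_name": "alice", "email": "alice@example.com",
    "phone": "+1 555 010 1234", "password_hash": "<constructed>",
    "is_admin": False,
}

if __name__ == "__main__":
    print(serialize_user(SAMPLE, viewer_id=7))   # owner view, masked
    print(serialize_user(SAMPLE, viewer_id=99))  # public view
    print(error_response(KeyError("users.password_hash")))
```
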
The example below is based on the crAPI application.

The example below is based on HTB's API Attacks module.
