Excessive Data Exposure

Welcome folks, This blog will be a quick review about:

What is Excessive Data Exposure.
How to hunt for it.
Resources about the vulnerability.

What is Excessive Data Exposure:

Excessive Data Exposure is much like normal Information-Disclosure vulnerability except here the data returned in JSON format. The vulnerability represented in that the API returns more information for a request that than is needed in hope that the client will filter these data. For example, Consider that you're dealing with an API and there's a request that retrieves information once you logged in the website like the following:

GET /api/v1/info?email=John312@gmail.com
Host: api.target.com

Then you receive a response like the following:

HTTP/1.1 200 OK
Content-Type: application/json

{
    "id" : 252,
    "first_name" : "John",
    "last_name" : "",
    "email" : "John312@gmail.com",
    "phone" : "30215928123",
    "privilege" : "user",
    "representative" : [
            "id" : 122,
            "first_name" : "Sarah",
            "last_name" : "Yasser",
            "email" : "SarahY222@gmail.com",
            "phone" : "1248228122",
            "privilege" : "admin",
            "2fa" : false
    ]
}

Here the API didn't just respond with our information but also returned the representative's sensitive information like (email, phone, 2fa). Another example, Consider that there's a website provides the ability to comment on published blogs in the website but once you visit a blog the following request initiated:

GET /api/v2/blog/523/comments
Host: api.target.com

After reviewing the response you surprised with that the API returned a detailed information about the comments producers like the following:

HTTP/1.1 200 Ok
Content-Type : application/json

{
    [
      {  
        "id" : 241,
        "first_name" : "Ahmed",
        "last_name" : "Mostafa",
        "phone" : "1248729242",
        "email" : "ahmed_mostafe1@gmail.com",
        "2fa" : true
      }
      {
        "id" : 255,
        "first_name" : "Saif",
        "last_name" : "Mohammed",
        "phone" : "1225128224",
        "email" : "Saif2512@gmail.com",
        "2fa" : "false"
      }
      {
        "id" : 275,
        "first_name" : "Moamen",
        "last_name" : "Abd-Allah",
        "phone" : "1225925212",
        "email" : "Moamenn121@gmail.com",
        "2fa" : "false"
      }
    ]
}

How to hunt for it:

You just need use the application as intended and use each functions in the website as well while using your Burpsuite/ZAP enabled, After that you can Check the responses of the requests that initiated to the API. You can configure your burpsuite to just viewing JSON formatted responses to make it easier for hunting by heading to (Filter Settings) and click on (Show Only) then enter json like:

Resources about the vulnerability:

Hacking APIs book.

I hope if that could help even a little bit, If you've a question you can ask me at:

NextBOLA & BFLA

Last updated 2 years ago

HTTP/1.1 200 OK Content-Type: application/json { "id" : 252, "first_name" : "John", "last_name" : "", "email" : "John312@gmail.com", "phone" : "30215928123", "privilege" : "user", "representative" : [ "id" : 122, "first_name" : "Sarah", "last_name" : "Yasser", "email" : "SarahY222@gmail.com", "phone" : "1248228122", "privilege" : "admin", "2fa" : false ] }

HTTP/1.1 200 Ok Content-Type : application/json { [ { "id" : 241, "first_name" : "Ahmed", "last_name" : "Mostafa", "phone" : "1248729242", "email" : "ahmed_mostafe1@gmail.com", "2fa" : true } { "id" : 255, "first_name" : "Saif", "last_name" : "Mohammed", "phone" : "1225128224", "email" : "Saif2512@gmail.com", "2fa" : "false" } { "id" : 275, "first_name" : "Moamen", "last_name" : "Abd-Allah", "phone" : "1225925212", "email" : "Moamenn121@gmail.com", "2fa" : "false" } ] }