Drilling Down Into Excessive Data Exposure: How to Protect Your APIs' Sensitive Data
April 10, 2022
7 min read
TLDR Key Takeaways
Excessive data exposure sits at number three in the OWASP API Security Top 10 (API3:2019), which should highlight how prevalent it is and how important it is to address within your own APIs.
In one industry survey, 91% of enterprise security officials reported an API security incident in 2020. API-related breaches at major companies such as PayPal, Facebook, and Equifax cost those companies heavily in reputation and company value.
But what is excessive data exposure? And what are the best ways to protect your APIs from an attack that targets this weakness?
What is Excessive Data Exposure and Why Is It on the OWASP Top 10 List?
Excessive data exposure occurs when an application, via an API response, returns more information than the client needs to perform a specific action.
When web and mobile apps rely on API calls that return more than the user needs, those responses carry unfiltered data that anyone who can call the endpoint or inspect the traffic can harvest, whatever the user interface chooses to display.
Consider how excessive data exposure occurs, and the harm it can do, when an e-store owner wants to pull customers' names and locations to use in a marketing campaign and requests each customer's record from the API.
The API then pulls the entire object from the database, including, but not limited to, the information you were looking for:
    {
      "real_name": "John Doe",
      "location": "San Antonio, TX",
      "address": "514 W Commerce St, San Antonio, TX, USA",
      "creditCard": "2342 3424 5323 1234"
    }
Excessive data exposure occurs when the API returns this whole object and relies on the client to discard what it does not need. A correctly filtered response contains only the required fields:
    {
      "real_name": "John Doe",
      "location": "San Antonio, TX"
    }
API developers sometimes assume that data the interface does not display is not exposed. That assumption is wrong: every field in the response is available to anyone who calls the API directly or proxies the traffic, and that is how companies end up with identity theft, fraud, and even leaked trade secrets.
With over 155.8 million individuals in the US affected by data breaches in 2020 alone, preventing sensitive data exposure has been a major focus for OWASP, which works to help developers understand that data hidden by the client is still fully exposed to attackers.
How To Protect Your APIs Against Excessive Data Exposure
Thankfully, there are measures you can take to stop your APIs from exposing sensitive data unnecessarily.
When your APIs stop sending excessive data, it becomes much harder for attackers to obtain anything you do not want them to see. The following tips go a long way toward locking down your data.
1. Don't Delegate Data Filtering to the Client
Leaving data filtering to the client is a shortcut attackers are happy to exploit: client-side code may hide the extra fields, but anyone who calls the endpoint directly or intercepts the traffic sees the full response.
The golden rule is simple: never leave filtering to the client when the response can contain sensitive user information.
Raw, unfiltered records are exactly what attackers want, so the server has to control what leaves it from start to finish.
Instead of returning entire database objects, define an explicit response shape for each endpoint that contains only the fields the action needs. If a sensitive field genuinely must be returned, mask it (for example, return only the last four digits of a card number).
2. Control & Minimize Returns In Your API Responses
As mentioned above, reviewing your most common use cases and trimming every API response to the minimum set of fields each one needs is the most effective way to avoid excessive data exposure.
Treat every response and every field in it as a potential exposure, because that is exactly what it is: anything in the response is in the caller's hands.
Minimizing what you return not only shrinks the attack surface but also hides the shape of your full data model, making it harder for attackers to map the underlying system and find further weaknesses.
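The following example, added here and not taken from the original article or any vendor's code, shows tips 1 and 2 in working Python: a handler that returns the whole record as the article's e-store does, beside handlers that serialize from a per-endpoint allowlist, mask the card number where a use case legitimately needs it, and refuse to emit server-only fields. The customer row is constructed from the article's sample; the `id`, `email` and `password_hash` fields and the `MARKETING_FIELDS`/`BILLING_FIELDS` names are assumptions for illustration.

```python
"""Two ways to answer a 'get customer' API call (added example).

vulnerable_customer_response() hands the whole database record to the client
and trusts client-side code to hide the rest.  The hardened handlers build the
response from a per-endpoint allowlist of fields, mask the one sensitive field
that a use case legitimately needs, and refuse to ever emit server-only fields.
"""
from typing import Callable, Dict, Iterable

# Constructed sample row, standing in for a customer record read from the
# database.  Field names follow the article; the extra fields are assumptions.
CUSTOMER_ROW: Dict[str, object] = {
    "id": 1042,
    "real_name": "John Doe",
    "location": "San Antonio, TX",
    "address": "514 W Commerce St, San Antonio, TX, USA",
    "creditCard": "2342 3424 5323 1234",
    "email": "john.doe@example.com",
    "password_hash": "$2b$12$constructed-hash-value",
}


def vulnerable_customer_response(row: Dict[str, object]) -> Dict[str, object]:
    """Excessive data exposure: the entire object goes on the wire."""
    return dict(row)


# One allowlist per use case: an endpoint declares exactly what it returns.
MARKETING_FIELDS = ("real_name", "location")
BILLING_FIELDS = ("real_name", "address", "creditCard")

# Server-only fields that no allowlist may include; enforced at serialization
# time so a mistake in an allowlist fails loudly instead of leaking.
NEVER_EXPOSE = frozenset({"password_hash"})


def mask_card(pan: str) -> str:
    """Keep only the last four digits of a card number."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


# Fields that may be returned only in masked form.
MASKERS: Dict[str, Callable[[str], str]] = {"creditCard": mask_card}


def serialize(row: Dict[str, object], fields: Iterable[str]) -> Dict[str, object]:
    """Copy only the allowlisted fields, applying maskers where defined."""
    out: Dict[str, object] = {}
    for name in fields:
        if name in NEVER_EXPOSE:
            raise ValueError(f"{name} may not be returned by any endpoint")
        if name not in row:
            continue  # optional field absent on this record
        value = row[name]
        if name in MASKERS:
            value = MASKERS[name](str(value))
        out[name] = value
    return out


def marketing_customer_response(row: Dict[str, object]) -> Dict[str, object]:
    """Names and locations for a marketing campaign: nothing else."""
    return serialize(row, MARKETING_FIELDS)


def billing_customer_response(row: Dict[str, object]) -> Dict[str, object]:
    """Billing view: needs the card, but only its last four digits."""
    return serialize(row, BILLING_FIELDS)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_customer_response(CUSTOMER_ROW))
    print("marketing: ", marketing_customer_response(CUSTOMER_ROW))
    print("billing:   ", billing_customer_response(CUSTOMER_ROW))
```

The design point is that filtering is a property of the endpoint, not of the client: each handler names its fields, the masker list is the only way a card number can appear, and `NEVER_EXPOSE` turns an allowlist mistake into an exception rather than a silent leak.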
3. Encrypt Data During Transit and at Rest
Encrypting data in transit with TLS (serving the API only over HTTPS, on current TLS versions) sharply reduces the chance that a third party who intercepts traffic can read an API response, and encrypting data at rest protects stored records if the database or its backups are stolen.
Instead of readable data, an eavesdropper gets ciphertext that is useless without the key. Note the limit of this control, though: TLS protects the response from eavesdroppers, not from the legitimate client, which decrypts it and receives every field it contains. Encryption complements response filtering; it does not replace it.
4. Automate API Security Monitoring
An API is a complex system, and it is not uncommon for new vulnerabilities to appear as a direct result of fixing earlier ones.
Even if you have inspected every part of your code, you need a full API security check every time you update a build, release a new feature, or fix a few bugs.
Doing that manually is not realistic, because each round of API testing consumes considerable time and resources.
Automated API security testing tools address this by running the checks continuously and on every build, across hundreds of potential vulnerability classes, including responses that return fields the endpoint was never meant to expose.
APIsec provides exactly that: automated, comprehensive, and continuous API testing to keep your APIs protected.
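As an added example of the kind of check such a pipeline runs (this is illustrative code written for this page, not the original article's or APIsec's), the following Python compares a captured response against the endpoint's documented response contract and reports undeclared fields, plus any value that looks like a payment card number or an e-mail address even when the contract allows the field. The `GET /customers` contract, the field paths and both sample responses are constructed; the card number is the well-known Visa test number.

```python
"""Contract check for excessive data exposure, runnable in CI (added example).

check_response() compares a captured API response with the set of field paths
the endpoint is documented to return.  Undeclared fields are reported, and any
string value that looks like a payment card number (Luhn-valid) or an e-mail
address is reported even if the contract allows the field, so a careless
allowlist cannot wave sensitive data through.
"""
import re
from typing import Iterator, List, Optional, Set, Tuple


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell real card numbers from long numeric IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


CARD_RE = re.compile(r"^(?:\d[ -]?){12,18}\d$")  # 13-19 digits, spaces/dashes allowed
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def looks_sensitive(value: object) -> Optional[str]:
    """Return a label if the value resembles a sensitive datum, else None."""
    if not isinstance(value, str):
        return None
    if CARD_RE.match(value) and luhn_ok(re.sub(r"[ -]", "", value)):
        return "payment card number"
    if EMAIL_RE.match(value):
        return "e-mail address"
    return None


def flatten(obj: object, prefix: str = "") -> Iterator[Tuple[str, object]]:
    """Yield (dotted_path, leaf_value) for every leaf of nested dicts/lists."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from flatten(val, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from flatten(val, f"{prefix}{idx}.")
    else:
        yield prefix[:-1], obj


def check_response(response: object, contract: Set[str]) -> List[str]:
    """Return findings; an empty list means the response matches its contract."""
    findings: List[str] = []
    for path, value in flatten(response):
        # Collapse list indices so 'customers.0.real_name' matches the
        # contract entry 'customers[].real_name'.
        generic = re.sub(r"(?:^|\.)\d+(?=\.|$)", "[]", path)
        if generic not in contract:
            findings.append(f"{path}: field not in response contract")
        kind = looks_sensitive(value)
        if kind is not None:
            findings.append(f"{path}: value looks like a {kind}")
    return findings


# Constructed contract and captured responses for a hypothetical
# GET /customers endpoint serving the marketing campaign in the article.
MARKETING_CONTRACT = {"customers[].real_name", "customers[].location", "customers[].contact"}

LEAKY_RESPONSE = {
    "customers": [
        {
            "real_name": "John Doe",
            "location": "San Antonio, TX",
            "contact": "john.doe@example.com",  # declared, but sensitive
            "address": "514 W Commerce St, San Antonio, TX, USA",  # undeclared
            "creditCard": "4111 1111 1111 1111",  # undeclared and a Luhn-valid PAN
        }
    ]
}

FILTERED_RESPONSE = {
    "customers": [{"real_name": "John Doe", "location": "San Antonio, TX"}]
}


if __name__ == "__main__":
    for finding in check_response(LEAKY_RESPONSE, MARKETING_CONTRACT):
        print("FAIL", finding)
    print("filtered response findings:", check_response(FILTERED_RESPONSE, MARKETING_CONTRACT))
```

Run against recorded responses from each build, a non-empty finding list fails the pipeline, which is how a check like this catches a serializer change that starts returning the whole record before it reaches production. The Luhn filter keeps long numeric identifiers from being reported as card numbers.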