130n@calvinlai.com
  • About Calvin Lai (fkclai)
  • My Work
  • Cyber Security
    • Cyber Security Centre (CSC)
      • Why we need a CSC
      • CSC Team Structure: Roles, Functions, and Tools
        • Key Function & Role
        • Tools & Platforms
        • People
        • Outsource Strategy
      • HRMC Executive Paper
  • Detection and Response
    • Playbook: Threat Prioritization & Automated Response Strategies
      • Scenario: Detecting and Mitigating a Ransomware Attack
      • Scenario: DC Sync Attack Detected and Mitigated
      • Scenario: Pass-the-Hash (PtH) Attack Detected and Contained
      • Scenario: Phishing Campaign with Malware / Credential Theft Detected and Mitigated
  • Application Architecture
    • Comparison of MVC , N-tier and Microservice Architecture
  • Application Security
    • OAuth, SAML, and OpenID Connect: Key Differences and Use Cases
    • Secure Coding Principles
    • HTTP Header Security Principles
    • Mitigating Broken Object Level Authorization (BOLA)
    • Spring Boot Validation
    • Output Encoding in JavaServer Faces (JSF)
    • Session Management Security Issues
    • Common API Security Problems
      • Broken Authentication
      • Excessive Data Exposure
      • Lack of Resources & Rate Limiting
      • Broken Function Level Authorization
      • Unsafe Consumption of APIs
    • JAVA Exception Handling
    • File Upload Validation
    • OAuth 2.0 Security
      • Insecure Storage of Access Tokens
    • Microservice Security
      • Sample Coding Demo
        • Service Implementation
        • Client Interaction
      • Security Solution for Microservices Architecture
    • Modifying and Protecting Java Class Files
      • Modify a Class File Inside a WAR File
      • Direct Bytecode Editing
        • Steps to Directly Edit a Java Class File
          • Update: Java Bytecode Editing Tools
      • Techniques to Protect Java Class Files
        • Runtime Decryption in WebLogic
    • JAVA Program
      • Secure, Concurrent Web Access Using Java and Tor
      • Creating a Maven Java project in Visual Studio Code
  • Exploit/CVE PoC
    • ZeroLogon Exploit
    • Remote Retrieved Chrome saved Encrypted Password
    • Twitter Control an RCE attack
  • Hacking Report (HTB)
    • Hits & Summary
      • Tools & Cheat Sheet
    • Windows Machine
      • Love 10.10.10.239
      • Blackfield 10.10.10.192
      • Remote 10.10.10.180
      • Sauna 10.10.10.175
      • Forest 10.10.10.161
      • Sniper
      • Json
      • Heist
      • Blue
      • Legacy
      • Resolute
      • Cascade
    • Linux Machine
      • Photobomb 10.10.11.182
      • Pandora 10.10.11.136
      • BountyHunter 10.10.11.100
      • CAP 10.10.10.245
      • Spectra 10.10.10.229
      • Ready 10.10.10.220
      • Doctor 10.10.10.209
      • Bucket 10.10.10.212
      • Blunder 10.10.10.191
      • Registry 10.10.10.159
      • Magic
      • Tabby
  • Penetration Testing
    • Web Application PenTest
    • Network/System PenTest
    • Mobile Penetration Test
      • Certificate Pinning
        • Certificate Pinning Bypass (Android)
          • Root a Android Device
          • Setup Proxy Tool - Burp Suite
      • Checklist
  • Threat Intelligence
    • Advanced Persistent Threat (APT) groups
      • North Korean APT Groups
      • Chinese APT Groups
      • Russian APT Groups
      • Other APT
  • Red Team (Windows)
    • 01 Reconnaissance
    • 02 Privileges Escalation
    • 03 Lateral Movement
    • 04 AD Attacks
      • DCSync
    • 05 Bypass-Evasion
    • 06 Kerberos Attack
    • 99 Basic Command
  • Exploitation Guide
    • 01 Reconnaissance
    • 02 Port Enumeration
    • 03 Web Enumeration
    • 04 Windows Enum & Exploit
      • Windows Credential Dumping
        • Credential Dumping: SAM
        • Credential Dumping: DCSync
      • Kerberos Attack
      • RDP
    • 05 File Enumeration
    • 06 Reverse Shell Cheat Sheet
      • Windows Reverse Shell
      • Linux Reverse Shell
    • 07 SQL Injection
    • 08 BruteForce
    • 09 XSS Bypass Checklist
    • 10 Spring Boot
    • 11 WPA
    • 12 Payload list
  • Vuln Hub (Writeup)
    • MrRobot
    • CYBERRY
    • MATRIX 1
    • Node-1
    • DPwwn-1
    • DC7
    • AiWeb-2
    • AiWeb-1
    • BrainPan
  • CTF (Writeup & Tips)
    • CTF Tools & Tips
    • Hacker One
    • CTF Learn
    • P.W.N. University - CTF 2018
    • HITCON
    • Pwnable
      • 01 Start
  • Useful Command/Tools
    • Kali
    • Windows
    • Linux
  • Offensive Security Lab & Exam
    • Lab
    • Tools for an Offensive Certification
      • Strategy for an Offensive Exam Certification
        • CVEs
        • Privilege Escalation
        • Commands
        • Impacket
  • ISO 27001
    • Disclaimer
    • What is ISO 27001
      • Implementation
    • Documentation
    • Common Mistake
    • Q&A
      • Can internal audit to replace the risk assessment
      • Is it sufficient for only the IT department head to support the ISO 27001 program
      • Does the Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) are the same?
    • ISO 27001 Controls and Domains
      • 1. Information Security Policies
      • 2. Organization of Information Security
      • 3. Human Resource Security
      • 4. Asset Management
      • 5. Access Control
      • 6. Cryptographic Controls
      • 7. Physical and Environmental Security
      • 8: Operational Security
      • 9. Communications Security
      • 10. System Acquisition, Development, and Maintenance
      • 11. Supplier Relationships
      • 12: Information Security Incident Management
      • 13. Information Security Aspects of Business Continuity Management
      • 14. Compliance
Powered by GitBook
On this page
  • What is Excessive Data Exposure?
  • Vulnerable Code and Secure Code Example
  • Key Points for Developers
  • Summary and Key Takeaways
  • Reference Links

Was this helpful?

  1. Application Security
  2. Common API Security Problems

Excessive Data Exposure

What is Excessive Data Exposure?

Excessive Data Exposure occurs when an API returns more data than necessary to fulfill a user's request. This can lead to several security risks, including data breaches, privacy concerns, and wasted resources.

Maps to OWASP Top 10

Excessive Data Exposure is categorized under A06:2021 - Vulnerable and Outdated Components in the OWASP Top 10. It highlights the importance of ensuring that APIs only return the data necessary for the intended action.

Vulnerable Code and Secure Code Example

Attack Scenario

Imagine an API endpoint designed to fetch user information. Instead of returning just the user's name and email, it returns the user's full address, phone number, and even payment information. This unnecessary data can be exploited by attackers to gain access to sensitive information.

Insecure Implementation (Prone to Excessive Data Exposure) Using Spring Data JPA

@Entity
public class User {
    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;
    private String name;
    private String email;
    private String address;
    private String phoneNumber;
    private String paymentInfo;

    // Getters and Setters
}

public interface UserRepository extends JpaRepository<User, Long> {
}

@RestController
@RequestMapping("/api")
public class UserController {

    @Autowired
    private UserRepository userRepository;

    @GetMapping("/user")
    public User getUser(@RequestParam Long userId) {
        // Fetch user from database
        User user = userRepository.findById(userId).orElse(null);

        // Return all user data, including sensitive information
        return user;
    }
}

Attack Payload Example:

curl http://localhost:8080/api/user?userId=123

In this case, the API returns all user data, including sensitive information like addresses and payment details.

Secure Implementation (Mitigating Excessive Data Exposure) Using Spring Data JPA and Subclass

@Entity
public class User {
    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;
    private String name;
    private String email;
    private String address;
    private String phoneNumber;
    private String paymentInfo;

    // Getters and Setters
}

public class UserSafeDTO {
    private String name;
    private String email;

    // Getters and Setters for name and email
}

public interface UserRepository extends JpaRepository<User, Long> {
}

@RestController
@RequestMapping("/api")
public class UserController {

    @Autowired
    private UserRepository userRepository;

    @GetMapping("/user")
    public UserSafeDTO getUser(@RequestParam Long userId) {
        // Fetch user from database
        User user = userRepository.findById(userId).orElse(null);

        if (user == null) {
            throw new UserNotFoundException("User not found");
        }

        // Return only necessary user data using a subclass
        UserSafeDTO safeUser = new UserSafeDTO();
        safeUser.setName(user.getName());
        safeUser.setEmail(user.getEmail());
        return safeUser;
    }
}

The secure implementation:

  • Uses a subclass (UserSafeDTO) to only return the necessary data (name and email) to the client.

  • Avoids exposing sensitive information like addresses and payment details by not including them in the subclass.

Key Points for Developers

  • Implement Data Minimization: Ensure APIs only return the data necessary for the intended action.

  • Use Proper Data Filtering: Implement filtering mechanisms to remove unnecessary data before sending it in the response.

  • Follow the Principle of Least Privilege: Grant access to the minimum amount of data required for each user's role or permission level.

  • Conduct Security Testing: Regularly test APIs for vulnerabilities related to excessive data exposure.

Summary and Key Takeaways

Excessive Data Exposure can lead to significant security risks, including data breaches and privacy concerns. By implementing data minimization, proper filtering, and following security best practices, developers can mitigate these risks and ensure robust API security.

Reference Links

PreviousBroken AuthenticationNextLack of Resources & Rate Limiting

Last updated 6 months ago

Was this helpful?

OWASP API Security Top 10:

Spring Security Documentation:

Spring Data JPA Documentation:

Hibernate ORM Documentation:

Data Transfer Object Pattern:

OWASP API Security Top 10
Spring Security Documentation
Spring Data JPA Documentation
Hibernate ORM Documentation
Data Transfer Object Pattern