lcimeni / chase


NowSecure dynamic analysis: API Subject to Excessive Data Exposure #43

Open lcimeni opened 2 years ago

lcimeni commented 2 years ago

Finding Description

This finding combines a number of different tests that identify any sensitive data found in a network stream. Individual findings can be referenced for the specific data being transmitted. As an example, this test will list any sensitive data sent over HTTP, but there will be a separate finding for each individual piece of data such as a username or password that can provide more detail.

Steps to Reproduce

It is easy to expose all object properties without considering their individual sensitivity, relying on clients to perform the data filtering before displaying it to the user. The issues displayed in the evidence table may also constitute an API excessive data exposure concern. Careful consideration should be given to the API endpoints in the evidence table and the issues observed, based on the organization's security and privacy standards.

Business Impact

APIs that are subject to excessive data exposure concerns may reveal more information than the developer intended. This could lead to privacy or security violations depending on the organization's standards.

Remediation Resources

Never rely on the client side to filter sensitive data. Review the responses from the API to make sure they contain only legitimate data.

Risk and Regulatory Information

Severity: info

Application

See more detail in the NowSecure Report
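The pattern this finding describes, as an added example (not code from this issue, the `chase` repository, or NowSecure): an endpoint that serializes a whole user record and leaves filtering to the client, beside a version that returns only an explicit allowlist of fields, plus a small response-review helper that walks a JSON body and reports keys that should never appear on the wire. The `User` record, its values, the allowlist and the sensitive-key list are constructed assumptions for illustration.

```python
"""Excessive data exposure: serialise-everything vs. explicit allowlist.

Added example, not part of the issue or the NowSecure report. The record
layout, field names and sample values below are constructed assumptions.
"""
import json
from dataclasses import asdict, dataclass


@dataclass
class User:
    # Assumed shape of a backend user object; only some of these belong in a public profile.
    id: int
    username: str
    email: str
    display_name: str
    password_hash: str
    session_token: str
    ssn: str


# Constructed sample record; every value is fake.
SAMPLE_USER = User(
    id=42,
    username="alice",
    email="alice@example.com",
    display_name="Alice",
    password_hash="$2b$12$constructed-hash",
    session_token="tok_constructed",
    ssn="000-00-0000",
)


def profile_response_vulnerable(user: User) -> str:
    # Dumps every attribute of the object and relies on the client to hide what
    # the user should not see. This is exactly the pattern the finding flags.
    return json.dumps(asdict(user))


# Assumed allowlist: the only fields a public profile endpoint is meant to return.
PUBLIC_PROFILE_FIELDS = ("id", "username", "display_name")


def profile_response_hardened(user: User, fields=PUBLIC_PROFILE_FIELDS) -> str:
    # Explicit allowlist: only named fields reach the wire. A sensitive attribute
    # added to User later stays unexposed until someone deliberately adds it here.
    data = asdict(user)
    return json.dumps({k: data[k] for k in fields})


# Assumed list of key names that should never appear in an API response body.
SENSITIVE_FIELD_NAMES = {"password", "password_hash", "session_token", "ssn", "secret", "api_key"}


def review_response(body: str) -> list:
    """Return dotted paths of sensitive-looking keys found anywhere in a JSON body.

    Recurses through nested objects and arrays so a leaked field inside
    `user.tokens[0]` is reported with its full path.
    """
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}.{key}" if path else key
                if key.lower() in SENSITIVE_FIELD_NAMES:
                    found.append(child)
                walk(value, child)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")

    walk(json.loads(body), "")
    return found


def response_keys(body: str) -> list:
    """Top-level keys of a JSON object response, in order, for comparing the two handlers."""
    return list(json.loads(body).keys())


if __name__ == "__main__":
    for name, handler in (("vulnerable", profile_response_vulnerable), ("hardened", profile_response_hardened)):
        body = handler(SAMPLE_USER)
        print(name, "keys:", response_keys(body), "leaks:", review_response(body))
```

The review helper is the server-side counterpart of the remediation advice: run it (or an equivalent check in your integration tests) over real responses from each endpoint so that a newly added model attribute shows up as a failing test rather than in a dynamic-analysis report.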