API3:2023 - Excessive Data Exposure

This vulnerability occurs when APIs return more data than necessary, exposing sensitive information that should have been filtered or masked on the server side.

Understanding why this vulnerability exists

This security risk exists because APIs return complete data objects without any filtering at all. A typical example is a generic endpoint that returns entire database records.

Real World Examples

Example 1: User Profile Endpoint

Intended use - client displays only public information:

GET kong.nonamesec.org/normal/users

API Response (excessive data exposure):

{
    "22": {
        "identification": "1-0021-1234",
        "name": "Sergio",
        "email": "sergio@company.com",
        "password": "SuperSecret123!",
        "ssn": "123-45-6789",
        "credit_card": "4532-1234-5678-9010",
        "api_key": "sk_live_51234567890abcdef"
    },
    "98": {
        "identification": "1-9954-5647",
        "name": "Zack",
        "email": "zack@company.com",
        "password": "Password123",
        "ssn": "987-65-4321",
        "credit_card": "5425-2334-3010-9876",
        "api_key": "sk_live_98765432109876543"
    },
    "12": {
        "identification": "1-9843-6433",
        "name": "Gabriel",
        "email": "gabriel@company.com",
        "password": "MyP@ssw0rd",
        "ssn": "456-78-9012",
        "credit_card": "3782-822463-10005",
        "api_key": "sk_live_abcdefghijklmnop"
    },
    "27": {
        "identification": "1-1022-5678",
        "name": "Diana",
        "email": "diana@company.com",
        "password": "Diana2024!",
        "ssn": "789-01-2345",
        "credit_card": "6011-1111-1111-1117",
        "api_key": "sk_live_qrstuvwxyz123456"
    }
}

The API exposes sensitive fields such as password, ssn, credit_card, and api_key that should never be returned to a client.

What are the common methods to prevent Excessive Data Exposure?

Controls                 | Prevents Excessive Data Exposure
-------------------------|---------------------------------
Authentication           | ❌ No
Authorization            | ✅ Yes
Schema-based responses   | ✅ Yes
Field filtering          | ✅ Yes

How did we actually remediate this in the current solution?

In this exercise, where we present an insecure and a secure API, we tried wherever possible to rely on Kong's API Gateway as the source of our protection. However, for Excessive Data Exposure, the most effective solution required changes at the server-side level to implement proper response filtering.

Available Kong Plugins we utilized:

However, while Kong's response transformer provides an additional layer of protection, the primary remediation was limiting access to the administrator user only. This ensures no one else can reach the endpoint, but fixing excessive data exposure itself still comes down to making a change on the server.
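As an added illustration of the server-side change described above (example code, not the guide's or Kong's own), the following Python module places the vulnerable "return the whole record" behaviour beside a schema-based serializer that only emits allowlisted fields, and adds a check that flags any sensitive field still present in a response. The sample records and the two roles ("anonymous" and "admin") are constructed for the example and are not part of the original solution.

```python
# Added example, not the guide's own code: schema-based response filtering
# beside the vulnerable behaviour, plus a leak check usable in tests or CI.
from typing import Any

# Constructed sample records, modelled on the response shown in Example 1.
USERS: dict[int, dict[str, Any]] = {
    22: {"identification": "1-0021-1234", "name": "Sergio",
         "email": "sergio@company.com", "password": "SuperSecret123!",
         "ssn": "123-45-6789", "credit_card": "4532-1234-5678-9010",
         "api_key": "sk_live_51234567890abcdef"},
    98: {"identification": "1-9954-5647", "name": "Zack",
         "email": "zack@company.com", "password": "Password123",
         "ssn": "987-65-4321", "credit_card": "5425-2334-3010-9876",
         "api_key": "sk_live_98765432109876543"},
}

# Response schemas: an allowlist of fields per caller role (roles are an
# assumption of this example). A field that is not listed is never
# serialized, so a column added to the database later does not leak by
# default, which is the failure mode of a denylist approach.
RESPONSE_SCHEMAS = {
    "anonymous": frozenset({"identification", "name"}),
    "admin": frozenset({"identification", "name", "email"}),
}

# Fields that must never appear in any response, used by the leak check.
SENSITIVE_FIELDS = frozenset({"password", "ssn", "credit_card", "api_key"})


def vulnerable_list_users() -> dict[str, dict[str, Any]]:
    """The insecure endpoint: hands back whole database records."""
    return {str(uid): dict(rec) for uid, rec in USERS.items()}


def secure_list_users(role: str) -> dict[str, dict[str, Any]]:
    """Schema-based response: only allowlisted fields reach the client.
    Unknown roles fall back to the least-privileged schema."""
    schema = RESPONSE_SCHEMAS.get(role, RESPONSE_SCHEMAS["anonymous"])
    return {str(uid): {f: rec[f] for f in schema if f in rec}
            for uid, rec in USERS.items()}


def leaked_fields(response: dict[str, dict[str, Any]]) -> set[str]:
    """Which sensitive fields does a serialized response still contain?
    An empty set means the response is clean."""
    return {f for rec in response.values() for f in rec} & SENSITIVE_FIELDS


if __name__ == "__main__":
    print("vulnerable leaks:", sorted(leaked_fields(vulnerable_list_users())))
    print("secure leaks:", sorted(leaked_fields(secure_list_users("admin"))))
```

Running `leaked_fields` against every endpoint's serializer in the test suite turns the table above into an enforceable check rather than a guideline.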