exploiting-excessive-data-exposure-in-api


Exploiting Excessive Data Exposure in API

When to Use

  • Testing APIs where the frontend displays a subset of data but the API response includes additional fields
  • Assessing mobile application APIs where responses are designed for multiple client types and may contain excess data
  • Identifying PII leakage in API responses that include email addresses, phone numbers, SSNs, or payment data not shown in the UI
  • Testing GraphQL APIs where clients can request arbitrary fields including sensitive attributes
  • Evaluating APIs after microservice refactoring where internal service-to-service data leaks into public endpoints

Do not use without written authorization. Data exposure testing involves capturing and analyzing potentially sensitive personal data.

Prerequisites

  • Written authorization specifying target API endpoints and scope
  • Burp Suite Professional or mitmproxy configured as intercepting proxy
  • Two test accounts at different privilege levels (regular user and admin)
  • Browser developer tools or mobile proxy setup for traffic capture
  • Python 3.10+ with the requests library (json is part of the standard library)
  • API documentation (OpenAPI spec) for comparison against actual responses

Installs: 26
GitHub Stars: 6.2K
First Seen: Mar 15, 2026