exploiting-excessive-data-exposure-in-api
Installation
SKILL.md
Exploiting Excessive Data Exposure in API
When to Use
- Testing APIs where the frontend displays a subset of data but the API response includes additional fields
- Assessing mobile application APIs where responses are designed for multiple client types and may contain excess data
- Identifying PII leakage in API responses that include email addresses, phone numbers, SSNs, or payment data not shown in the UI
- Testing GraphQL APIs where clients can request arbitrary fields including sensitive attributes
- Evaluating APIs after microservice refactoring where internal service-to-service data leaks into public endpoints
Do not use without written authorization. Data exposure testing involves capturing and analyzing potentially sensitive personal data.
Prerequisites
- Written authorization specifying target API endpoints and scope
- Burp Suite Professional or mitmproxy configured as intercepting proxy
- Two test accounts at different privilege levels (regular user and admin)
- Browser developer tools or mobile proxy setup for traffic capture
- Python 3.10+ with
requestsandjsonlibraries - API documentation (OpenAPI spec) for comparison against actual responses