Merge branch 'feature/move-filter-manipulation' into develop

Author: PauloASilva

2019/en/src/0xa3-excessive-data-exposure.md

@@ -4,19 +4,13 @@ A3:2019 Excessive Data Exposure
 | Threat agents/Attack vectors | Security Weakness | Impacts |
 | - | - | - |
 | API Specific : Exploitability **3** | Prevalence **2** : Detectability **2** | Technical **2** : Business Specific |
-| Exploitation of excessive data exposure is simple, and is usually done by using different clients while sniffing the traffic they produce to analyze the API responses and look for sensitive data exposure that should not be returned to the user. | APIs rely on clients to perform the data filtering. Since APIs are used as data sources, sometimes developers try to implement them in a generic way without thinking about the sensitivity of the exposed data. Automatic tools usually can’t detect this type of vulnerability because it’s hard to differentiate between legitimate data returned from the API and sensitive data that should not be returned without a deep understanding of the application. | Excessive Data Exposure commonly leads to exposure of sensitive data. |
+| Exploitation of Excessive Data Exposure is simple, and is usually done by sniffing the traffic to analyze the API responses looking for sensitive data exposure that should not be returned to the user. | APIs rely on clients to perform the data filtering. Since APIs are used as data sources, sometimes developers try to implement them in a generic way without thinking about the sensitivity of the exposed data. Automatic tools usually can’t detect this type of vulnerability because it’s hard to differentiate between legitimate data returned from the API and sensitive data that should not be returned without a deep understanding of the application. | Excessive Data Exposure commonly leads to exposure of sensitive data. |
 
 ## Is the API Vulnerable?
 
-There are two types of Excessive Data Exposure:
-
-* **Client Side Data Filtering**: The API returns sensitive data to the client
-  by design. This data is usually filtered on the client side before being
-  presented to the user. An attacker can easily sniff the traffic and see the
-  sensitive data.
-* **Filter Manipulation**: the API performs data filtering in an unsafe manner
-  based on filters from the client. An attacker can send malicious filters
-  causing the API to return sensitive data they should not be exposed to.
+The API returns sensitive data to the client by design. This data is usually
+filtered on the client side before being presented to the user. An attacker can
+easily sniff the traffic and see the sensitive data.
 
 ## Example Attack Scenarios
 
@@ -31,22 +25,31 @@ object.
 
 ### Scenario #2
 
-An open source team chat solution provides the endpoint `/api/v1/users.list`
-which supports two parameters: `query` and `fields`. Using a regular user
-account and manipulating both parameters an attacker can enumerate admin
-accounts, exposing sensitive information such as the password reset token:
-`GET /api/v1/users.list?query={“roles”:{$in:“admin”}}&fields={“services.password.reset”:1, “username”:1”, “email.0”:1}`.
-Via password reset, the attacker can takeover one of the admin accounts.
+An IOT-based surveillance system allows administrators to create users with
+different permissions.
+An admin created a user for a new security guard that should have access only to
+specific buildings in the site.
+Once the security guard uses his mobile app, an API call is triggered to:
+`"/api/sites/111/cameras"` in order to receive data about the available cameras
+and show them on the dashboard.
+The response contains a list with details about cameras in the following format:
+`{"id":"xxx","live_access_token":"xxxx-bbbbb","building_id":"yyy"}`
+While the client GUI shows only cameras which the security guard should have
+access to, the actual API response contains a full list of all the cameras in
+the site.
 
 ## How To Prevent
 
 * Never rely on the client side to perform sensitive data filtering.
 * Review the responses from the API to make sure they contain only legitimate
   data.
-* Be careful when performing data filtering based on filters from the client.
 
 ## References
 
 ### OWASP
 
 ### External
+
+* [CWE-213: Intentional Information Exposure][1]
+
+[1]: https://cwe.mitre.org/data/definitions/213.html