You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
|Since API are used as data sources, many times while writing the APIs developers try to implement them in a very generic way, without thinking about the sensitivity of the exposed data. They rely on clients to perform the data filtering before showing it to the user. || Frequently sensitive object properties are exposed such as those holding PII protected by law or regulation (e.g. GDPR), authentication data or meaningful resources relationships. |
5
+
| - | - | - |
6
+
|API Specific : Exploitability **3**| Prevalence **2** : Detectability **2**| Technical **2** : Business Specific|
7
+
|Exploitation of improper data filtering is simple, and is usually done by using different clients while sniffing the traffic they produce to analyze the API responses and look for sensitive data exposure that should not be returned to the user. |APIs rely on clients to perform the data filtering.Since APIs are used as data sources, sometimes developers try to implement them in a generic way without thinking about the sensitivity of the exposed data. Automatic tools usually can’t detect this type of vulnerability because it’s hard to differentiate between legitimate data returned from the API and sensitive data that should not be returned without a deep understanding of the application. | Improper Data Filtering commonly leads to exposure of sensitive data. |
8
8
9
9
## Is the API Vulnerable?
10
10
11
+
There are two types of Improper Data Filtering:
12
+
13
+
***Client Side Data Filtering**: The API returns sensitive data to the client
14
+
by design. This data is usually filtered on the client side before being
15
+
presented to the user. An attacker can easily sniff the traffic and see the
16
+
sensitive data.
17
+
***Filter Manipulation**: the API performs data filtering in an unsafe manner
18
+
based on filters from the client. An attacker can send malicious filters
19
+
causing the API to return sensitive data they should not be exposed to.
20
+
11
21
## Example Attack Scenarios
12
22
13
23
### Scenario #1
14
24
15
-
The mobile team uses the `/api/articles/{articleId}/comments/{commendId}`
16
-
endpoint in the articles view to render some comments metadata. Sniffing the
17
-
mobile app traffic an attacker finds out that other sensitive data is also
18
-
returned. The endpoint implementation uses a generic `toJSON()` method on the
19
-
`User` model to serialize the object.
25
+
The mobile team uses the `/api/articles/{articleId}/comments/{commentId}`
26
+
endpoint in the articles view to render comments metadata. Sniffing the mobile
27
+
application traffic an attacker finds out that other sensitive data related to
28
+
comment’s author, is also returned. The endpoint implementation uses a generic
29
+
`toJSON()` method on the `User` model, which contains PII, to serialize the
30
+
object.
20
31
21
32
### Scenario #2
22
33
23
34
An open source team chat solution provides the endpoint `/api/v1/users.list`
24
35
which supports two parameters: `query` and `fields`. Using a regular user
25
-
account and manipulating both parameters an attacker can enumerate `admin`
26
-
accounts, exposing sensitive information such as the password reset token: `GET
0 commit comments