exploiting-excessive-data-exposure-in-api

Featured

Tests APIs for excessive data exposure where endpoints return more data than the client application needs, relying on the frontend to filter sensitive fields. The tester intercepts API responses and analyzes them for leaked PII, internal identifiers, debug information, or sensitive business data that the UI does not display but the API transmits. This maps to OWASP API3:2023 Broken Object Property Level Authorization. Activates for requests involving API data leakage testing, excessive data exposure, response filtering bypass, or API over-fetching.

API & Backend 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 99/100

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Exploiting Excessive Data Exposure in API

## When to Use

- Testing APIs where the frontend displays a subset of data but the API response includes additional fields
- Assessing mobile application APIs where responses are designed for multiple client types and may contain excess data
- Identifying PII leakage in API responses that include email addresses, phone numbers, SSNs, or payment data not shown in the UI
- Testing GraphQL APIs where clients can request arbitrary fields including sensitive attributes
- Evaluating APIs after microservice refactoring where internal service-to-service data leaks into public endpoints

**Do not use** without written authorization. Data exposure testing involves capturing and analyzing potentially sensitive personal data.

## Prerequisites

- Written authorization specifying target API endpoints and scope
- Burp Suite Professional or mitmproxy configured as intercepting proxy
- Two test accounts at different privilege levels (regular user and admin)
- Browser developer tools or mobile proxy setup for traffic capture
- Python 3.10+ with `requests` and `json` libraries
- API documentation (OpenAPI spec) for comparison against actual responses

> **Legal Notice:** This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.

## Workflow

### Step 1: Response Schema Discovery

Compare documented A...

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

testing-for-sensitive-data-exposure

Identifying sensitive data exposure vulnerabilities including API key leakage, PII in responses, insecure storage, and unprotected data transmission during security assessments.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-broken-object-property-level-authorization

Detect and test for OWASP API3:2023 Broken Object Property Level Authorization vulnerabilities including excessive data exposure and mass assignment attacks.

12,642 Updated today
mukul975
API & Backend Featured

exploiting-api-injection-vulnerabilities

Tests APIs for injection vulnerabilities including SQL injection, NoSQL injection, OS command injection, LDAP injection, and Server-Side Request Forgery (SSRF) through API parameters, headers, and request bodies. The tester crafts malicious payloads targeting different backend technologies and injection contexts to extract data, execute commands, or access internal services. Maps to OWASP API8:2023 Security Misconfiguration and API7:2023 SSRF. Activates for requests involving API injection testing, SQLi in APIs, NoSQL injection, SSRF testing, or API input validation assessment.

12,642 Updated today
mukul975
API & Backend Featured

exploiting-mass-assignment-in-rest-apis

Discover and exploit mass assignment vulnerabilities in REST APIs to escalate privileges, modify restricted fields, and bypass authorization controls by injecting unexpected parameters in API requests.

12,642 Updated today
mukul975
API & Backend Listed

api-breaker

Automated API security testing starting from domains. Discovers REST, GraphQL, and SOAP APIs, reconstructs schemas, and tests for BOLA/IDOR, BFLA, mass assignment, JWT attacks, rate limiting bypass, and business logic flaws. Use when user asks to "test API security", "break API", "find API vulnerabilities", "test GraphQL", "test JWT", "API pentest", or provides domains with API endpoints. For authorized testing only.

31 Updated today
KaQus