Excessive Data Exposure
API3: Broken Object Property Level Authorization (BOPLA)
API Documentation
Understanding how to use API documentation is crucial for effective testing. API documentation typically includes sections like:
Overview: A high-level introduction to the API, plus authentication and rate-limiting information.
Functionality: Describes the actions the API offers, expressed as HTTP methods and endpoints.
Request Requirements: Specifies the authentication, parameters, path variables, headers, and body each request needs.
API Documentation Conventions
Path Variables: Indicated by a colon (:) or curly brackets ({}) in the endpoint. Example: /user/:id or /user/{id}.
Optional Input: Square brackets ([]) indicate optional input. Example: /api/v1/user?find=[name].
Multiple Values: Bars (| or ||) separate the possible values a field accepts. Example: "blue" | "green" | "red".
Understanding these conventions helps in creating well-formed requests and troubleshooting.
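The following is an added example, not code from the original page: a small renderer that turns endpoint templates written in the conventions above into concrete request targets, so a tester does not send a half-substituted path by mistake. The templates /user/:id, /user/{id} and ?find=[name] come from the page; the base URL, the parameter values and the alternatives string are made-up inputs.

```python
import re
from urllib.parse import urlencode

# Added example, not code from the original page. Templates follow the
# documentation conventions above; base URL and values are assumed/made up.

PATH_VAR = re.compile(r":(\w+)|\{(\w+)\}")   # /user/:id  or  /user/{id}
OPTIONAL = re.compile(r"\[(\w+)\]")           # ?find=[name]

def render_path(template, params):
    """Substitute path variables in either notation. A missing variable raises
    rather than sending a half-rendered path such as /user/:id to the server."""
    def substitute(match):
        name = match.group(1) or match.group(2)
        if name not in params:
            raise KeyError(f"missing path variable: {name}")
        return str(params[name])
    return PATH_VAR.sub(substitute, template)

def render_query(template, params):
    """Keep a [bracketed] optional input only when the caller supplied it;
    fixed key=value pairs are passed through unchanged."""
    pairs = []
    for part in template.lstrip("?").split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        optional = OPTIONAL.fullmatch(value)
        if optional is None:
            pairs.append((key, value))
        elif optional.group(1) in params:
            pairs.append((key, params[optional.group(1)]))
    return "?" + urlencode(pairs) if pairs else ""

def allowed_values(spec):
    """Parse a '"blue" | "green" | "red"' (or '||') list of alternatives into
    the values a request may legitimately use."""
    values = re.findall(r'"([^"]*)"', spec)
    leftover = re.sub(r'"[^"]*"', "", spec).replace("|", "").strip()
    if leftover:
        raise ValueError(f"unexpected text in alternatives list: {leftover!r}")
    return values

def build_url(base, path_template, params, query_template=""):
    """Combine base URL (assumed local crAPI address), path and query."""
    return (base.rstrip("/")
            + render_path(path_template, params)
            + render_query(query_template, params))

if __name__ == "__main__":
    print(build_url("http://localhost:8888", "/user/{id}",
                    {"id": 7, "name": "alice"}, "?find=[name]"))
```

Feeding the documented template plus a dict of parameters into build_url gives a request that matches the documentation exactly, which makes a 400 or 404 during testing much easier to attribute to the server rather than to a typo.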
Using Swagger Editor with crAPI
Import the crAPI Swagger file into Swagger Editor.
Visualize the API endpoints, parameters, request bodies, and example responses.
Explore the various paths and note the object key naming schemes; these names are what you will later look for in live responses.
Editing Postman Collection Variables
Access collection editor in Postman.
Check and update the collection variables, especially baseUrl.
Updating Postman Collection Authorization
Use the Authorization tab in the collection editor.
Select the appropriate authorization type (e.g., Bearer Token).
Obtain a Bearer Token by authenticating against the API and store it in the collection so that every request inherits it.
Excessive Data Exposure
Ingredients:
Response includes more information than requested.
Sensitive information is exposed.
Example (request and response pair):
In this example, a request for a single user's record returns a response that also contains sensitive information about an administrator. The server serialised whole objects and left filtering to the client, which is the root cause of this weakness.
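As an added example, not code from the original page or from crAPI, the block below shows both ingredients in working form: a handler that serialises whole objects (the vulnerable shape) next to the same handler with an explicit property allow-list, plus a helper that walks a JSON response and reports where sensitive keys appear. The user records, the field names and the "admin" record are constructed for this example.

```python
import json

# Added example, not code from the original page. USERS is a constructed
# in-memory "database": one regular user and one administrator.
USERS = {
    1: {"id": 1, "name": "alice", "email": "alice@example.com",
        "role": "user", "password_hash": "$2b$12$...", "api_key": "key-alice"},
    2: {"id": 2, "name": "root", "email": "admin@example.com",
        "role": "admin", "password_hash": "$2b$12$...", "api_key": "key-admin"},
}

def get_user_vulnerable(user_id):
    """Excessive data exposure: returns the stored object as-is, plus every
    other user, and relies on the client to pick what it displays."""
    return json.dumps({"user": USERS[user_id],
                       "all_users": list(USERS.values())})

PUBLIC_FIELDS = ("id", "name")   # allow-list; everything else stays server-side

def get_user_hardened(user_id):
    """Same endpoint with property-level authorization: serialise only the
    fields this caller may see, and only for the object that was requested."""
    user = USERS[user_id]
    return json.dumps({"user": {k: user[k] for k in PUBLIC_FIELDS}})

# Key names a tester looks for in responses; illustrative, not exhaustive.
SENSITIVE_KEYS = {"password", "password_hash", "api_key", "token",
                  "secret", "role", "email"}

def find_exposed(payload, path="$"):
    """Walk a decoded JSON body and return (json-path, key) pairs for every
    sensitive key, so a Repeater response can be triaged quickly."""
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            if key.lower() in SENSITIVE_KEYS:
                hits.append((f"{path}.{key}", key))
            hits.extend(find_exposed(value, f"{path}.{key}"))
    elif isinstance(payload, list):
        for i, value in enumerate(payload):
            hits.extend(find_exposed(value, f"{path}[{i}]"))
    return hits

def exposed_paths(response_text):
    """Convenience wrapper: raw response body -> list of offending paths."""
    return [p for p, _ in find_exposed(json.loads(response_text))]

if __name__ == "__main__":
    for name, handler in (("vulnerable", get_user_vulnerable),
                          ("hardened", get_user_hardened)):
        print(name, exposed_paths(handler(1)))
```

The hardened version is the shape BOPLA fixes require: decide on the server, per property, what the caller is entitled to, instead of returning the model and trusting the front end to hide fields.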
Identifying Excessive Data Exposure in crAPI
Explore GET requests in crAPI Swagger.
Check the GET /identity/api/v2/user/dashboard request. Identify interesting object key names (e.g., "id", "name", "email").
Explore other endpoints, e.g., GET /community/api/v2/community/posts/recent.
Use Burp Suite's Proxy to capture the API requests, then replay them in Repeater and read the full response body; the sensitive fields are often present even though the web UI never displays them.
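To make the hunt above repeatable across a large Swagger file, here is an added example (not code from the original page or from crAPI) that walks an OpenAPI 3 document, lists the property names each GET operation's documented 2xx responses expose, and flags the interesting ones. The two paths are the ones named above; the schemas under them are constructed for this example and are not crAPI's real definitions, and the INTERESTING key list is an assumption you should extend.

```python
import json

# Added example, not code from the original page or crAPI. The spec below is
# constructed; only the two path strings are taken from the page.

INTERESTING = {"id", "name", "email", "password", "token", "role",
               "api_key", "credit_card"}

def schema_keys(schema, components, seen=None):
    """Collect property names reachable from a schema, following $ref and
    array items; `seen` stops recursion on self-referencing schemas."""
    seen = set() if seen is None else seen
    if not isinstance(schema, dict):
        return set()
    ref = schema.get("$ref")
    if ref:
        if ref in seen:
            return set()
        seen.add(ref)
        name = ref.rsplit("/", 1)[-1]
        target = components.get("schemas", {}).get(name, {})
        return schema_keys(target, components, seen)
    keys = set()
    for prop, sub in schema.get("properties", {}).items():
        keys.add(prop)
        keys |= schema_keys(sub, components, seen)
    if "items" in schema:
        keys |= schema_keys(schema["items"], components, seen)
    return keys

def get_response_keys(spec):
    """Map 'GET /path' -> sorted property names across its 2xx responses."""
    components = spec.get("components", {})
    result = {}
    for path, ops in spec.get("paths", {}).items():
        get = ops.get("get")
        if not get:
            continue
        keys = set()
        for status, resp in get.get("responses", {}).items():
            if not str(status).startswith("2"):
                continue
            for media in resp.get("content", {}).values():
                keys |= schema_keys(media.get("schema", {}), components)
        result[f"GET {path}"] = sorted(keys)
    return result

def flag_interesting(spec):
    """Keep only the keys worth chasing in Repeater, per endpoint."""
    return {ep: [k for k in keys if k.lower() in INTERESTING]
            for ep, keys in get_response_keys(spec).items()}

def load_spec(path):
    """Load a downloaded Swagger/OpenAPI JSON file from disk."""
    with open(path) as f:
        return json.load(f)

# Constructed spec: paths from the page, schemas invented for illustration.
SPEC = {
    "openapi": "3.0.0",
    "paths": {
        "/identity/api/v2/user/dashboard": {"get": {"responses": {"200": {
            "content": {"application/json": {"schema": {
                "$ref": "#/components/schemas/Dashboard"}}}}}}},
        "/community/api/v2/community/posts/recent": {"get": {"responses": {"200": {
            "content": {"application/json": {"schema": {
                "type": "array", "items": {"$ref": "#/components/schemas/Post"}}}}}}}},
    },
    "components": {"schemas": {
        "Dashboard": {"type": "object", "properties": {
            "id": {}, "name": {}, "email": {}, "available_credit": {}}},
        "Post": {"type": "object", "properties": {
            "id": {}, "title": {}, "content": {},
            "author": {"$ref": "#/components/schemas/Author"}}},
        "Author": {"type": "object", "properties": {
            "nickname": {}, "email": {}, "vehicleid": {}}},
    }},
}

if __name__ == "__main__":
    for endpoint, keys in flag_interesting(SPEC).items():
        print(endpoint, keys)
```

Run it against the real crAPI Swagger file with load_spec and compare the documented keys with what Repeater actually returns: properties that appear in a live response but nowhere in the documentation are the strongest excessive-data-exposure candidates, because nobody decided they should be there.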
Understanding API documentation, conventions, and identifying excessive data exposure vulnerabilities are crucial steps in API security testing.