A3: Excessive Data Exposure

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
1 hour 43 minutes
Difficulty
Beginner
CEU/CPE
2
Video Transcription
00:00
everyone welcome back to the course. So in this video, we're gonna talk about the third item on the a wasp ap I security top 10 list, which is excessive data exposure.
00:10
So we're gonna talk about what it is. We'll also talk about ways that we can prevent or mitigate against it.
00:16
So what is excessive data exposure? As the name implies, it's when an attacker or someone else doesn't ap I call, and then basically they get more data than they should. So, for example, if I was an attacker, I do in a PR called directly. And then I get all sorts of sensitive data back
00:33
so we'll talk about ways that we can mitigate or prevent against this. So number one taking an inventory of what are our weaknesses in our A p I
00:43
and then also we want to think through what kind of response checks do we have in place? So as someone makes an a P, I call, we want to make sure that we trimmed down the response that they're getting to just what they actually need. Just the data that they actually need. We can also do things like defining Sheamus of R AP I responses as well as
01:00
assessing our air response is very important. One there.
01:06
We can also identify what is our sensitive data. So what kind of sense of data do we have and then justify, like, why is it actually being used? Why would we return that data in this particular AP I call
01:17
and then we can enforce thes response checks as well to help us prevent against data leakage. So accidental data leakage or exception leaks right where it Attackers trying to get additional information that they shouldn't.
01:32
So a quick, quick, quick question here it's important. It's not important. Excuse me to analyze their responses as part of excessive data exposure mitigation. Is that one true or false?
01:44
All right, if you guess false, you are correct. So again, assessing those air responses is an important thing because we want to make sure that when an attacker is attempting various ap I calls and trying to get more data from us, we don't want to give them extra information in the air response that they can then leverage to actually go get our data.
02:04
So in this video, we just talked about excessive data exposure. We talked about what it actually is. A swell as some ways to prevent or mitigate against it.
Up Next
Introduction to the OWASP API Security Top 10

The Introduction to the OWASP API Security Top 10 course will teach students why API security is needed. Students will get a brief refresher on the CIA triad and AAA, then move into learning about the OWASP Top 10 from an API security perspective.

Instructed By