A3: Excessive Data Exposure

00:00

everyone welcome back to the course. So in this video, we're gonna talk about the third item on the a wasp ap I security top 10 list, which is excessive data exposure.

00:10

So we're gonna talk about what it is. We'll also talk about ways that we can prevent or mitigate against it.

00:16

So what is excessive data exposure? As the name implies, it's when an attacker or someone else doesn't ap I call, and then basically they get more data than they should. So, for example, if I was an attacker, I do in a PR called directly. And then I get all sorts of sensitive data back

00:33

so we'll talk about ways that we can mitigate or prevent against this. So number one taking an inventory of what are our weaknesses in our A p I

00:43

and then also we want to think through what kind of response checks do we have in place? So as someone makes an a P, I call, we want to make sure that we trimmed down the response that they're getting to just what they actually need. Just the data that they actually need. We can also do things like defining Sheamus of R AP I responses as well as

01:00

assessing our air response is very important. One there.

01:06

We can also identify what is our sensitive data. So what kind of sense of data do we have and then justify, like, why is it actually being used? Why would we return that data in this particular AP I call

01:17

and then we can enforce thes response checks as well to help us prevent against data leakage. So accidental data leakage or exception leaks right where it Attackers trying to get additional information that they shouldn't.

01:32

So a quick, quick, quick question here it's important. It's not important. Excuse me to analyze their responses as part of excessive data exposure mitigation. Is that one true or false?

01:44

All right, if you guess false, you are correct. So again, assessing those air responses is an important thing because we want to make sure that when an attacker is attempting various ap I calls and trying to get more data from us, we don't want to give them extra information in the air response that they can then leverage to actually go get our data.