# Excessive Data Exposure

### API Documentation

Understanding how to use API documentation is crucial for effective testing. API documentation typically includes sections like:

1. **Overview:** Provides a high-level introduction, authentication, and rate-limiting information.
2. **Functionality:** Describes actions using HTTP methods and endpoints.
3. **Request Requirements:** Specifies authentication, parameters, path variables, headers, and body information.

#### API Documentation Conventions

* **Path Variables:** Indicated by a colon (`:`) or curly brackets (`{}`) in the endpoint. Example: `/user/:id` or `/user/{id}`.
* **Optional Input:** Square brackets (`[]`) indicate optional input. Example: `/api/v1/user?find=[name]`.
* **Multiple Values:** Vertical bars (`|`) separate the alternative values a field accepts. Example: `"blue" | "green" | "red"`.

Understanding these conventions helps in creating well-formed requests and troubleshooting.

### Using Swagger Editor with crAPI

1. Import crAPI Swagger file into Swagger Editor.
2. Visualize API endpoints, parameters, request body, and example responses.
3. Explore various paths and understand object key naming schemes.

### Editing Postman Collection Variables

1. Access collection editor in Postman.
2. Check and update collection variables, especially the `baseUrl`.

### Updating Postman Collection Authorization

1. Use the Authorization tab in the collection editor.
2. Select the appropriate authorization type (e.g., Bearer Token).
3. Obtain a Bearer Token through authentication and update the collection.

### Excessive Data Exposure

#### Ingredients:

* Response includes more information than requested.
* Sensitive information is exposed.

#### Example:

**Request**

```http
GET /api/v1/user?find=CloudStrife
```

**Response**

```http
HTTP/1.1 200 OK

{
  "id": "5501",
  "fname": "Cloud",
  "lname": "Strife",
  "privilege": "user",
  "representative": [
    {
      "name": "Don Coreneo",
      "id": "2203",
      "email": "dcorn@gmail.com",
      "privilege": "admin",
      "MFA": false
    }
  ]
}
```

In this example, sensitive information about an administrator is exposed along with the requested user's information.
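The exchange above, as an added example that is not part of the original page: a handler that serializes the whole stored record (the vulnerable pattern) next to one that builds the response from an explicit field allowlist, plus a small checker that lists every key path in a response the documentation does not cover. The handler names, the `PUBLIC_USER_FIELDS` allowlist and the stored record are constructed for illustration; the record mirrors the page's sample response.

```python
"""Excessive data exposure: vulnerable serialization beside its fix.

Added example, not code from the page or from any project it mentions.
The functions, the allowlist and USER_RECORD below are constructed.
"""
import json

# Constructed sample: the full record as the backend stores it (mirrors the
# page's response, including the embedded admin representative).
USER_RECORD = {
    "id": "5501",
    "fname": "Cloud",
    "lname": "Strife",
    "privilege": "user",
    "representative": [
        {
            "name": "Don Coreneo",
            "id": "2203",
            "email": "dcorn@gmail.com",
            "privilege": "admin",
            "MFA": False,
        }
    ],
}

# Constructed: the fields the user lookup endpoint is documented to return.
PUBLIC_USER_FIELDS = ("id", "fname", "lname")


def vulnerable_lookup(record):
    """Vulnerable: serializes the entire object and relies on the client
    to ignore whatever it does not display."""
    return json.dumps(record)


def hardened_lookup(record, fields=PUBLIC_USER_FIELDS):
    """Fixed: the response is assembled from an allowlist, so columns or
    nested objects added to the record later never leak by default."""
    return json.dumps({k: record[k] for k in fields if k in record})


def key_paths(data, prefix=""):
    """Yield a dotted path for every key in a nested JSON value; list items
    are marked with '[]' so 'representative[].email' reads naturally."""
    if isinstance(data, dict):
        for key, value in data.items():
            path = f"{prefix}.{key}" if prefix else key
            yield path
            yield from key_paths(value, path)
    elif isinstance(data, list):
        for item in data:
            yield from key_paths(item, prefix + "[]")


def find_undocumented_keys(response_body, documented_fields):
    """Detection helper: return the key paths present in a JSON response
    body that the documented field list does not mention."""
    data = json.loads(response_body)
    return sorted(set(key_paths(data)) - set(documented_fields))


if __name__ == "__main__":
    # Running the checker over both responses shows the leak concretely.
    print("vulnerable:", find_undocumented_keys(vulnerable_lookup(USER_RECORD), PUBLIC_USER_FIELDS))
    print("hardened:  ", find_undocumented_keys(hardened_lookup(USER_RECORD), PUBLIC_USER_FIELDS))
```

The checker is deliberately schema-driven rather than keyword-driven: it flags anything outside the documented field list, so a newly added column shows up even when its name looks harmless.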

#### Identifying Excessive Data Exposure in crAPI

1. Explore GET requests in crAPI Swagger.
2. Check the `GET /identity/api/v2/user/dashboard` request.
3. Identify interesting object key names (e.g., "id", "name", "email").
4. Explore other endpoints, e.g., `GET /community/api/v2/community/posts/recent`.
5. Proxy the requests through Burp Suite and use Repeater to replay them, inspecting the full responses for sensitive information.
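Steps 1 to 4 above, and the Swagger Editor walkthrough earlier on the page, can be done mechanically against the specification. The following added example, which is not part of the original page or of crAPI, walks an OpenAPI document, collects the key paths of every documented GET response schema and reports those whose leaf name looks sensitive. The `SPEC` dictionary is constructed for illustration; only its two crAPI path strings come from the page, the third path and every property name are assumptions, as is the `SENSITIVE_KEY_HINTS` list.

```python
"""Triage an OpenAPI document for GET responses that document sensitive keys.

Added example, not the page's or crAPI's code. SPEC is constructed: the
two crAPI paths are taken from the page, everything else is illustrative.
"""

# Constructed hint list; tune it to the data classes your API handles.
SENSITIVE_KEY_HINTS = (
    "email", "phone", "number", "password", "token",
    "ssn", "mfa", "secret", "role", "privilege",
)

# Constructed OpenAPI 3 fragment (property names are assumptions).
SPEC = {
    "openapi": "3.0.0",
    "paths": {
        "/identity/api/v2/user/dashboard": {
            "get": {"responses": {"200": {"content": {"application/json": {
                "schema": {
                    "type": "object",
                    "properties": {
                        "id": {"type": "integer"},
                        "name": {"type": "string"},
                        "email": {"type": "string"},
                        "number": {"type": "string"},
                        "role": {"type": "string"},
                    },
                }}}}}},
        },
        "/community/api/v2/community/posts/recent": {
            "get": {"responses": {"200": {"content": {"application/json": {
                "schema": {
                    "type": "array",
                    "items": {
                        "type": "object",
                        "properties": {
                            "id": {"type": "string"},
                            "title": {"type": "string"},
                            "author": {
                                "type": "object",
                                "properties": {
                                    "nickname": {"type": "string"},
                                    "email": {"type": "string"},
                                },
                            },
                        },
                    },
                }}}}}},
        },
        # Placeholder path with a harmless schema, to show a clean result.
        "/placeholder/api/v1/health": {
            "get": {"responses": {"200": {"content": {"application/json": {
                "schema": {"type": "object",
                           "properties": {"status": {"type": "string"}}},
            }}}}},
        },
    },
}


def schema_key_paths(schema, prefix=""):
    """Yield dotted key paths for every property in an OpenAPI schema,
    descending into nested objects and marking array items with '[]'."""
    for name, sub in schema.get("properties", {}).items():
        path = f"{prefix}.{name}" if prefix else name
        yield path
        yield from schema_key_paths(sub, path)
    if schema.get("type") == "array" and "items" in schema:
        yield from schema_key_paths(schema["items"], prefix + "[]")


def sensitive_get_endpoints(spec, hints=SENSITIVE_KEY_HINTS):
    """Map each GET path to the documented response keys whose leaf name
    contains a sensitive hint; paths with no hits are omitted."""
    findings = {}
    for path, operations in spec.get("paths", {}).items():
        get_op = operations.get("get")
        if not get_op:
            continue
        for response in get_op.get("responses", {}).values():
            for media in response.get("content", {}).values():
                for key_path in schema_key_paths(media.get("schema", {})):
                    leaf = key_path.split(".")[-1].lower()
                    if any(hint in leaf for hint in hints):
                        findings.setdefault(path, []).append(key_path)
    return findings


if __name__ == "__main__":
    for path, keys in sensitive_get_endpoints(SPEC).items():
        print(f"{path}: {', '.join(keys)}")
```

The output is a review list, not a verdict: a flagged key is only a problem when the caller has no legitimate need for it, which is exactly the question Repeater is used to answer in step 5.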

Understanding API documentation, conventions, and identifying excessive data exposure vulnerabilities are crucial steps in API security testing.

