Vulnerability Details
Severity:
Medium
Category:
API
Description
API endpoints return more data than the client needs and rely on the client to hide sensitive fields, instead of filtering the response on the server.
Risks
An attacker can intercept API responses to access sensitive data fields that are sent but not displayed in the UI, such as internal IDs, email addresses, or personal information.
Remediation
Implement server-side response filtering to return only required fields. Use different response schemas per endpoint and user role. Never rely on client-side filtering for security. Review all API responses for unnecessary data exposure.
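The remediation above, as an added example that is not part of the original record: a per-endpoint, per-role response schema applied on the server, shown beside the unfiltered "return the whole record" handler so the fields an interceptor would otherwise see are visible. The record, endpoint and role names are constructed for the example.

```python
# Added example (not from the original record): server-side response filtering
# with a per-endpoint, per-role field allow-list instead of client-side hiding.
from typing import Any

# Constructed sample record as stored server-side. The sensitive fields are
# exactly what a client-filtered response would hand to anyone intercepting it.
USER_RECORD: dict[str, Any] = {
    "id": 1042,                      # internal database ID
    "username": "alice",
    "display_name": "Alice",
    "email": "alice@example.com",
    "phone": "+1-555-0100",
    "password_hash": "$2b$12$constructed-hash-value",
    "is_admin": False,
}

# Response schemas: one allow-list per (endpoint, requesting role). A field that
# is not listed is never serialized, so a newly added sensitive column is
# withheld by default instead of leaking until someone remembers to hide it.
RESPONSE_SCHEMAS: dict[tuple[str, str], frozenset[str]] = {
    ("public_profile", "anonymous"): frozenset({"username", "display_name"}),
    ("public_profile", "user"):      frozenset({"username", "display_name"}),
    ("account", "self"):             frozenset({"username", "display_name", "email", "phone"}),
    ("account", "admin"):            frozenset({"id", "username", "display_name", "email", "is_admin"}),
}

def vulnerable_response(record: dict[str, Any]) -> dict[str, Any]:
    """The 'before': the whole record is returned and the UI is expected to hide fields."""
    return dict(record)

def filtered_response(endpoint: str, role: str, record: dict[str, Any]) -> dict[str, Any]:
    """The 'after': serialize only the fields the schema for this endpoint/role permits."""
    try:
        allowed = RESPONSE_SCHEMAS[(endpoint, role)]
    except KeyError:
        # Unknown endpoint/role pair: fail closed rather than fall back to the full record.
        raise PermissionError(f"no response schema for {endpoint!r}/{role!r}")
    return {field: record[field] for field in allowed if field in record}

def leaked_fields(endpoint: str, role: str, record: dict[str, Any]) -> set[str]:
    """Fields present in the unfiltered response that the schema would have withheld."""
    return set(vulnerable_response(record)) - set(filtered_response(endpoint, role, record))

if __name__ == "__main__":
    print(filtered_response("public_profile", "anonymous", USER_RECORD))
    print(sorted(leaked_fields("public_profile", "anonymous", USER_RECORD)))
```

The schema table is the review artifact the remediation asks for: every endpoint/role pair lists exactly what it returns, so unnecessary exposure is visible in one place instead of scattered across handlers.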