Excessive Data Exposure
API endpoints returning full database objects with sensitive fields instead of only the fields the client actually needs, exposing password hashes, internal IDs, admin flags, and other sensitive data.
How It Works
When you return the raw database record, you return everything — including passwordHash, internalNotes, isAdmin, stripeCustomerId. The frontend might only display the name and avatar, but the full object is in the network response for anyone who opens DevTools. Attackers read it directly from the API response.
// BAD: returning the raw database object
export async function GET(req: Request) {
  // userId is resolved from the authenticated session (omitted here)
  const user = await db.users.findUnique({ where: { id: userId } });
  return Response.json(user); // includes passwordHash, isAdmin, stripeId...
}

// GOOD: explicitly select and return only needed fields
export async function GET(req: Request) {
  // userId is resolved from the authenticated session (omitted here)
  const user = await db.users.findUnique({
    where: { id: userId },
    // Prisma `select` is an allowlist: fields not listed are never fetched or serialized
    select: { id: true, name: true, email: true, avatarUrl: true }
  });
  return Response.json(user);
}

Real-World Example
OWASP API Security Top 10 has listed Excessive Data Exposure since 2019 as one of the most common API vulnerabilities. In 2021, a major US healthcare API was found returning full patient records (including SSN and insurance details) in responses that only needed to show appointment dates.
How to Prevent It
- Always use Prisma's select or ORM field projection to return only needed fields
- Create response DTOs (Data Transfer Objects) that explicitly define what's returned
- Never return raw database objects from API endpoints
- Add a code review rule: every API response must be audited for sensitive field leakage
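The DTO and "audit every response" rules above, as an added example that is not part of the original page: a `toPublicUser` mapper that names every field allowed out, and a `findLeakedFields` check that walks serialized handler output for sensitive keys so the review rule can run as a CI test. The `UserRecord` type, the denylist and the sample record are assumptions modelled on the page's user record.

```typescript
// Added example (not from the original page). Field names below are
// assumptions based on the record described in "How It Works".
type UserRecord = {
  id: string;
  name: string;
  email: string;
  avatarUrl: string;
  passwordHash: string;
  isAdmin: boolean;
  internalNotes: string;
  stripeCustomerId: string;
};

// The DTO names every field that leaves the server. A new database column
// never widens the response unless someone edits this type on purpose.
type PublicUser = Pick<UserRecord, "id" | "name" | "email" | "avatarUrl">;

export function toPublicUser(user: UserRecord): PublicUser {
  // Explicit picks, not a spread: `{ ...user }` would reintroduce every field.
  return { id: user.id, name: user.name, email: user.email, avatarUrl: user.avatarUrl };
}

// Keys that must never appear in any JSON response (assumed denylist).
export const SENSITIVE_FIELDS = new Set([
  "passwordHash", "isAdmin", "internalNotes", "stripeCustomerId",
]);

// Walk a response payload (objects and arrays, any depth) and return the
// dotted paths of sensitive keys. Run it over serialized handler output in tests.
export function findLeakedFields(payload: unknown, path = "", out: string[] = []): string[] {
  if (Array.isArray(payload)) {
    payload.forEach((item, i) => findLeakedFields(item, `${path}[${i}]`, out));
  } else if (payload !== null && typeof payload === "object") {
    for (const [key, value] of Object.entries(payload as Record<string, unknown>)) {
      const here = path ? `${path}.${key}` : key;
      if (SENSITIVE_FIELDS.has(key)) out.push(here);
      findLeakedFields(value, here, out);
    }
  }
  return out;
}

// Constructed sample record standing in for a db.users.findUnique() result.
export const sampleUser: UserRecord = {
  id: "u_123", name: "Ada", email: "ada@example.com", avatarUrl: "https://example.com/a.png",
  passwordHash: "$argon2id$...", isAdmin: true, internalNotes: "VIP", stripeCustomerId: "cus_x",
};
```

Passing the raw record through `findLeakedFields` reports all four sensitive paths; passing `toPublicUser(sampleUser)` reports none, which is the assertion a CI test should make against each endpoint's output.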
Affected Technologies
Data Hogo detects this vulnerability automatically.
Related Vulnerabilities
API Documentation Exposed in Production (severity: low)
Swagger UI, ReDoc, or other API documentation interfaces publicly accessible in production, giving attackers a free interactive map of every endpoint, parameter, and authentication method.

GraphQL Introspection Enabled in Production (severity: medium)
GraphQL introspection is left enabled in production, allowing anyone to query the complete schema and discover all types, fields, mutations, and their argument structures.

GraphQL Without Query Depth Limit (severity: medium)
GraphQL API with no depth limit on nested queries, allowing attackers to craft deeply nested queries that exhaust server resources and cause denial of service.

GraphQL Batching Attack (severity: medium)
GraphQL endpoints accepting arrays of operations without size limits, enabling attackers to bypass rate limiting by bundling thousands of requests into a single HTTP call.