Mitigating OWASP API Security Risk: Excessive Data Exposure using F5 XC Platform
This is part of the OWASP API Security TOP 10 mitigation series, and you can refer here for an overview of these categories and F5 Distributed Cloud Platform (F5 XC) Web Application and API protection (WAAP).
Introduction to Excessive Data Exposure
Application Programming Interfaces (APIs) are the foundation stone of modern web applications, which are driving the digital world. They are part of every phase of the product development life cycle, from design and testing through to end customers using them in their day-to-day tasks. When no restrictions are in place, APIs sometimes expose sensitive data such as Personally Identifiable Information (PII), Credit Card Numbers (CCN) and Social Security Numbers (SSN). Because of this, they are among the most exploited components in cybercrime: attackers use them to gain access to customer information that can be sold or reused in further attacks such as credential stuffing.
Most of the time, the design stage does not include this security perspective and relies on third-party tools to sanitize the data before results are displayed to customers. Identifying sensitive information in these huge chunks of API response data is difficult, and most security tools available in the market do not support this capability. So instead of relying on third-party tools, it is recommended to follow a shift-left strategy and add security as part of the development phase. During this phase, developers must review and ensure that the API returns only the required details, instead of unnecessary properties, to avoid sensitive data exposure.
Excessive data exposure attack scenario-1
To showcase this category, we are exposing sensitive details like CCN and SSN in one of the product reviews of the Juice Shop application (refer to the links for more info), as shown below:
Fig 1: App UI exposing PII
Fig 2: Postman showing PII data in one of the APIs
Overview of Data Guard
Data Guard is an F5 XC load balancer feature that shields responses from exposing sensitive information such as CCN/SSN by masking these fields with a string of asterisks (*). Depending on their requirements, customers can configure multiple rules to apply or skip processing for certain paths and routes.
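To make the behaviour described above concrete, here is an added example (not F5's code, and not the real Data Guard configuration format) of a response filter that masks SSNs and Luhn-valid card numbers with asterisks, and applies or skips processing per path. The path lists, the rule layout and the sample review body are constructed for the example.

```python
import re

# Constructed path rules (an assumption, not F5 XC's own Data Guard configuration format):
# responses on APPLY_PATHS are processed, responses on SKIP_PATHS are left alone.
APPLY_PATHS = ("/rest/products/", "/api/Feedbacks")
SKIP_PATHS = ("/rest/products/search",)

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or dashes: card number candidates
CCN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Luhn checksum, so that arbitrary digit runs (order ids, timestamps) are not masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _mask_ccn(m):
    raw = m.group(0)
    if not luhn_ok(re.sub(r"[ -]", "", raw)):
        return raw  # fails Luhn: not a card number, keep it
    return "*" * len(raw)

def data_guard(path, body):
    """Mask SSNs and Luhn-valid card numbers in a response body, honouring the path rules."""
    if path.startswith(SKIP_PATHS) or not path.startswith(APPLY_PATHS):
        return body
    body = SSN_RE.sub(lambda m: "*" * len(m.group(0)), body)
    return CCN_RE.sub(_mask_ccn, body)

# Constructed sample, modelled on a Juice Shop product review carrying PII
REVIEW = '{"message": "Great juice! card 4111 1111 1111 1111, ssn 123-45-6789", "author": "user@mail.com"}'
```

The Luhn check is what keeps a random 16-digit order number unmasked while a real card number is replaced, which is the kind of false positive a practitioner should test for when tuning such rules.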
Preventing excessive data exposure using F5 Distributed Cloud
- Step1: Create an origin pool - Refer here for more information
- Step2: Create a Web Application Firewall (WAF) policy - Refer here for details
- Step3: Create an HTTPS load balancer (LB) with the above created pool and WAF policy - Refer here for more information
- Step4: Upload your application Swagger file and add it to the above load balancer - Refer here for more details
- Step5: Configure Data Guard on the load balancer with the action and path as below
- Step6: Validate that the sensitive data is masked
- Open Postman or a browser, check the product reviews section/API and validate that these details are hidden rather than exposed as in the original application
Fig 5: Postman confirming PII data being masked
Fig 6: Postman API confirming CCN numbers being masked
- In the Distributed Cloud Console, expand the security event and check the WAF section to understand why these details are masked, as below:
Fig 7: Security event details confirming this vulnerability
Excessive data exposure attack scenario-2
In this demonstration we are using the API-based vulnerable application VAmPI (a vulnerable API built with Flask that includes vulnerabilities from the OWASP Top 10 for APIs; for more info follow the repo link).
Follow the steps below to bring up the setup:
- Step1: Host the VAmPI application inside a virtual machine
- Step2: Log in to the XC console, create an HTTP LB and add the hosted application as an origin server
- Step3: Access the application to check its availability.
- Step4: Now enable API Discovery and configure the sensitive data discovery policy by adding all the compliance frameworks in your HTTP LB config.
- Step5: Hit the vulnerable API endpoint '/users/v1/_debug', which exposes sensitive data such as usernames and passwords.
- Step6: Navigate to the security overview dashboard in the XC console and select the API Endpoints tab. Check the vulnerable endpoint details.
- Step7: In the Sensitive Data section, click the ellipsis on the right side to get the available actions.
- Step8: Clicking the option 'Add Sensitive Data Exposure Rule' automatically adds the entries for a sensitive data exposure rule to your existing LB config. Apply the configuration.
- Step9: Now hit the vulnerable API endpoint '/users/v1/_debug' again
In the image above, you can see masked values in the response: all letters are changed to 'a' and numbers are converted to '1'.
- Step10: Optionally, you can also manually configure a sensitive data exposure rule by adding details about the vulnerable API endpoint.
- Log back in to the XC console
- Start configuring the API Protection rule in the created HTTP LB
- Click Configure in the Sensitive Data Exposure Rules section.
- Click Add Item to create the first rule.
- In the Target section, enter the path that responds to the request. Also enter one or more methods whose responses contain sensitive information.
- In the Values field in Pattern section, enter the JSON field value you want to mask.
- For example, to mask all emails in the array users, enter "users[_].email". Note that an underscore between the square brackets indicates the array's elements.
- Once the above rule is applied, values in the response are masked as follows: all letters change to a or A (matching case) and all numbers convert to 1.
- Click Apply to save the rule to the list of Sensitive Data Exposure Rules.
- Optionally, click Add Item to add more rules.
- Click Apply to save the list of rules to your load balancer.
- Step11: After completing Step 10, hit the vulnerable API endpoint again.
Here too, in the image above, you can see masked values in the response as per the configuration done in Step 10.
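As an added example (not F5's code, and not the XC rule schema), this is how a sensitive data exposure rule like the one built in Step 10 behaves: a target path and method select the response, a field pattern such as users[_].email selects the JSON values, and the documented masking (letters to a/A keeping case, digits to 1) is applied only to those values. The rule dict layout and the sample VAmPI-style document are constructed for the example.

```python
import re

# Constructed rule list in the shape Step 10 describes (target path, methods, JSON field
# patterns). The dict layout is an assumption, not F5 XC's own configuration schema.
RULES = [{"path": "/users/v1/_debug", "methods": ["GET"],
          "patterns": ["users[_].email", "users[_].password"]}]

# Constructed sample modelled on the VAmPI /users/v1/_debug response shape
SAMPLE_DOC = {"users": [
    {"username": "admin", "email": "admin@mail.com", "password": "pass1", "admin": True},
    {"username": "name2", "email": "name2@mail.com", "password": "Pass2", "admin": False},
]}

def mask_value(value):
    """Documented masking: letters -> a/A (case kept), digits -> 1, other chars unchanged."""
    if isinstance(value, bool) or value is None:
        return value
    if isinstance(value, (int, float)):
        return type(value)(re.sub(r"\d", "1", str(value)))
    if isinstance(value, str):
        return "".join("1" if c.isdigit() else "A" if c.isupper() else "a" if c.isalpha() else c
                       for c in value)
    return value

def parse_pattern(pattern):
    """Split 'users[_].email' into ['users', '[_]', 'email']; [_] selects every array element."""
    return re.findall(r"\[_\]|[^.\[\]]+", pattern)

def apply_pattern(node, tokens):
    """Walk the document along the tokens; mask only the leaf the pattern reaches."""
    if not tokens:
        return mask_value(node)
    head, rest = tokens[0], tokens[1:]
    if head == "[_]" and isinstance(node, list):
        return [apply_pattern(item, rest) for item in node]
    if isinstance(node, dict) and head in node:
        return {**node, head: apply_pattern(node[head], rest)}
    return node  # pattern does not match here: leave the node untouched

def mask_document(method, path, doc, rules):
    """Apply every rule whose target (path + method) matches; unmatched responses pass through."""
    for rule in rules:
        if rule["path"] == path and method.upper() in rule["methods"]:
            for pattern in rule["patterns"]:
                doc = apply_pattern(doc, parse_pattern(pattern))
    return doc
```

Fields the pattern does not name (username, admin) stay readable, which is why the rule only hides the leak rather than fixing the endpoint; the shift-left advice in the introduction still applies.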
Conclusion
As we have seen in the above use cases, sensitive data exposure occurs when an application does not protect sensitive data such as PII, CCN, SSN and authentication credentials. Leaking such information may lead to serious consequences, so it is extremely critical for organizations to reduce the risk of sensitive data exposure. As demonstrated above, the F5 Distributed Cloud Platform can help protect against exposure of such sensitive data with its easy-to-use API security solution offerings.
For further information, check the links below.
2 Comments
Great article Janibasha! It will be great if XC Data Guard can also support custom regex expressions as I see some use cases for this. I think the new F5 XC API Discovery sensitive data feature supports custom patterns and I think it could be easy to add this also to Data Guard. Maybe also triggering Malicious users with Data Guard not in Blocking mode as for some strings that are not so sensitive but someone is getting this string many times, they could be doing an attack 😃
- Janibasha
Employee
Nikoolayy1, thanks for your feedback.
Yes, you are right, and we have the support to detect some of the known PII info, as shown below in API Discovery, or we can have our own custom regex.
As per my understanding, custom regex masking support in Data Guard is in the future pipeline and I will update once it's implemented.