Mitigating OWASP API Security Risk: Excessive Data Exposure using F5 XC Platform

This is part of the OWASP API Security TOP 10 mitigation series, and you can refer here for an overview of these categories and F5 Distributed Cloud Platform (F5 XC) Web Application and API protection (WAAP). 

 

Introduction to Excessive Data Exposure: 

Application Programming Interfaces (APIs) are the foundation stone of modern evolving web applications which are driving the digital world. They are part of all phases in product development life cycle, starting from design, testing to end customer using them in their day-to-day tasks. Since they don’t have restrictions in place, sometimes APIs expose sensitive data such as Personally Identifiable Information (PII), Credit Card Numbers (CCN) and Social Security Numbers (SSN), etc. Because of these issues, they are the most exploited blocks in cybercrime to gain access to customer information which can be sold or further used in other exploits like credential stuffing, etc.  

Most of the time, the design stage doesn't include this security perspective and relies on 3rd party tools to perform sanitization of the data before displaying the results to customers. Identifying the sensitive information in these huge chunks of API response data is sophisticated and most of the available security tools in the market don't support this capability. So instead of relying on third party tools it’s recommended to follow shift left strategies and add security as part of the development phase. During this phase, developers must review and ensure that the API returns only required details instead of providing unnecessary properties to avoid sensitive data exposure. 

 

Excessive data exposure attack scenario:  

To showcase this category, we are exposing sensitive details like CCN and SSN in one of the product reviews of Juice shop application (refer links for more info) as below -  

Fig 1: App UI exposing PII Fig 2: Postman showing PII data in one of the API

 

Overview of Data Guard: 

Data Guard is F5 XC load balancer feature which shields the responses from exposing sensitive information like CCN/SSN by masking these fields with a string of asterisks (*). Depending on the customer's requirement, they can have multiple rules configured to apply or skip processing for certain paths and routes. 

 

Preventing excessive data exposure using F5 Distributed Cloud:   

Step1: Create origin pool – Refer here for more information 

Step2: Create Web Application Firewall policy (WAF) - Refer here for details 

Step3: Create https load balancer (LB) with above created pool and WAF policy - Refer here for more information 

Step4: Upload your application swagger file and add it to above load balancer – Refer here for more details 

Step5: Configure Data Guard on the load balancer with action and path as below 

Fig 3: Load balancer configurationFig 4: Dataguard configuration

Step6: Validate the sensitive data is masked 

  1. Open postman/browser, check the product reviews section/API and validate these details are hidden and not exposed as in original application 
    Fig 5: Postman confirming PII data being masked Fig 6: Postman API confirming CCN numbers being masked
  2. In Distributed Cloud Console expand the security event and check the WAF section to understand the reason why these details are masked as below:  
    Fig 7: Security event details confirming this vulnerability

 

Conclusion:  

CCN and SSN are sensitive information mapping to the identity of a specific individual and protecting this critical data is a necessity in this digital world. In this article we have demonstrated how F5 XC Distributed Cloud Platform can prevent these sensitive data exposures using data guard. 

 

For further information check the links below: 

  1. OWASP API Security - Excessive Data Exposure 
  2. OWASP API Security – Overview article 
  3. F5 XC Data Guard Overview 
  4. OWASP Juice Shop 
Updated Jun 22, 2023
Version 3.0
  • Great article Janibasha ! It will be great if XC Data Guard can also support custom regex expressions as I see some use cases for this. I think the new F5 XC API Discovery sensitive data feature supports custom patterns and I think it could be easy to add this also to Data Guard. Maybe also triggering Malicius users with Data Guard not in Blocking mode as for some strings that are not so sensitve but someone is getting this sting many times, they could be doing an attack 😃

  • Nikoolayy1 thanks for your feedback.

    Yes you are right and we have the support to detect some of the known PII info like shown below in API Discovery or we can have our own custom regex.

    As per my understanding custom regex masking support in dataguard is in future pipeline and will update once it's implemented.