Api Sensitive Fields Unmasked
Description
This detector identifies API endpoints that expose sensitive data fields in their JSON responses without proper masking or redaction. When APIs return unmasked sensitive information like passwords, credit card numbers, or social security numbers, it creates a significant data exposure risk that could lead to privacy violations and compliance issues.
Detection Strategy
• Makes HTTP requests to API endpoints and examines JSON responses for sensitive field exposure
• Parses the response body as JSON and walks through all field-value pairs
• Checks if any field names match predefined sensitive field patterns (like 'password', 'ssn', 'credit_card', etc.)
• Validates that the values associated with sensitive fields contain actual exposed data rather than masked/redacted placeholders
• Reports a vulnerability when sensitive fields are found with unmasked, real values in the API response
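As an added illustration of the strategy above (example code written for this page, not Fluid Attacks' own detector), the following Python walker parses a response body, visits every field/value pair, matches field names against sensitive-name patterns and reports only values that are not masked placeholders; the pattern lists and the masked-value shapes are this example's assumptions, and the sample response is constructed.

```python
import json
import re

# Sensitive field-name patterns (password, ssn, credit_card come from the page; the rest are assumed).
SENSITIVE_FIELD_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"pass(word|wd)?$", r"^ssn$|social_?security", r"credit_?card|card_?number",
    r"^cvv$|^cvc$", r"api_?key|secret|^token$",
)]

# Masked/redacted placeholder shapes (assumed): "[REDACTED]", "masked", "****1234", "XXXX-XXXX-1234".
MASKED_VALUE = re.compile(
    r"^(?:\[?(?:redacted|masked|hidden|filtered)\]?|(?:[*x#]{2,}[\s-]?)+\d{0,4})$",
    re.IGNORECASE)

def is_sensitive_field(name: str) -> bool:
    return any(p.search(name) for p in SENSITIVE_FIELD_PATTERNS)

def is_masked(value) -> bool:
    # Null, empty or boolean values carry no real data; a placeholder string is masked.
    if value is None or value == "" or isinstance(value, bool):
        return True
    if isinstance(value, (int, float)):  # a bare number (e.g. an SSN) is real data
        return False
    return MASKED_VALUE.match(str(value)) is not None

def find_unmasked_fields(node, path="$"):
    """Walk every field/value pair; return JSONPath-like locations of exposed data."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if not isinstance(value, (dict, list)) and is_sensitive_field(key) and not is_masked(value):
                findings.append(child)
            findings.extend(find_unmasked_fields(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_unmasked_fields(item, f"{path}[{i}]"))
    return findings

def scan_response_body(body: str):
    """Parse an HTTP response body as JSON; a non-JSON body yields no findings."""
    try:
        return find_unmasked_fields(json.loads(body))
    except json.JSONDecodeError:
        return []

SAMPLE_RESPONSE = json.dumps({  # constructed sample; fetching it over HTTP is left to the caller
    "id": 42, "email": "user@example.com", "password": "hunter2",
    "profile": {"ssn": "123-45-6789", "credit_card": "****-****-****-4242"},
    "api_keys": [{"api_key": "[REDACTED]"}, {"api_key": "sk_live_abc123"}]})
```

Running `scan_response_body(SAMPLE_RESPONSE)` reports `$.password`, `$.profile.ssn` and `$.api_keys[1].api_key`, while the masked card number and the redacted key are not flagged.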
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.