I am going to share a common mistake in Web API development. When I was a software developer a long time ago, we needed to write effective code by making functions or code reusable as much as possible, so that nothing had to be redeveloped again and again.
Usually, with the above mindset, the developer will create one huge function that handles everything and returns all the data. Later, the data produced by that function is filtered again as needed. For example, a get-user-profile function will return all user details (name, email address, phone, password), while the actual need is only to show the name.
Let's see the sample below.
There is an HTTP API call that feeds information to the mobile app's GUI to show the username and the user's comments on the post.
But after checking the server response from that API call, I found that it returned more data than I need, such as last name, email address and even password.
There is a possibility that the developer wants to reuse the API code for several purposes, including the scenario mentioned, to be effective so that there is less code to maintain. But from a security perspective, it causes unnecessary data leakage, because an adversary who can intercept the response from the API call by proxying it sees all of this in clear text.
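The pattern described above, as an added example that is not code from the original post: one reusable data-access function that returns the whole user record, the leaky endpoint that hands that record straight to the client, and a fixed endpoint that keeps the reuse but projects the record onto a per-view allowlist. The user record, field names and the `leaked_fields` review helper are all constructed for this illustration.

```python
"""
Added example (not from the original post): a reusable data-access function
that returns the full user record, and a response-shaping layer that keeps
the reuse but exposes only the fields each endpoint actually needs.
All data below is constructed for the example.
"""
from typing import Any, Dict, List

# Constructed sample record; in a real system this comes from the database.
# The password hash is the kind of field that must never reach a client.
USERS: Dict[int, Dict[str, Any]] = {
    42: {
        "id": 42,
        "username": "alice",
        "lastname": "Example",
        "email": "alice@example.test",
        "phone": "+1-555-0100",
        "password_hash": "$2b$12$constructedplaceholderhash",
        "comments": ["First!", "Nice post."],
    }
}

# Keys that must never appear in a public API response (constructed list).
SENSITIVE_KEYS = {"password", "password_hash", "phone", "email"}


def get_user_profile(user_id: int) -> Dict[str, Any]:
    """The reusable internal function: returns the whole record.
    Reuse itself is fine; the defect is returning this dict directly to clients."""
    return dict(USERS[user_id])


def comment_view_leaky(user_id: int) -> Dict[str, Any]:
    """The mistake from the post: the endpoint hands the full record to the client."""
    return get_user_profile(user_id)


# Per-endpoint allowlists: the only fields each response may carry.
VIEW_FIELDS: Dict[str, List[str]] = {
    "comment_view": ["username", "comments"],
    # Served only to the authenticated owner of the account.
    "account_settings": ["id", "username", "email", "phone"],
}


def shape_response(record: Dict[str, Any], view: str) -> Dict[str, Any]:
    """Project the full record onto the allowlist for the given view.
    Keys not in the allowlist are dropped, so a column added to the record
    later (or to the reusable function) is not exposed by accident."""
    return {k: record[k] for k in VIEW_FIELDS[view] if k in record}


def comment_view_fixed(user_id: int) -> Dict[str, Any]:
    """Same reusable data-access call, but the response is shaped for this use."""
    return shape_response(get_user_profile(user_id), "comment_view")


def leaked_fields(response: Dict[str, Any]) -> List[str]:
    """Review/test helper: which sensitive keys does a response body contain?
    Suitable as an automated assertion in an API test suite or a code-review check."""
    return sorted(k for k in response if k in SENSITIVE_KEYS)


if __name__ == "__main__":
    print("leaky:", leaked_fields(comment_view_leaky(42)))
    print("fixed:", leaked_fields(comment_view_fixed(42)))
    print("body :", comment_view_fixed(42))
```

The point of the allowlist is that it is deny-by-default: the shared `get_user_profile` can keep growing for other callers, and the comment endpoint still emits exactly `username` and `comments`. The `leaked_fields` check is the kind of test a reviewer can add so that a response carrying `password_hash` fails the build rather than being noticed in a proxy later.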
This is one reason we need a Secure SDLC: the two mindsets need to be combined to achieve code that is both effective and secure. Usually, the security analyst is involved during the design phase and does regular code reviews to assess security.