Many APIs return far more data than the client needs, relying on the frontend to filter what is displayed. This exposes sensitive fields to anyone intercepting the raw API response.
```json
// API response for 'get current user profile'
{
  "id": 42,
  "username": "alice",
  "email": "alice@example.com",
  "display_name": "Alice",
  // Fields below should NEVER be returned:
  "password_hash": "$2b$12$...",
  "ssn": "123-45-6789",
  "internal_role": "admin",
  "api_secret_key": "sk_live_..."
}
```

The frontend only shows username and display_name — but the attacker sees everything in Burp Suite.
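The fix belongs on the server, not in the frontend: the endpoint should serialise an explicit allow-list of fields rather than the whole record. The example below is added here and is not code from the original page. It contrasts the vulnerable "dump the record" pattern with an allow-listed serializer, and adds a small response check that flags sensitive-looking keys at any nesting depth, the kind of assertion you would run in an API test suite so a newly added column cannot silently leak. The user record, the field names and the sensitive-key patterns are constructed for illustration.

```python
"""Excessive data exposure: filter fields on the server, not in the frontend.

Added example, not from the original page. The user record, the allow-list
and the deny-list patterns are constructed for illustration.
"""
import json

# Constructed sample: the full database row for the current user.
USER_RECORD = {
    "id": 42,
    "username": "alice",
    "email": "alice@example.com",
    "display_name": "Alice",
    "password_hash": "$2b$12$PLACEHOLDER",
    "ssn": "123-45-6789",
    "internal_role": "admin",
    "api_secret_key": "sk_live_PLACEHOLDER",
}

# Vulnerable pattern: the whole record is serialised and the frontend is
# trusted to hide whatever it does not display. Anyone reading the raw
# response (a proxy, browser devtools) sees every column.
def profile_response_vulnerable(record):
    return json.dumps(record)

# Hardened pattern: an explicit allow-list of what this endpoint returns.
# A field that is not listed never leaves the server, so a sensitive column
# added to the table later is excluded by default rather than exposed.
PUBLIC_PROFILE_FIELDS = ("id", "username", "email", "display_name")

def profile_response(record, fields=PUBLIC_PROFILE_FIELDS):
    return json.dumps({k: record[k] for k in fields if k in record})

# Defensive check for tests or a response-logging hook: substrings that mark
# a key name as sensitive (constructed list; extend for your own schema).
SENSITIVE_KEY_PATTERNS = ("password", "secret", "ssn", "token", "internal_")

def find_sensitive_keys(payload, path=""):
    """Return dotted paths of keys whose names match a sensitive pattern.

    Walks nested objects and arrays so a leak inside e.g. user.settings[0]
    is reported as well as a top-level one.
    """
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            here = f"{path}.{key}" if path else key
            if any(p in key.lower() for p in SENSITIVE_KEY_PATTERNS):
                hits.append(here)
            hits.extend(find_sensitive_keys(value, here))
    elif isinstance(payload, list):
        for i, item in enumerate(payload):
            hits.extend(find_sensitive_keys(item, f"{path}[{i}]"))
    return hits

def leaked_keys(body):
    """Parse a JSON response body and list the sensitive keys it carries."""
    return find_sensitive_keys(json.loads(body))

def response_is_clean(body):
    return leaked_keys(body) == []

if __name__ == "__main__":
    print("vulnerable leaks:", leaked_keys(profile_response_vulnerable(USER_RECORD)))
    print("hardened leaks:  ", leaked_keys(profile_response(USER_RECORD)))
```

Run it directly to see the vulnerable response flagged for `password_hash`, `ssn`, `internal_role` and `api_secret_key` while the allow-listed response reports nothing. The allow-list is deliberately the default rather than a deny-list: a deny-list only catches names someone thought of, whereas an allow-list fails closed when the schema grows.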