AppSecNotes
Excessive Data Exposure
  • Some endpoints sometimes reveal sensitive data unnecessarily. That data might be useful for exploiting a vulnerability or might reveal PII (personally identifiable information).
  • Analyse all the GET responses in the web app what might be exposing private information.
  • If the data cannot be used to exploit vulnerabilities, see if PII can be reported in a bug bounty program. It is always better to try and prove the impact of all the findings.