Hidden in Plain Site - Disclosing Information via Your APIs - Peter Yaworski, Bugcrowd's LevelUp 2017

Explore information disclosure vulnerabilities in APIs and HTML page sources often overlooked by researchers in mature programs. Learn about the design pattern in Rails that makes these vulnerabilities easy to introduce, especially when combined with front-end JavaScript libraries like React or Angular. Discover how to identify and exploit these vulnerabilities through real-world examples, including customer ID exposure and private address leaks. Gain insights into why these issues occur and how to prevent them in your own applications. Perfect for security researchers, developers, and anyone interested in improving API security.

Introduction
About Peter Yaworski
Agenda
What is API
Why we care
Why this happens
Rails example
Removing information from view
The JSON file
The handy method merge
Adding a sensitive parameter
Personal anecdote
How do we find it
Examples
Customer ID
Vulnerability
Private Address
Wrapup