Q10 of 24 · Security

How do you test for sensitive data exposure in API responses and application logs?

Category: Security · Level: Mid · Tags: security, data-exposure, pii, api, logging, owasp, testing

Short answer

Intercept all API responses from endpoints that handle PII, payment data, or credentials, and verify that sensitive fields are absent, masked, or encrypted. Test error responses separately: they commonly expose more than success responses do. For logs, request access to application logs in a test environment and search them for the known sensitive values you submitted.

Detail

Sensitive data exposure (OWASP Top 10 A02 Cryptographic Failures, formerly A03 Sensitive Data Exposure) occurs when an application stores or transmits sensitive data in plaintext or without appropriate protection.

API response testing:

  • Intercept every response from endpoints that handle user data. Use a proxy (Charles, Proxyman) or the browser's network panel.
  • For each field that should be masked (card number, CVV, full SSN, plain-text password), assert that the field is either absent or masked (e.g. for cards, the last four digits only: ****-****-****-1234).
  • Test GET endpoints that return user profile data, looking for fields the frontend doesn't display but the API still returns (a "hidden" field that is still present in the JSON is exposed data).
  • Test error responses: a 422 or 500 that includes a stack trace, database query, or internal path is a finding.

Log testing:

  • In a test environment with log access, perform a login, a payment, or a user update operation.
  • Search the logs for the exact values you submitted: the password, the card number, the full SSN.
  • Logs must not contain any of these. Logging the user ID, the action, and a status code is fine; logging the password or full PAN is a critical finding.
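The response and log checks described above, as an added example in Python that is not part of the original answer: the submitted values, the card_number field name, the accepted masked format, the leak markers and the log lines are all constructed fixtures.

```python
import json
import re

# Constructed fixtures for this example: values a tester submitted during a
# login and a payment in a test environment, and sample log lines to scan.
SUBMITTED = {"password": "Tr0ub4dor&3", "card_number": "4111111111111111", "ssn": "123-45-6789"}
LOG_LINES = [
    "INFO login user_id=42 status=200",
    "DEBUG auth payload password=Tr0ub4dor&3",
    "INFO payment user_id=42 pan=4111111111111111 status=201",
]

# Accepted masked form for a card number: ****-****-****-1234
MASKED_CARD = re.compile(r"^\*{4}-\*{4}-\*{4}-\d{4}$")
# Internal detail that no response, least of all an error response, should carry.
ERROR_LEAK = re.compile(r"Traceback \(most recent call last\)|SELECT .+ FROM|/(?:var|home|usr)/\S+")


def _leaves(obj, path=""):
    """Yield (json_path, value) for every leaf of a decoded JSON document."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _leaves(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _leaves(v, f"{path}[{i}]")
    else:
        yield path, obj


def check_response(body: str, submitted: dict) -> list:
    """Return findings for one API response body: submitted values echoed
    back, an unmasked card_number field, or stack-trace/SQL/path leakage."""
    findings = []
    for path, value in _leaves(json.loads(body)):
        text = value if isinstance(value, str) else json.dumps(value)
        hit = [name for name, secret in submitted.items() if secret in text]
        if hit:
            findings.append(f"{path}: exposes submitted {hit[0]}")
        elif path.rsplit(".", 1)[-1] == "card_number" and not MASKED_CARD.match(text):
            findings.append(f"{path}: card number not masked")
        if ERROR_LEAK.search(text):
            findings.append(f"{path}: leaks internal detail")
    return findings


def check_logs(lines, submitted: dict) -> list:
    """Return (line_no, field) for each log line that contains a raw submitted value."""
    return [(n, name) for n, line in enumerate(lines, 1)
            for name, secret in submitted.items() if secret in line]
```

Run check_response against every captured success and error body, and check_logs against the log files collected right after the test transactions; any non-empty result is a finding to report.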

Frontend bundle check:

  • Search the compiled JavaScript bundle for API keys, database connection strings, and admin credentials hardcoded during development, e.g. grep -riE 'api_key|secret|password' dist/ (the -E flag is needed for the | alternation to work as a regex rather than a literal character).
  • These are among the most commonly found critical findings in real applications.

// WHAT INTERVIEWERS LOOK FOR

Tests three separate layers: API response body, error responses (separately), and application logs. Includes the frontend bundle as a distinct test surface.