Mockingbird: Efficient Excessive Data Exposures Detection via Dynamic Code Instrumentation

Excessive Data Exposure (EDE), where an API returns redundant data to the client beyond what is required for its functionality, has become a pervasive and severe security threat. However, automated detection techniques for such vulnerabilities remain underdeveloped, and existing methods, particularly black-box fuzzing, face significant bottlenecks in terms of accuracy and efficiency. To address these challenges, we propose Mockingbird, an automated detection tool based on a statically-assisted dynamic analysis approach. The tool leverages the JavaScript Proxy mechanism for efficient dynamic taint tracking to precisely identify the dangling data that is transmitted from an API response to the client but never consumed by any expected functionality, such as UI rendering or state management. Furthermore, to tackle the lack of a standardized benchmark in this domain, we have constructed and open-sourced EDEBench, the first persistent benchmark for EDE evaluation, comprising 8 popular open-source web projects built on diverse modern technology stacks. Experimental evaluation on EDEBench shows that, compared to the state-of-the-art, Mockingbird achieves an average F1-score improvement of 24.1% (Precision +15.8%, Recall +32.8%), enhances detection speed by nearly 20 times, and demonstrates broad applicability across all tested frameworks. These results provide a clear illustration of our tool’s accuracy, applicability, and efficiency. The source code is available at https://github.com/NeoSunJZ/Mockingbird-JS.