Excessive Data Exposure

Many APIs return every data field of an object and expect the client to filter out what it does not need. This data exposure can aid an attacker or lead directly to a data breach. For example, an API may return all of a user's personal information with the user object on every request, or expose an "admin" field that an attacker may then try to manipulate by other means. When reviewing code, look for API methods that return raw objects from the ORM with all fields included instead of an explicit response model.
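The following Python example is added here to illustrate the entry; it is not code from the original page. It contrasts an endpoint that serializes a raw record with every field (the anti-pattern described above) against one that uses an explicit allow-list of response fields, and includes a small review helper that reports which sensitive fields appear in a JSON response body. The `User` dataclass, the sample record and the field names are constructed for the example and stand in for a row loaded from an ORM.

```python
from dataclasses import dataclass, asdict
import json


@dataclass
class User:
    """Constructed stand-in for an ORM model; every column is present on the object."""
    id: int
    username: str
    email: str
    password_hash: str
    is_admin: bool
    internal_notes: str


# Constructed sample record; the hash value is a placeholder, not a real credential.
SAMPLE_USER = User(
    id=42,
    username="alice",
    email="alice@example.com",
    password_hash="$2b$12$constructed-placeholder-hash",
    is_admin=False,
    internal_notes="flagged for manual review",
)


def serialize_user_raw(user: User) -> str:
    """Anti-pattern: dump every field of the ORM object and trust the client to filter."""
    return json.dumps(asdict(user))


# Explicit allow-list: the only fields this public endpoint is meant to return.
PUBLIC_USER_FIELDS = ("id", "username")


def serialize_user_public(user: User) -> str:
    """Hardened: build the response from the allow-list, never from the raw object."""
    data = asdict(user)
    return json.dumps({name: data[name] for name in PUBLIC_USER_FIELDS})


# Fields that must never leave the server in an API response (constructed list).
SENSITIVE_FIELDS = frozenset({"password_hash", "is_admin", "internal_notes", "email"})


def leaked_sensitive_fields(response_body: str) -> set:
    """Review helper: return the sensitive field names present in a JSON response.

    Handles both a single object and a list of objects (e.g. a /users listing).
    """
    payload = json.loads(response_body)
    records = payload if isinstance(payload, list) else [payload]
    leaked = set()
    for record in records:
        if isinstance(record, dict):
            leaked |= set(record) & SENSITIVE_FIELDS
    return leaked


if __name__ == "__main__":
    print("raw response leaks:", sorted(leaked_sensitive_fields(serialize_user_raw(SAMPLE_USER))))
    print("public response leaks:", sorted(leaked_sensitive_fields(serialize_user_public(SAMPLE_USER))))
```

The allow-list approach is the one to look for in review: a response model that names its fields fails closed when a new sensitive column is added to the ORM model, whereas a raw `asdict`/`to_dict` serialization silently starts returning it.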