API Console → customer-profile service / response inspector
Request
GET /v1/customers/248019/profile HTTP/1.1
Host: api.cyber-demo.net
Authorization: (none)
X-Client: web-test
Result
HTTP 200 OK
{
  "customer_name": "Wang C***",
  "account_mask": "8129****44",
  "branch_code": "TPE-07",
  "last_txn": "POS-51XX",
  "mobile": "09**-***-221"
}
Security Findings
Customer data can still be retrieved without an Authorization header
Changing only the customer id parameter returns a different customer's information
Response fields exceed the minimum necessary disclosure
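The three findings above map onto three server-side controls: authenticate the caller, check that the caller is allowed to read the specific customer object named in the path, and return only the fields the view needs. The handler below is an added example written for this page, not code from the customer-profile service; the customer records, bearer tokens and the "profile view" field list are constructed placeholders, and token validation is a plain dictionary lookup standing in for real signed-token verification.

```python
# Added example (not the service's own code): an authenticated, object-level
# authorized profile lookup with a minimized response.

# Constructed sample records standing in for the customer-profile store.
CUSTOMER_STORE = {
    "248019": {
        "customer_name": "Wang C***",
        "account_mask": "8129****44",
        "branch_code": "TPE-07",
        "last_txn": "POS-51XX",
        "mobile": "09**-***-221",
    },
    "248020": {
        "customer_name": "Lin J***",
        "account_mask": "5501****90",
        "branch_code": "KHH-02",
        "last_txn": "ATM-22XX",
        "mobile": "09**-***-118",
    },
}

# Constructed bearer token -> authenticated subject (customer id) mapping.
# A real service would verify a signed token; this lookup is an assumption.
TOKEN_SUBJECTS = {
    "token-for-248019": "248019",
    "token-for-248020": "248020",
    "token-for-orphan": "000001",   # valid token whose subject has no record
}

# Minimum-necessary fields for the profile view (assumed for the example).
PROFILE_VIEW_FIELDS = ("customer_name", "branch_code")


def _normalize_headers(headers):
    """HTTP header names are case-insensitive; compare them lower-cased."""
    return {name.lower(): value for name, value in headers.items()}


def authenticate(headers):
    """Return the subject bound to a valid bearer token, or None."""
    auth = _normalize_headers(headers).get("authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return TOKEN_SUBJECTS.get(token.strip())


def get_profile(headers, customer_id):
    """Handle GET /v1/customers/{customer_id}/profile; returns (status, body)."""
    subject = authenticate(headers)
    if subject is None:
        # Finding 1: no (or invalid) credential -> no data at all.
        return 401, {"error": "authentication required"}

    # Finding 2: object-level authorization. The path parameter is untrusted
    # input; the subject may only read its own object. This check runs before
    # the existence lookup so a caller cannot probe which ids exist.
    if subject != customer_id:
        return 403, {"error": "forbidden"}

    record = CUSTOMER_STORE.get(customer_id)
    if record is None:
        return 404, {"error": "not found"}

    # Finding 3: allow-list the response fields instead of returning the row.
    body = {field: record[field] for field in PROFILE_VIEW_FIELDS}
    return 200, body
```

The request shown in the inspector (no Authorization header, X-Client only) would now produce 401 rather than a full record, and a valid token for one customer requesting another customer's id produces 403 without revealing whether that id exists.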
Analyst Prompt
Is this unauthenticated access, unauthorized access, or an access-control bypass (reading another customer's object)?
Should the endpoint be taken down immediately, or should restrictions be added at the WAF / API Gateway?
Should development, security and legal/compliance be notified to assess this jointly?