\textit{Excessive Data Exposure}(EDE), which means APIs return data not utilized by web applications, has emerged as a critical security threat, ranking third among OWASP’s top API vulnerabilities in 2023. Existing detection methods primarily rely on black-box testing, which limits detection accuracy due to the underutilization of available public information, such as client-side source code, and results in high time costs. Moreover, this domain’s lack of standardized datasets hinders systematic comparative evaluations among different detection methods.

To address these challenges, we developed Mockingbird, a hybrid detection framework that integrates dynamic instrumentation and static analysis with enhanced test oracles. Mockingbird leverages the Chrome DevTools Protocol to control browsers, monitor requests, and recursively instrument responses. It then tracks the propagation paths of response values to analyze whether these data are genuinely used, enabling rapid and precise identification of excessively exposed data.

Furthermore, to facilitate advancement in this field, we constructed EDEBench, the first dedicated benchmark dataset for EDE detection, featuring five diverse open-source web projects. On EDEBench, Mockingbird demonstrates superior performance, achieving an average F1-Score of 92.20% (Precision: 93.03%, Recall: 91.39%). This represents a substantial improvement over the baseline black-box tool, particularly in the recall, where Mockingbird surpassed it by over 33 percentage points. Critically, Mockingbird’s detection efficiency is also transformative, with an average detection time of approximately 30 seconds for a significant number of fields, which is about 200 times faster than the baseline. This research contributes a novel grey-box methodology and substantial empirical support for its application in API security testing.