Angular ReDoS Vulnerability: How Indian Startups Can Protect Their Web Apps
What Happened
In March 2023, Snyk published a Regular Expression Denial of Service (ReDoS) vulnerability in AngularJS, tracked as CVE-2023-26117. It affects every version of the angular npm package, that is, AngularJS 1.x from 1.0.0 onward; Angular 2 and later (the @angular/* packages) are a separate code base and do not contain the flaw. The vulnerable code is in the $resource service (the ngResource module), which builds request URLs with a regular expression that a large, carefully crafted input can drive into catastrophic backtracking.
When such an input reaches that regex, the engine explores an exponentially growing number of ways to match before it can conclude that no match exists, and the JavaScript thread it runs on is blocked for the whole time. AngularJS runs in the browser, so the thread that stalls is normally the affected user's tab; if you execute AngularJS code in Node.js (server-side rendering, prerendering, test runners), it is that process instead, and every request it serves waits with it. This isn't a data breach vulnerability, nothing is read or altered; it's a Denial of Service (DoS), and a single request is enough to trigger it.
AngularJS, despite its first release more than a decade ago, remains embedded in thousands of legacy web applications across India, from fintech platforms to e-commerce startups to government-facing portals. Google ended AngularJS support on 31 December 2021, and no patched release of the public angular package exists for this CVE; the only remediations are migration or a commercial extended-support fork. Many Indian businesses never migrated to Angular 2+ because their systems "worked fine," making them unknowingly exposed to this flaw.
Reference: NIST NVD entry for CVE-2023-26117
Why This Matters for Indian Businesses
Let me be direct: if you're running an Angular 1.x application in India, you need to pay attention to this.
First, the regulatory angle. The Digital Personal Data Protection (DPDP) Act, 2023 requires data fiduciaries to implement reasonable security safeguards, and its definition of a personal data breach expressly includes loss of access to personal data that compromises its availability, not only leaks. A ReDoS attack that makes your application unresponsive and keeps legitimate users from their data therefore falls within that definition, and a preventable one invites regulatory scrutiny.
Second, CERT-In (Indian Computer Emergency Response Team) requires, under its April 2022 directions, that cybersecurity incidents, DoS and DDoS attacks explicitly among them, be reported within 6 hours of being noticed. If a ReDoS attack brings down your service, you're legally required to notify CERT-In. The notification process itself is burdensome, and the incident becomes part of your compliance record.
Third, there's the business impact. In my years building enterprise systems, I've seen how a single ReDoS attack can take down a critical service for hours. For an Indian SaaS startup or fintech platform, that's lost revenue, lost customer trust, and potential churn. For a payment gateway or lending platform, it's regulatory penalties under RBI guidelines.
Fourth, attackers are already scanning for this. Shodan, Censys, and other internet-wide scanners can identify Angular 1.x applications. Malicious actors routinely test for known vulnerabilities in publicly exposed services. If your application is vulnerable, it's only a matter of time before someone tests it.
Technical Breakdown
Let's dive into how this vulnerability works.
Angular's $resource service (ngResource) is used to interact with RESTful backends. It takes a URL template such as /users/:id, parses it with regular expressions to find the :param placeholders, and substitutes parameter values; the vulnerable regular expression lives in that URL-handling path. The pattern below is an illustrative URL parser in the same spirit, not the code from angular-resource.js, and on its own it does not backtrack catastrophically; it is here to show the kind of grouping a URL parser uses:
// Illustrative pattern in the spirit of RFC 3986 appendix B; NOT the regex in angular-resource.js
var URL_MATCH = /^([^:/?#]+:)?(\/\/([^/?#]*))?(([^?#]*)?(\?([^#]*))?(#(.*))?)?$/;
Catastrophic backtracking needs a pattern in which the same stretch of input can be consumed by overlapping or nested quantifiers, (a+)+ being the textbook case. Given a long run of repeated characters followed by something that makes the overall match fail, the engine must try every way of dividing the run between the quantifiers before it can give up, and the number of ways grows exponentially with the length of the run.
Here's the shape of such a payload:
// Attacker-controlled input of the shape that triggers catastrophic backtracking:
// a long run of one repeated character, then a character that forces the match to fail
var testInput = "a".repeat(50000) + "b"; // 50,000 'a's followed by 'b'
// A vulnerable regex tries exponentially many ways to split the run before it can
// report failure; CPU sits at 100% and the JavaScript thread freezes
// (the exact characters that trigger the AngularJS pattern are in the advisory;
// this shows the shape, it is not a verified proof of concept)
When such a payload reaches the vulnerable regex, through a URL parameter your code feeds into a $resource template, a value your backend returns that the client then uses to build a resource URL, or any other route into $resource, the JavaScript engine running AngularJS is stuck until the match finishes. In a browser that is the user's tab. In a Node.js process running AngularJS it is the whole process, and if that process serves other users, your service is down for all of them.
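The following is an added example, not code from this page or from AngularJS: it uses a textbook nested-quantifier pattern to show the exponential cost in real numbers, next to the linear-time pattern that accepts the same strings, and a length guard of the kind the server-side mitigations in this article rely on. The pattern, the payload and the 2048-character limit are assumptions chosen for illustration.

```javascript
// Added example (not from the page or the AngularJS code base). A nested-quantifier
// regex that really does backtrack exponentially, the linear-time pattern that
// accepts the same strings, and a guard that refuses oversized input before the
// regex engine ever runs. Pattern, payload and limit are illustrative assumptions.

// Vulnerable: (a+)+ can divide a run of n 'a's into 2^(n-1) groupings, and the
// trailing '$' fails on the final '!', so the engine tries every grouping.
const VULNERABLE = /^(a+)+$/;
// Same language, one way to match each string: linear in the input length.
const SAFE = /^a+$/;

// Attacker-shaped input (constructed): a run of the repeated character, then a
// character that forces the overall match to fail.
function redosPayload(n) {
  return 'a'.repeat(n) + '!';
}

// Run one test and return the result together with its wall-clock cost.
function timeTest(re, input) {
  const start = performance.now();        // global in Node 16+ and in browsers
  const matched = re.test(input);
  return { matched, ms: performance.now() - start };
}

// Defensive wrapper: cap the length before the engine sees the input. A cap does
// not repair a bad pattern, but it bounds the worst case an attacker can buy.
function boundedTest(re, input, maxLen = 2048) {
  if (typeof input !== 'string') return false;
  if (input.length > maxLen) {
    throw new RangeError(`input length ${input.length} exceeds ${maxLen}`);
  }
  return re.test(input);
}

// Compare both patterns on the same payload. Keep n small: each extra 'a'
// roughly doubles the vulnerable case, so n around 30 would hang the process.
function compare(n = 22) {
  const input = redosPayload(n);
  const vuln = timeTest(VULNERABLE, input);
  const safe = timeTest(SAFE, input);
  return {
    n,
    vulnMatched: vuln.matched,   // false
    safeMatched: safe.matched,   // false, but decided in microseconds
    vulnMs: vuln.ms,
    safeMs: safe.ms,
  };
}

console.log(compare());
```

Run it with node and then raise n by one at a time: the vulnerable column roughly doubles per character while the safe column stays flat, which is the signature to look for when you review your own patterns. The guard is deliberately placed before the regex call, because once the engine has started there is no way to interrupt it from JavaScript.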
Here's the attack flow:
graph TD
A[Attacker crafts malicious input] -->|e.g., 50K repeated chars| B[Sends payload to Angular app]
B -->|via URL/API/POST| C[Angular $resource processes input]
C -->|triggers vulnerable regex| D[Catastrophic backtracking begins]
D -->|exponential CPU consumption| E[Application becomes unresponsive]
E -->|service unavailable| F[Users cannot access application]
F -->|6-hour CERT-In notification required| G[Regulatory & business impact]
How to Protect Your Business
Step 1: Identify If You're Vulnerable
First, check whether your application ships AngularJS, either as the angular and angular-resource npm packages or as a vendored angular.js / angular-resource.js file:
# Check package.json and the installed dependency tree
grep -i "angular" package.json
npm ls angular angular-resource
# Vendored copies: the version is in the license header at the top of the file
grep -m1 "@license AngularJS" -r --include="angular*.js" .
# Look for versions like 1.0.0 - 1.8.x
# If you see "angular": "^1.x.x" or similar, you're at risk
Every AngularJS release is affected, including the final 1.8.3, so any 1.x version means you are vulnerable.
Step 2: Migrate off AngularJS (Preferred Solution)
AngularJS is end-of-life and no fixed version of the angular package was published, so the real fix is to move to Angular 2+ (or another maintained framework), which does not contain the vulnerable code. Angular is a different framework, not a newer release of the same package: the migration is a rewrite, usually done incrementally as a hybrid app with ngUpgrade rather than a version bump. However, I understand this isn't always feasible for legacy systems on short notice.
# Angular 2+ packages are separate from the AngularJS "angular" package.
# Installing them starts a migration (for example a hybrid app via @angular/upgrade);
# they do not patch the AngularJS code already in your bundle
npm install --save @angular/core@latest
npm install --save @angular/common@latest
npm install --save @angular/upgrade@latest
# Test your application thoroughly
npm test
npm run build
Step 3: Wrap the Vulnerable Service (If Migration Isn't Possible)
If you cannot migrate immediately, you can wrap the vulnerable $resource service so that oversized values never reach its regular expression. AngularJS's $provide.decorator lets you intercept the service without forking angular-resource.js:
// In your AngularJS app, wrap ngResource's $resource with $provide.decorator so the
// URL template and default parameters are length-checked before the original
// service (and its regular expression) ever sees them
app.config(['$provide', function($provide) {
  $provide.decorator('$resource', ['$delegate', function($delegate) {
    var MAX_LEN = 2048; // generous for real URL templates, far below a ReDoS payload
    function assertShort(value, what) {
      if (typeof value === 'string' && value.length > MAX_LEN) {
        throw new Error(what + ' exceeds maximum length of ' + MAX_LEN);
      }
    }
    return function(url, paramDefaults, actions, options) {
      assertShort(url, 'URL template');
      angular.forEach(paramDefaults, function(value, key) {
        assertShort(value, 'parameter ' + key);
      });
      // Hand off to the original $resource implementation
      return $delegate(url, paramDefaults, actions, options);
    };
  }]);
}]);
This checks what is passed when the resource is defined; values passed to individual actions (for example Resource.get({id: userInput})) go straight to the original service, so keep the server-side limits in Step 4 as well. It is a stopgap, not a fix.
Step 4: Implement Input Validation
Add server-side validation to reject excessively long or malformed inputs before any route handler, and before anything is echoed back to the client where $resource might consume it:
// Node.js / Express example
const express = require('express');
const app = express();
// Let the body parser enforce the size limit at parse time (responds 413 Payload Too Large)
// instead of re-serialising the parsed body to measure it
app.use(express.json({ limit: '10kb' }));
app.use((req, res, next) => {
  // Query values may be strings or arrays (?id=a&id=b); check every string
  const values = [];
  for (const value of Object.values(req.query)) {
    if (Array.isArray(value)) values.push(...value);
    else values.push(value);
  }
  for (const value of values) {
    if (typeof value === 'string' && value.length > 2048) {
      return res.status(400).json({ error: 'Parameter too long' });
    }
  }
  // Bound the path too: $resource templates usually mirror your route structure
  if (req.path.length > 2048) {
    return res.status(414).json({ error: 'URI too long' });
  }
  next();
});
Step 5: Monitor for ReDoS Attacks
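As an added worked example of the detection this step calls for (not code from the page), the script below scans access-log lines for the two signals a ReDoS probe leaves behind: an input that is long or highly repetitive, and a request that took seconds to answer. It assumes an nginx log_format equal to the standard "combined" format with $request_time appended after the user agent; the sample lines are constructed, and the thresholds are assumptions to tune per service.

```javascript
// Added example (not from the page): detection logic for suspected ReDoS probes,
// run offline over constructed nginx access-log lines. It assumes a log_format
// equal to the "combined" format with $request_time appended after the user
// agent; the thresholds are illustrative and should be tuned per service.

// Constructed sample log. Line 2 is a long single-character run that also took
// 7.8 s to answer; line 4 is an alternating pattern that a single-character
// run check would miss.
const SAMPLE_LOG = [
  '10.0.0.5 - - [12/Apr/2023:10:15:01 +0530] "GET /api/resource?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.012',
  '10.0.0.9 - - [12/Apr/2023:10:15:03 +0530] "GET /api/resource?id=' + 'a'.repeat(3000) +
    ' HTTP/1.1" 200 0 "-" "python-requests/2.28" 7.834',
  '10.0.0.9 - - [12/Apr/2023:10:15:09 +0530] "POST /api/login HTTP/1.1" 401 96 "-" "curl/7.88.1" 0.031',
  '10.0.0.7 - - [12/Apr/2023:10:15:11 +0530] "GET /api/search?q=' + 'ab'.repeat(700) +
    '! HTTP/1.1" 200 128 "-" "Mozilla/5.0" 0.250',
];

const THRESHOLDS = { maxQueryLen: 2048, maxRepeat: 500, slowSeconds: 5 };

// Field-by-field parser; every quantifier is bounded by a literal separator,
// so this regex itself cannot be driven into catastrophic backtracking.
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-) "[^"]*" "[^"]*" (\d+\.\d+)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, time, method, target, status, , seconds] = m;
  const q = target.indexOf('?');
  return {
    ip, time, method,
    status: Number(status),
    path: q === -1 ? target : target.slice(0, q),
    query: q === -1 ? '' : target.slice(q + 1),
    seconds: Number(seconds),
  };
}

// Longest back-to-back repetition of any short substring (period 1..maxPeriod)
// anywhere in s: 'aaaa' scores 4, 'ababab' scores 3, 'id=42' scores 1.
function longestRepeat(s, maxPeriod = 8) {
  let best = s.length ? 1 : 0;
  for (let p = 1; p <= maxPeriod; p++) {
    let matches = 0;
    for (let i = p; i < s.length; i++) {
      matches = s[i] === s[i - p] ? matches + 1 : 0;
      best = Math.max(best, Math.floor((matches + p) / p));
    }
  }
  return best;
}

function findings(rec, t = THRESHOLDS) {
  const reasons = [];
  if (rec.query.length > t.maxQueryLen) reasons.push(`query length ${rec.query.length} > ${t.maxQueryLen}`);
  const rep = longestRepeat(rec.query);
  if (rep > t.maxRepeat) reasons.push(`repeated pattern x${rep}`);
  if (rec.seconds >= t.slowSeconds) reasons.push(`request_time ${rec.seconds}s`);
  return reasons;
}

// Returns one alert per suspicious line; unparsable lines are skipped, not fatal.
function scanLog(lines, t = THRESHOLDS) {
  const alerts = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const reasons = findings(rec, t);
    if (reasons.length) alerts.push({ ip: rec.ip, time: rec.time, path: rec.path, reasons });
  }
  return alerts;
}

console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
```

The repetition check uses a short-period scan rather than a regex such as (.)\1{499,}, both to catch alternating payloads and to avoid putting another backtracking pattern into the detection path. Feed it a live tail of your access log, or point your SIEM at the same three fields (query length, repetition, request_time), and treat a hit on the request_time rule as the signal to pull a thread dump from the affected process.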
Set up monitoring so that you notice a ReDoS before your users do. The signature is a CPU-bound process that stops answering, so alert on both:
# Monitor CPU usage and response times
# Alert if CPU > 80% for > 5 seconds
# Alert if response time > 5 seconds
# Smoke test against a local copy only: send an oversized parameter and check whether the
# server still answers within 5 seconds. This exercises your backend's own input handling;
# it does not reproduce CVE-2023-26117, whose regex runs in the browser
curl -X GET "http://localhost:8080/api/resource?id=$(python3 -c 'print("a"*50000)')" --max-time 5
Quick Fix: Immediate Mitigation
If you can't patch immediately, rate limiting reduces how often an attacker can retry, but be clear about its limit: a ReDoS needs only one request to stall a thread, so this slows repeated abuse rather than preventing the attack. It belongs alongside the input-length checks above, not in place of them:
# Install express-rate-limit
npm install express-rate-limit
const rateLimit = require('express-rate-limit');
const limiter = rateLimit({
windowMs: 1 * 60 * 1000, // 1 minute
max: 100, // limit each IP to 100 requests per windowMs
message: 'Too many requests from this IP, please try again later.'
});
// Apply to all routes
app.use(limiter);
// Or apply to specific routes
app.get('/api/resource', limiter, (req, res) => {
// Your handler
});
How Bachao.AI Would Have Prevented This
This is exactly why I built Bachao.AI—to make enterprise-grade security accessible to Indian SMBs who don't have dedicated security teams.
Here's how our platform would have caught this vulnerability:
VAPT Scan (Vulnerability Assessment & Penetration Testing)
- How it helps: Our automated VAPT scanner identifies known CVEs in your dependencies, including CVE-2023-26117 in Angular 1.x
- What you'd see: A report flagging "Angular 1.x with ReDoS vulnerability" with severity level and remediation steps
- Cost: Free tier available; comprehensive scan at ₹1,999
- Time to detect: Scan completes in 5-10 minutes
# Bachao.AI VAPT scan equivalent (using open-source tools)
npm audit
# Reports the ReDoS advisory for the angular package; note there is no fix version to upgrade to
API Security (REST/GraphQL vulnerability scanning)
- How it helps: If your Angular app exposes APIs, our scanner tests for ReDoS vulnerabilities by sending crafted payloads
- What you'd see: Real-time alerts if your API becomes unresponsive due to malicious input
- Cost: Included in comprehensive VAPT package
- Time to detect: Real-time during scan
Incident Response (24/7 breach response)
- How it helps: If a ReDoS attack brings down your service, our team helps with CERT-In notification (mandatory within 6 hours under Indian law)
- What you'd get: Incident timeline, root cause analysis, and regulatory compliance documentation
- Cost: ₹5,000-15,000 depending on severity
- Response time: 30 minutes for initial assessment
What You Should Do Right Now
- Check your dependencies: run npm audit and npm ls angular angular-resource to see whether you ship AngularJS 1.x
- Plan a migration: if you're on AngularJS, schedule a move to Angular 2+ (or another maintained framework); there is no patched AngularJS release to upgrade to
- Scan your codebase: Use Bachao.AI's free VAPT scan to identify all vulnerable dependencies
- Implement input validation: Add the server-side checks shown above
- Set up monitoring: Track CPU and response times to detect DoS attacks
The Bigger Picture
As someone who's reviewed hundreds of Indian SMB security postures, I can tell you this: most breaches and outages aren't due to sophisticated zero-days. They're due to known, patchable vulnerabilities like CVE-2023-26117 that teams simply didn't know about or deprioritized.
The DPDP Act, CERT-In mandate, and RBI guidelines aren't just compliance checkboxes—they exist because incidents like this have real consequences for businesses and their customers.
The good news? This vulnerability is 100% preventable. You don't need a team of security engineers. You need visibility into your dependencies and a plan to keep them updated, or to retire them when, as with AngularJS, no update is coming.
That's what Bachao.AI does.
Take 5 minutes to scan your application for CVE-2023-26117 and 500+ other known vulnerabilities. No credit card required.
This article was written by the Bachao.AI research team. We analyze cybersecurity incidents daily to help Indian businesses stay protected. Book a free security scan to check your exposure.
Written by Shouvik Mukherjee, Founder & CEO of Bachao.AI. Follow me on LinkedIn for daily cybersecurity insights for Indian businesses.