Why API security needs its own methodology
A standard VAPT tests the web app or mobile app. API security needs separate methodology because:
- APIs are increasingly the entire product surface (mobile apps, SDK customers, B2B integrations all hit the API)
- OWASP API Top 10 differs from OWASP Web Top 10 (BOLA dominates, not XSS)
- Rate limiting and authorization at the API layer are where most attacks succeed
- API documentation is often the most useful artifact for attackers (or the most useful artifact for defenders to validate)
What's in scope
Authentication and authorization (OWASP API Top 10 categories 1, 2, 3, 5):
- BOLA (Broken Object-Level Authorization) testing on every authenticated endpoint
- Broken authentication (token reuse, weak JWT signing, session fixation)
- Excessive data exposure (responses including more than the UI uses)
- Broken function-level authorization (admin endpoints reachable by non-admin users)
- Unrestricted resource consumption (rate limits absent or bypassable)
- Server-Side Request Forgery (SSRF) on URL-accepting endpoints
- Security misconfiguration (CORS, headers, error messages leaking data)
- Lack of resources & rate limiting (per-user, per-IP, per-endpoint quotas)
- Improper inventory management (deprecated API versions still callable)
- Unsafe consumption of APIs (third-party API responses trusted blindly)
- UPI API security (intent validation, transaction signing)
- DigiLocker / Aadhaar API integration security
- Account Aggregator framework security
- Payment Aggregator API security per RBI guidelines
- DPDP-compliant data handling in API responses
The 4-day delivery
Day 1: Documentation and discovery
- API spec review (OpenAPI / Postman collection / Swagger)
- Endpoint enumeration (documented + undocumented)
- Authentication model review
- Initial automated scanning
- Every authenticated endpoint tested for object-level authorization
- Multi-account testing (User A's token attempting to access User B's resource)
- Vertical privilege escalation (regular user attempting admin endpoint)
- Horizontal authorization edge cases
- Rate limiting validation (per-user, per-IP, per-endpoint)
- SSRF on URL-accepting endpoints
- Mass assignment testing
- Input validation edge cases
- Business logic abuse (race conditions, state machine violations)
- Findings categorised: Critical / High / Medium / Low
- Each finding includes PoC + remediation example
- 90-minute debrief with backend engineering team
Know your vulnerabilities before attackers do
Run a free VAPT scan — takes 5 minutes, no signup required.
Book Your Free ScanPricing
| Scope | Fee |
|---|---|
| Small API (< 30 endpoints) | ₹1.5L |
| Medium API (30–100 endpoints) | ₹3L |
| Large API (100–300 endpoints) | ₹5L |
| Fintech-specific (UPI, AA, RBI) | +50% |
Common findings
From our last 30 fintech API audits, in order of frequency:
- BOLA on at least one endpoint (24 of 30 APIs)
- Rate limit bypass via header manipulation or IP rotation (21 of 30)
- Excessive data exposure on at least one response (19 of 30)
- Missing or weak per-user rate limit (17 of 30)
- SSRF on at least one URL-accepting endpoint (12 of 30)
- Deprecated API version still callable in production (11 of 30)
- Verbose error messages exposing stack trace (10 of 30)
- JWT signing key weak or rotatable (9 of 30)
- Mass assignment vulnerability (8 of 30)
- Authorization race condition in transaction endpoints (6 of 30)
How to start
Schedule the API audit scoping call →
Related: Case Study: Fintech API Audit Found BOLA + Rate Limit Bypass · API Security for Indian Fintech
