The Top 5 API Security Threats Hitting Indian Applications Right Now
If your business runs on mobile apps, web applications, or microservices — and in India in 2025, whose does not — then APIs are the backbone of your operations. The problem is that API security is consistently the most neglected aspect of application security in Indian organisations.
Threat 1: Broken Object Level Authorization (BOLA)
BOLA is the number one API vulnerability globally, and we find it in approximately 70% of Indian applications we test. The vulnerability is deceptively simple: an API endpoint takes an object ID as a parameter, and the server does not verify that the requesting user is authorised to access that specific object.
Prevention: Implement object-level authorisation checks on every API endpoint that accesses user-specific data.
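The following is an added example, not code from the original article: a minimal in-memory "orders" API written three ways, to show the BOLA flaw and the object-level check that fixes it. The order data, user IDs and function names are constructed for illustration.

```python
# Added example, not from the original article: a minimal in-memory "orders"
# API written three ways, to show the BOLA flaw and the object-level check
# that fixes it. Order data, user IDs and function names are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    amount_inr: int


class NotFound(Exception):
    """Object does not exist (HTTP 404)."""


class Forbidden(Exception):
    """Authenticated caller is not allowed to access this object (HTTP 403)."""


# Constructed sample data: user 1 owns order 1001, user 2 owns order 1002.
ORDERS = {
    1001: Order(order_id=1001, owner_id=1, amount_inr=2500),
    1002: Order(order_id=1002, owner_id=2, amount_inr=9900),
}


def get_order_vulnerable(requesting_user_id: int, order_id: int) -> Order:
    """BOLA: the order_id from the request is trusted as-is. Authentication
    proves who the caller is, but nothing checks that the caller owns the
    order, so any logged-in user can read any order by changing the ID."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return order


def get_order_secure(requesting_user_id: int, order_id: int) -> Order:
    """Object-level authorisation: load the object, then compare its owner
    with the authenticated caller before returning anything."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    if order.owner_id != requesting_user_id:
        # Fail closed. Many APIs return 404 here instead of 403 so that the
        # response does not confirm that someone else's order exists.
        raise Forbidden(order_id)
    return order


def get_order_scoped(requesting_user_id: int, order_id: int) -> Order:
    """Same guarantee, enforced by construction: the lookup itself is scoped
    to the caller's objects, so a handler cannot forget the ownership check.
    In a real service this is the WHERE owner_id = :user clause on the query."""
    owned = {o.order_id: o for o in ORDERS.values() if o.owner_id == requesting_user_id}
    order = owned.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return order
```

The scoped variant is the one to standardise on in a code base: when every repository method takes the caller's identity and filters by it, an endpoint that "forgets" the check cannot compile into a BOLA, and a test that walks every endpoint with every role (the approach the article recommends) has far less to find.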
Threat 2: Broken Authentication
We find APIs that accept expired JWT tokens, APIs where the token secret is 'secret123', and APIs where authentication can be bypassed by simply removing the Authorization header.
Prevention: Use well-established authentication libraries. Always validate token signatures.
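As an added example (not the article's code, and not a substitute for a maintained JWT library in production), the block below implements HS256 minting and verification with only the Python standard library so that each check the article says is missing is visible: a missing Authorization header is a hard failure, the algorithm is pinned server-side, the signature is compared in constant time, expiry is required and enforced, and a short secret such as 'secret123' is refused outright. The secret, claim names and function names are constructed.

```python
# Added example, not from the original article: stdlib-only HS256 JWT minting
# and verification showing the checks that Threat 2 says are missing. Secret,
# claims and function names are constructed for illustration.
import base64
import hashlib
import hmac
import json
import time

MIN_SECRET_BYTES = 32  # 256 bits, the minimum HMAC-SHA256 key size per RFC 7518


class AuthError(Exception):
    """Any verification failure. Callers map this to HTTP 401 and stop."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def _check_secret(secret: bytes) -> None:
    # A secret like 'secret123' is brute-forceable offline from one captured token.
    if len(secret) < MIN_SECRET_BYTES:
        raise ValueError("HS256 secret must be at least 32 bytes of random data")


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Issue a token. Included only so the example is self-contained."""
    _check_secret(secret)
    signing_input = _encode_segment({"alg": "HS256", "typ": "JWT"}) + "." + _encode_segment(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_bearer(authorization_header, secret: bytes, now: int = None) -> dict:
    """Validate the Authorization header value and return the claims, or raise AuthError."""
    _check_secret(secret)
    if now is None:
        now = int(time.time())
    # 1. No header, or not a bearer token: hard failure, never "anonymous".
    if not authorization_header or not authorization_header.startswith("Bearer "):
        raise AuthError("missing bearer token")
    parts = authorization_header[len("Bearer "):].split(".")
    if len(parts) != 3:
        raise AuthError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        raise AuthError("malformed header")
    # 2. Pin the algorithm server-side; never let the token choose it
    #    (this is what defeats 'alg: none' and key-confusion tokens).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise AuthError("unexpected alg")
    # 3. Recompute the signature and compare in constant time.
    expected = hmac.new(secret, (header_b64 + "." + body_b64).encode("ascii"), hashlib.sha256).digest()
    try:
        presented = _b64url_decode(sig_b64)
    except ValueError:
        raise AuthError("malformed signature")
    if not hmac.compare_digest(expected, presented):
        raise AuthError("bad signature")
    # 4. Only now trust the claims; require exp and enforce it.
    try:
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:
        raise AuthError("malformed claims")
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or now >= exp:
        raise AuthError("token expired or has no exp")
    return claims
```

The order matters: the signature is verified before any claim is read, so expiry, subject and scopes are only ever taken from a token the server itself signed. Everything this block does by hand is exactly what a well-established library does for you; the point of writing it out is to see which steps a home-grown implementation tends to drop.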
Threat 3: Server-Side Request Forgery (SSRF)
SSRF in APIs allows attackers to access cloud metadata services and steal IAM credentials. We have demonstrated SSRF attacks in Indian applications where we could access AWS metadata at 169.254.169.254 and retrieve temporary IAM credentials.
Prevention: Validate all user-supplied URLs. Block requests to internal IP ranges and cloud metadata endpoints.
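Below is an added example, not the article's code, of the validation step for a feature that fetches user-supplied URLs (webhooks, link previews, imports): it restricts the scheme, refuses embedded credentials, resolves the host, and rejects the request if any resolved address is non-global or in an explicitly blocked range, which covers loopback, RFC 1918 space and the link-local range that contains the cloud metadata service. The blocked ranges are standard; the DNS table, host names and function names used so it runs offline are constructed.

```python
# Added example, not from the original article: an outbound-URL validator for
# an API feature that fetches user-supplied URLs. The blocked ranges are the
# usual non-global ranges; the DNS table and host names are constructed so the
# example runs offline.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Ranges an API must never fetch on a user's behalf. Most are already
# non-global in the ipaddress module; they are listed to document intent
# (169.254.0.0/16 contains the cloud metadata service at 169.254.169.254).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


class UnsafeURL(Exception):
    """Reject the request with 400; the caller must not attempt the fetch."""


def system_resolve(host: str) -> list:
    """Production resolver: every A/AAAA record for the host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed DNS table for offline demonstration (not real hosts).
CONSTRUCTED_DNS = {
    "example.test": ["1.2.3.4"],
    "localhost": ["127.0.0.1"],
    "intranet.test": ["10.0.0.5"],
    "rebind.test": ["1.2.3.4", "169.254.169.254"],  # one public and one internal record
}


def stub_resolve(host: str) -> list:
    try:
        return CONSTRUCTED_DNS[host]
    except KeyError:
        raise socket.gaierror("constructed resolver: unknown host %r" % host)


def _is_blocked(addr) -> bool:
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) before classifying.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (not addr.is_global) or any(addr in net for net in BLOCKED_NETWORKS)


def validate_outbound_url(url: str, resolve=system_resolve) -> str:
    """Return url unchanged if it is safe to fetch, else raise UnsafeURL."""
    try:
        parts = urlsplit(url)
    except ValueError:
        raise UnsafeURL("unparseable URL")
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL("scheme not allowed: %r" % parts.scheme)
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    if parts.username or parts.password:
        raise UnsafeURL("credentials in URL")
    try:
        addrs = [ipaddress.ip_address(host)]  # IP literal, no lookup needed
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError):
            raise UnsafeURL("cannot resolve %r" % host)
    if not addrs:
        raise UnsafeURL("no address records")
    # Check EVERY record: a name with one public and one internal address is
    # rejected, not accepted because the first record looked fine.
    for addr in addrs:
        if _is_blocked(addr):
            raise UnsafeURL("%r resolves to blocked address %s" % (host, addr))
    return url
```

Two caveats a practitioner should pair with this check. The address a name resolves to can change between validation and the actual connection, so the HTTP client should connect to the address that was validated (or all outbound traffic should go through an egress proxy that applies the same policy). Redirects must be disabled or each redirect target re-validated, because a 302 to an internal address bypasses a check done only on the original URL.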
Threat 4: Missing Rate Limiting
APIs without rate limiting are vulnerable to brute force attacks, credential stuffing, and abuse. We frequently find login APIs with no rate limiting — allowing unlimited password attempts.
Prevention: Implement rate limiting on all API endpoints. Use stricter limits on authentication endpoints.
Threat 5: Excessive Data Exposure
APIs often return more data than the client needs. A user profile API might return the password hash, Aadhaar number, internal IDs, and admin flags — even though the mobile app only displays the name and email.
Prevention: Return only the fields the client actually needs. Never include sensitive fields in API responses.
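As an added example (not the article's code), the block below treats response schemas as explicit allow-lists, chosen per viewer, and adds a deny-list of fields that can never be serialised no matter what a schema says, so a mistaken allow-list fails when the schema is declared rather than leaking in production. The user record, field names and views are constructed; the Aadhaar value is a placeholder, not a real number.

```python
# Added example, not from the original article: response schemas as explicit
# allow-lists plus a deny-list of fields that can never be serialised. The
# record, field names and views are constructed.

# Fields that must never leave the service in any API response. Checked when a
# schema is declared, so an accidental allow-list entry fails at import time.
NEVER_EXPOSE = frozenset({"password_hash", "aadhaar_number", "is_admin", "internal_id"})


class Schema:
    def __init__(self, name: str, fields, nested=None):
        leak = NEVER_EXPOSE.intersection(fields)
        if leak:
            raise ValueError("schema %r would expose %s" % (name, sorted(leak)))
        self.name = name
        self.fields = tuple(fields)
        self.nested = dict(nested or {})  # field name -> Schema for sub-objects

    def dump(self, record: dict) -> dict:
        """Copy only the allowed fields; everything else in the record is dropped."""
        out = {}
        for field in self.fields:
            if field not in record:
                continue
            value = record[field]
            sub = self.nested.get(field)
            out[field] = sub.dump(value) if sub is not None and isinstance(value, dict) else value
        return out


# What other users may see versus what the account owner sees of their own record.
ADDRESS_PUBLIC = Schema("address.public", ["city", "state"])
ADDRESS_SELF = Schema("address.self", ["line1", "city", "state", "pincode"])
PROFILE_PUBLIC = Schema("user.public", ["id", "name", "address"], nested={"address": ADDRESS_PUBLIC})
PROFILE_SELF = Schema("user.self", ["id", "name", "email", "phone", "address"],
                      nested={"address": ADDRESS_SELF})


def profile_response(record: dict, viewer_id: int) -> dict:
    """Pick the schema by who is asking, then serialise through it."""
    schema = PROFILE_SELF if viewer_id == record["id"] else PROFILE_PUBLIC
    return schema.dump(record)


def leaked_fields(obj) -> set:
    """Audit helper for tests: every NEVER_EXPOSE key present anywhere in a response."""
    found = set()
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key in NEVER_EXPOSE:
                found.add(key)
            found |= leaked_fields(value)
    elif isinstance(obj, list):
        for item in obj:
            found |= leaked_fields(item)
    return found


# Constructed database row, i.e. what the ORM hands back before serialisation.
SAMPLE_USER = {
    "id": 42,
    "internal_id": "usr_constructed",
    "name": "Asha",
    "email": "asha@example.test",
    "phone": "+91-0000000000",
    "password_hash": "$2b$12$constructed-hash-placeholder",
    "aadhaar_number": "PLACEHOLDER-NOT-A-REAL-NUMBER",
    "is_admin": False,
    "address": {"line1": "12 Example Road", "city": "Bengaluru", "state": "Karnataka", "pincode": "560001"},
}
```

The `leaked_fields` helper is worth running in a contract test over every endpoint's sample response; it catches the case the article describes, where the mobile app only renders name and email but the JSON behind it carries the whole row.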
The Pattern We See
API security requires a different approach than web application security. You cannot protect APIs by putting a WAF in front of them. API security requires understanding the business logic, testing every endpoint with every user role, and validating that authorisation, authentication, and data handling are correct at every level.