Continuous API and GraphQL Pentesting Against OWASP API Top 10 for Indian SaaS

By Yash Goti, Jun 16, 2026, 11 min read

If your SaaS or fintech platform ships APIs every sprint, the annual external pentest is no longer a control — it is a checkbox that misses BOLA, mass assignment and GraphQL depth abuse the moment a new field, resolver or scope ships. Continuous API penetration testing means running a release-cadence test plan that maps every OWASP API Top 10 2023 risk to authenticated, role-aware test cases, with sample evidence and retest artefacts that satisfy DPDPA, RBI and SEBI CSCRF auditors. This is the operating model Certbar Security uses across 1,200+ engagements, and the one we document below.

Why Annual API Pentests Miss BOLA and Mass Assignment

Most Indian SaaS and fintech teams still procure API security as a once-a-year, fixed-scope audit. That model fails for a structural reason: APIs change faster than the audit cycle. A typical mid-stage SaaS ships 40 to 120 endpoint or resolver changes a quarter — new tenant scopes, fields, webhooks, internal admin endpoints. By the time the annual report lands, the threat surface tested is months stale.

The OWASP API Security Project's API Top 10 2023 reflects this reality. The top three categories — API1:2023 Broken Object Level Authorization (BOLA), API2:2023 Broken Authentication, and API3:2023 Broken Object Property Level Authorization (which absorbed mass assignment and excessive data exposure) — are all logic flaws that are introduced by a single careless PR. They do not show up in SAST. They rarely show up in DAST. They only surface when a tester with two valid tenant accounts walks the object graph and tries to read or mutate someone else's resource.

The financial cost of getting this wrong is no longer abstract. The IBM Cost of a Data Breach Report 2024 placed the average breach in India at roughly ₹19.5 crore, with API and web-app vectors among the leading initial access patterns. The Optus 2022 breach in Australia — an unauthenticated REST endpoint exposing roughly 9.8 million customer records — is the canonical BOLA-adjacent case study, and Indian regulators now cite it in CERT-In advisories. Annual testing would not have caught it. A continuous program scoped around authorization decisions would have.

The point is not to abandon the deep annual assessment — CERT-In empanelment requirements and SEBI CSCRF still expect one — but to wrap it in a lighter, release-gated layer that prevents regressions between full audits. That is what the rest of this post operationalises.

OWASP API Top 10 2023 Mapped to Continuous Test Cases

A continuous program needs test cases, not categories. Below is how Certbar's API testing playbook maps each OWASP API Top 10 2023 risk to a concrete, repeatable check we run on every release candidate.

OWASP ID | Risk | Continuous test case
--- | --- | ---
API1:2023 | Broken Object Level Authorization (BOLA) | Two-tenant matrix: Tenant A's bearer token attempts GET/PUT/DELETE on every resource ID enumerated from Tenant B's session. Failure if any 2xx outside expected sharing rules.
API2:2023 | Broken Authentication | JWT alg=none, kid path traversal, refresh token replay after logout, OTP brute-force without throttle, password reset token entropy under 128 bits.
API3:2023 | Broken Object Property Level Authorization | Mass assignment fuzz: POST/PATCH bodies injected with role, isAdmin, tenantId, balance, kycStatus. Diff response object against documented schema for excessive exposure.
API4:2023 | Unrestricted Resource Consumption | Burst 1,000 req/s against expensive endpoints (search, export, PDF) without auth, then with low-tier auth. Confirm 429 and per-tenant quota enforcement.
API5:2023 | Broken Function Level Authorization (BFLA) | Lower-privilege role attempts every admin verb discovered via spec or proxy crawl. Includes hidden internal-only endpoints.
API6:2023 | Unrestricted Access to Sensitive Business Flows | Automate signup, invite, coupon, referral and KYC flows at machine speed. Confirm device-fingerprint, velocity and CAPTCHA controls fire.
API7:2023 | Server Side Request Forgery | Webhook, avatar URL, PDF render and import-from-URL endpoints fuzzed against 169.254.169.254, file://, gopher:// and DNS rebinding.
API8:2023 | Security Misconfiguration | Inspect TLS, CORS, security headers, error verbosity, default credentials, exposed actuator/debug endpoints, S3 ACLs behind signed URLs.
API9:2023 | Improper Inventory Management | Compare production OpenAPI/GraphQL schema against staging and v1/v2/beta hosts. Flag shadow and zombie endpoints.
API10:2023 | Unsafe Consumption of APIs | Test how the platform handles malformed responses from upstream providers (payment gateway, eKYC, credit bureau), including injected headers and redirect chains.

Each row is a script, not a sentence. Our penetration testing services ship these as a parameterised collection (Postman, Bruno or k6) plus a custom Burp Suite extension, so that the same checks run in CI as a smoke layer and in a guided manual pass before release.
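As an added illustration of the API3:2023 row (this is example code written for this article, not Certbar's collection or Burp extension), the check below runs the mass-assignment probe against two constructed in-memory PATCH handlers: one that merges the request body into the stored record, and one that allowlists writable properties and serialises only the documented response fields. The field names, the user record and the documented schema are all constructed for the example.

```python
# Added example (not Certbar's harness): a mass-assignment fuzz in the style of
# the API3:2023 row, run against two constructed in-memory PATCH handlers.
from copy import deepcopy

# Constructed schema: fields the API documents in its response object ...
DOCUMENTED_RESPONSE_FIELDS = {"id", "email", "displayName", "tenantId"}
# ... and the privileged properties the fuzz probes for writability.
PRIVILEGED_FIELDS = {"role", "isAdmin", "tenantId", "balance", "kycStatus"}
WRITABLE_BY_OWNER = {"displayName"}


def make_user():
    """Constructed tenant-A member record as stored server-side."""
    return {"id": 42, "email": "a@example.test", "displayName": "A",
            "tenantId": "t-A", "role": "member", "isAdmin": False,
            "balance": 0, "kycStatus": "pending", "passwordHash": "<redacted>"}


def patch_user_vulnerable(user, body):
    """Anti-pattern: merges the whole request body into the stored record
    and echoes the full record back, password hash included."""
    user.update(body)
    return dict(user)


def patch_user_hardened(user, body):
    """Allowlists writable properties and serialises only documented fields."""
    for key, value in body.items():
        if key in WRITABLE_BY_OWNER:
            user[key] = value
        # Unknown or privileged keys are dropped; a strict API would 400 instead.
    return {k: v for k, v in user.items() if k in DOCUMENTED_RESPONSE_FIELDS}


def mass_assignment_fuzz(handler):
    """Sends one probe with every privileged property set, then diffs the stored
    record (mass assignment) and the response (excessive exposure).
    Returns a list of finding strings; an empty list is a pass."""
    probe = {"displayName": "fuzzed", "role": "admin", "isAdmin": True,
             "tenantId": "t-B", "balance": 10**6, "kycStatus": "verified"}
    user = make_user()
    before = deepcopy(user)
    response = handler(user, probe)
    findings = []
    for field in sorted(PRIVILEGED_FIELDS):
        if user[field] != before[field]:
            findings.append(f"mass assignment: {field} changed to {user[field]!r}")
    for field in sorted(set(response) - DOCUMENTED_RESPONSE_FIELDS):
        findings.append(f"excessive exposure: undocumented field {field!r} in response")
    return findings


if __name__ == "__main__":
    for name, handler in (("vulnerable", patch_user_vulnerable),
                          ("hardened", patch_user_hardened)):
        print(name, mass_assignment_fuzz(handler) or ["PASS"])
```

Against a real staging API the two handler calls become a PATCH with each tenant's bearer token followed by a GET of the same object, and the diff is taken between the stored object before and after the probe rather than on an in-memory dict.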

GraphQL-Specific Risks: Introspection, Batching, Depth Abuse

GraphQL inherits every REST risk and adds four of its own. The OWASP API Top 10 2023 acknowledges this implicitly but does not enumerate them, which is why teams ship GraphQL with REST-shaped checklists and miss the obvious.

Introspection in production. Apollo, Hasura and Yoga default introspection to on in many starter templates. An attacker queries __schema and receives the entire type graph — mutations, internal admin queries, hidden fields. Disable introspection in production, gate it behind a privileged role for staging, and add a CI check that fails the build if __schema returns 200 on the prod hostname.

Query depth and breadth abuse. A single recursive query — user { followers { followers { followers { ... } } } } — can fan out to millions of resolver calls. Enforce a max depth (Certbar's default recommendation is 7), max alias count, max complexity score using a cost-analysis library, and a per-query timeout. The graphql-query-complexity middleware is the reference implementation.

Batching and alias-based brute force. GraphQL lets a client send 1,000 login mutations in one HTTP request using aliases. Per-IP rate limits do not catch this because it is one request. The fix is per-operation rate limiting and explicit alias-count caps. The 2022 GitLab GraphQL rate-limit bypass (CVE-2021-4191) is the canonical example.
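The depth and alias limits above are normally enforced in the server's middleware (graphql-query-complexity in the Node ecosystem). As an added example, not Certbar's checklist code and not that middleware, the following Python pre-flight check computes selection-set depth and alias count for a GraphQL document with a small hand-written scanner, so a release harness can assert that the limits are configured before any query reaches the resolvers. The three sample queries are constructed; the alias cap of 20 is an assumed value.

```python
# Added example: standalone depth and alias counter for GraphQL documents.
# Not a replacement for a cost-analysis middleware; it only counts structure.
import re

# An identifier (optionally followed by whitespace) immediately before a colon,
# at selection-set level, is an alias: `a1: login(...) { token }`.
IDENT_BEFORE_COLON = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)\s*$")

MAX_DEPTH = 7       # Certbar's default recommendation quoted in the text
MAX_ALIASES = 20    # assumed cap for the example; tune per schema


def analyse_query(text):
    """Return (max_selection_depth, alias_count). The root selection set
    counts as depth 1. Braces inside argument lists (object literals) and
    colons inside parentheses (arguments, variable definitions, directives)
    are ignored; strings and comments are skipped."""
    depth = max_depth = paren = aliases = 0
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c == "#":                              # comment to end of line
            while i < n and text[i] != "\n":
                i += 1
            continue
        if c == '"':
            if text.startswith('"""', i):         # block string
                end = text.find('"""', i + 3)
                i = n if end < 0 else end + 3
            else:                                 # ordinary string, with escapes
                i += 1
                while i < n and text[i] != '"':
                    i += 2 if text[i] == "\\" else 1
                i += 1
            continue
        if c == "(":
            paren += 1
        elif c == ")":
            paren -= 1
        elif paren == 0:
            if c == "{":
                depth += 1
                max_depth = max(max_depth, depth)
            elif c == "}":
                depth -= 1
            elif c == ":" and depth >= 1 and IDENT_BEFORE_COLON.search(text[:i]):
                aliases += 1
        i += 1
    return max_depth, aliases


def guard(text, max_depth=MAX_DEPTH, max_aliases=MAX_ALIASES):
    """Decision a gateway would make before executing the document."""
    depth, aliases = analyse_query(text)
    if depth > max_depth:
        return f"reject: depth {depth} > {max_depth}"
    if aliases > max_aliases:
        return f"reject: {aliases} aliases > {max_aliases}"
    return "allow"


# Constructed sample documents.
BENIGN = "query Me($id: ID!) { me(id: $id) { id name @include(if: true) } }"
DEEP = ("{ user(id: 1) { followers { followers { followers { followers "
        "{ followers { followers { followers { id } } } } } } } } }")
BATCH = "mutation { " + " ".join(
    f'a{i}: login(email: "u@example.test", password: "p{i}") {{ token }}'
    for i in range(50)) + " }"

if __name__ == "__main__":
    for name, q in (("benign", BENIGN), ("deep", DEEP), ("batch", BATCH)):
        print(name, analyse_query(q), guard(q))
```

The batch document is a single HTTP request, which is exactly why a per-IP limiter never sees 50 login attempts; counting aliases per operation is what turns it into 50 for the rate limiter.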

Field-level authorization gaps. REST authorizes at the endpoint. GraphQL authorizes at the resolver. A single mutation can touch ten resolvers; if one resolver does not re-check tenant scope, BOLA returns under a different shape. Use a directive-based auth library (graphql-shield, Nexus plugin-shield) and assert in tests that every resolver enforces tenant and role.

Our GraphQL pentest checklist runs all four classes against every release candidate, plus a fuzz pass over persisted queries and a check that x-apollo-operation-name spoofing cannot bypass query allowlists.

Authn/Authz Test Patterns Across REST and GraphQL

Authorization is where 70 to 80 per cent of high-severity API findings cluster in our 2024-2025 engagement data. The patterns below are protocol-agnostic and should run on every release.

  • Horizontal escalation matrix. Provision two production-like tenants, A and B, with three roles each (admin, member, read-only). Run the full 9x9 cross-product: can A-admin act on B-resources? Can A-member read B-admin scopes? Automate via a tagged Postman collection.
  • Vertical escalation per verb. For every mutation or write endpoint, attempt with the lowest role. Most BFLA findings live in seldom-used verbs — DELETE on shared resources, PATCH on settings objects, POST on /invite or /transfer-ownership.
  • Token lifecycle. Test refresh-after-logout, refresh-after-password-change, refresh-after-role-revoke, and concurrent-session limits. RBI's Master Direction on IT Governance (Nov 2023) expects session controls to be evidenced.
  • IDOR via indirect identifiers. Find endpoints that accept slugs, emails, phone numbers or invite codes instead of numeric IDs. These are the BOLA findings linters miss because the parameter does not look like an ID.
  • JWT and OAuth edge cases. alg=none, alg confusion (RS256 to HS256), expired-token replay, audience confusion across microservices, refresh-token rotation, and PKCE downgrade on mobile clients.
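The JWT edge cases listed above (and the API2:2023 row) are caught by a verifier that pins the algorithm to the key rather than trusting the token's own alg header. The following is an added example written for this article, using only the Python standard library; it is not Certbar's harness code. The key, audience and claims are constructed; the verify function returns a reason string so a harness can record why a token was refused.

```python
# Added example: an HS256 verifier that pins the algorithm and checks
# expiry and audience, plus a signer used only to build test tokens.
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a test token; a real issuer would live elsewhere."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"},
                                       separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify(token, key, expected_alg="HS256", expected_aud="api.example.test", now=None):
    """Return (ok, reason, claims). The algorithm is chosen by the server
    configuration for this key; the token's alg field must simply match it,
    so alg=none and RS256-to-HS256 confusion are both refused up front."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:                     # wrong part count, bad base64 or JSON
        return False, "malformed", None
    if header.get("alg") != expected_alg:
        return False, f"alg {header.get('alg')!r} not allowed", None
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        return False, "bad signature", None
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired", None
    if claims.get("aud") != expected_aud:  # audience confusion across services
        return False, "audience mismatch", None
    return True, "ok", claims


# Constructed test material.
KEY = b"constructed-test-key-not-for-production"
NOW = 1_700_000_000
GOOD = sign_hs256({"sub": "u1", "aud": "api.example.test", "exp": NOW + 300}, KEY)
OTHER_AUD = sign_hs256({"sub": "u1", "aud": "billing.example.test", "exp": NOW + 300}, KEY)
EXPIRED = sign_hs256({"sub": "u1", "aud": "api.example.test", "exp": NOW - 1}, KEY)
# alg=none token: header claims no signature is needed; the verifier must not agree.
NONE_TOKEN = _b64url_encode(b'{"alg":"none"}') + "." + GOOD.split(".")[1] + "."
# Tampered token: payload swapped for an admin claim, original signature kept.
TAMPERED = GOOD.split(".")[0] + "." + _b64url_encode(
    b'{"sub":"u1","aud":"api.example.test","exp":1700000300,"role":"admin"}'
) + "." + GOOD.split(".")[2]

if __name__ == "__main__":
    for name, tok in (("good", GOOD), ("none", NONE_TOKEN), ("tampered", TAMPERED),
                      ("other_aud", OTHER_AUD), ("expired", EXPIRED)):
        print(name, verify(tok, KEY, now=NOW)[:2])
```

The refresh-after-logout and refresh-after-role-revoke cases in the list are server-state checks rather than token checks, so they sit in the harness beside this verifier, not inside it.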

Each pattern produces a YAML-defined test case in our internal harness. The output is a pass/fail row with the exact request, response and the OWASP/CWE/MITRE ATT&CK mapping the auditor needs.
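The two-tenant matrix from the API1:2023 row and the horizontal and vertical escalation patterns above come down to one loop: every principal tries every verb on every object, and the harness compares the status against the documented sharing rule. The following is an added example for this article, not Certbar's YAML harness, run against two constructed in-memory authorization policies (one that checks role but not tenant, one that checks both). Tenants, roles, verbs and the sharing rule are all constructed.

```python
# Added example: tenant x role x verb authorization matrix with pass/fail rows,
# run against a constructed policy function instead of a live API.
from itertools import product

TENANTS = ("A", "B")
ROLES = ("admin", "member", "read-only")
VERBS = ("GET", "PUT", "DELETE")

# Constructed store: one document per tenant; the IDs stand in for the object IDs
# a tester enumerates from the other tenant's session.
DOCS = {"doc-1": {"tenant": "A"}, "doc-2": {"tenant": "B"}}


def role_permits(role, verb):
    """Documented within-tenant sharing rule (constructed for the example)."""
    if verb == "GET":
        return True
    if verb == "PUT":
        return role in ("admin", "member")
    return role == "admin"                        # DELETE


def allowed(principal, verb, doc):
    """The oracle: what the documented rules say should succeed."""
    tenant, role = principal
    return doc["tenant"] == tenant and role_permits(role, verb)


def policy_vulnerable(principal, verb, doc):
    """Checks the role but never the tenant: a textbook BOLA."""
    _, role = principal
    return 200 if role_permits(role, verb) else 403


def policy_hardened(principal, verb, doc):
    """Object-level check first, then function-level; 404 hides foreign objects."""
    tenant, role = principal
    if doc["tenant"] != tenant:
        return 404
    return 200 if role_permits(role, verb) else 403


def run_matrix(policy):
    """Every principal tries every verb on every document. A row fails when the
    outcome (2xx or not) disagrees with the oracle, which matches the table's
    rule: any 2xx outside the expected sharing rules is a finding."""
    rows = []
    for (tenant, role), verb, doc_id in product(product(TENANTS, ROLES), VERBS, DOCS):
        doc = DOCS[doc_id]
        status = policy((tenant, role), verb, doc)
        want = allowed((tenant, role), verb, doc)
        got_2xx = 200 <= status < 300
        rows.append({"who": f"{tenant}-{role}", "request": f"{verb} /docs/{doc_id}",
                     "expected": "allow" if want else "deny", "status": status,
                     "result": "PASS" if got_2xx == want else "FAIL"})
    return rows


def failures(policy):
    return [r for r in run_matrix(policy) if r["result"] == "FAIL"]


if __name__ == "__main__":
    for name, policy in (("vulnerable", policy_vulnerable), ("hardened", policy_hardened)):
        bad = failures(policy)
        print(f"{name}: {len(bad)} failing rows")
        for row in bad:
            print("  ", row["who"], row["request"], row["status"], "expected", row["expected"])
```

Each row already carries the who/request/status triple the evidence pack needs; swapping the policy function for an HTTP call with the principal's bearer token is the only change required to run it against staging.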

Continuous Cadence: What to Test on Every Release vs Quarterly

"Continuous" does not mean "everything, all the time." It means a tiered cadence where the fastest tests gate the fastest releases. Here is the model we deploy at Indian SaaS and fintech clients shipping weekly or faster.

  1. Per-PR (under 5 minutes). SAST plus a schema-diff job that flags new endpoints/resolvers, new fields and new scopes. A failing diff routes the PR to AppSec review before merge. This is automation, not pentesting.
  2. Per-release (under 60 minutes). Parameterised OWASP API Top 10 collection runs against staging with two tenants and three roles. Failures break the release. This is where mass assignment, BOLA-on-new-fields and GraphQL depth regressions are caught.
  3. Monthly (1 to 2 days). A senior tester walks the new attack surface manually — business logic, chained flows, race conditions, multi-step authorization. This is what no scanner replicates.
  4. Quarterly (5 to 10 days). Full grey-box engagement, including internal admin and partner APIs, with a fresh threat model and a board-ready brief mapped to your compliance framework. This is the engagement CERT-In empanelment and SEBI CSCRF expect on record.
  5. Annually. Independent re-audit and red-team simulation that includes APIs as one access vector among many. Pairs well with our red team assessment.
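The per-PR tier rests on a schema-diff job; the same comparison serves the API9:2023 inventory row when run between production and staging. As an added example, not Certbar's CI job, the function below diffs two OpenAPI 3 documents for new endpoints, new request-body fields and changed security scopes, and returns the routing decision the text describes. The two specs are constructed and deliberately small.

```python
# Added example: OpenAPI schema diff used as a per-PR gate. Operates on the
# parsed spec (a dict), so load JSON or YAML first with your usual library.
HTTP_METHODS = {"get", "post", "put", "patch", "delete"}


def flatten(spec):
    """Map 'METHOD /path' -> {'fields': set, 'scopes': set} for an OpenAPI 3 dict."""
    out = {}
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            if method.lower() not in HTTP_METHODS:
                continue
            schema = (op.get("requestBody", {}).get("content", {})
                        .get("application/json", {}).get("schema", {}))
            scopes = set()
            for requirement in op.get("security", []):
                for scope_list in requirement.values():
                    scopes.update(scope_list)
            out[f"{method.upper()} {path}"] = {
                "fields": set(schema.get("properties", {})),
                "scopes": scopes,
            }
    return out


def schema_diff(base, head):
    """What the head spec adds, drops or loosens relative to base."""
    b, h = flatten(base), flatten(head)
    common = sorted(set(b) & set(h))
    return {
        "new_endpoints": sorted(set(h) - set(b)),
        "removed_endpoints": sorted(set(b) - set(h)),
        "new_fields": {ep: sorted(h[ep]["fields"] - b[ep]["fields"])
                       for ep in common if h[ep]["fields"] - b[ep]["fields"]},
        "changed_scopes": {ep: {"before": sorted(b[ep]["scopes"]),
                                "after": sorted(h[ep]["scopes"])}
                           for ep in common if b[ep]["scopes"] != h[ep]["scopes"]},
    }


def gate(diff):
    """Per-PR decision: any new surface or changed scope goes to AppSec review."""
    needs_review = diff["new_endpoints"] or diff["new_fields"] or diff["changed_scopes"]
    return "route-to-appsec-review" if needs_review else "pass"


# Constructed specs: HEAD adds a writable `role` field, drops the read scope on
# GET and introduces an admin export endpoint.
def _op(fields=(), scopes=None):
    op = {"responses": {"200": {"description": "ok"}}}
    if fields:
        op["requestBody"] = {"content": {"application/json": {
            "schema": {"type": "object", "properties": {f: {"type": "string"} for f in fields}}}}}
    if scopes is not None:
        op["security"] = [{"oauth2": list(scopes)}]
    return op


BASE = {"openapi": "3.0.3", "paths": {"/users/{id}": {
    "get": _op(scopes=["users:read"]),
    "patch": _op(fields=["displayName"], scopes=["users:write"])}}}
HEAD = {"openapi": "3.0.3", "paths": {
    "/users/{id}": {"get": _op(scopes=[]),
                    "patch": _op(fields=["displayName", "role"], scopes=["users:write"])},
    "/admin/export": {"post": _op(scopes=["admin"])}}}

if __name__ == "__main__":
    d = schema_diff(BASE, HEAD)
    print(d)
    print(gate(d))
```

The three categories map onto the release-tier checks: a new endpoint feeds the BFLA sweep, a new field feeds the mass-assignment fuzz, and a scope change is a candidate authentication regression.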

The first two tiers are what most Indian teams are missing. They are also where the cost is lowest and the value is highest — typically a fixed monthly retainer rather than a per-engagement SOW.

Sample Evidence Pack: Findings, PoC and Retest Artefacts

Auditors do not accept screenshots. The evidence pack that ships with every Certbar continuous engagement contains seven artefact types, each numbered and referenced in the executive brief.

  • Finding record. Title, OWASP API ID, CWE, MITRE ATT&CK technique, CVSS 4.0 vector and base score, affected endpoint(s), business impact in plain language.
  • Reproduction script. A working curl or GraphQL request with redacted tokens, plus the expected vs actual response. Reproducible by the engineering team in under 60 seconds.
  • PoC video. 60-to-180-second screen capture showing the exploit end-to-end against staging. Required for board and regulator submissions under DPDPA's "reasonable security practices" expectation.
  • Root-cause note. One paragraph identifying whether the bug is missing authorization check, missing input validation, misconfiguration or a design-level flaw. Determines fix owner.
  • Remediation guidance. Specific code-level fix, plus a defensive control (rate limit, WAF rule, schema directive) that would have prevented the class.
  • Retest artefact. After remediation, the same reproduction script is re-run. The output — including timestamp, tester ID and result — becomes the retest evidence. This is the artefact ISO 27001:2022 Annex A.8.29 auditors and SOC 2 CC7.1 reviewers will ask for.
  • Compliance mapping row. Single line tying the finding to RBI MD-ITG, SEBI CSCRF, DPDPA Section 8, PCI DSS 4.0 11.4.x or ISO 27001:2022 Annex A.8.29 — whichever applies to the client.

This pack is delivered in two formats: a PDF brief for the CISO and board, and a JSON export that feeds Jira, ServiceNow or our partner GRC platforms. Both are signed by an OSCP-certified lead so the artefact carries weight in regulator submissions.

Mapping API Findings to DPDP, RBI and SEBI CSCRF Controls

Indian regulators have moved fast in the last 24 months. An API pentest report that does not map to specific control IDs forces your compliance team to do the translation — which they will do imperfectly, and which auditors will challenge. Certbar's mapping table, in short:

  • DPDPA 2023 Section 8 — "reasonable security safeguards" obligation on every Data Fiduciary. BOLA and mass assignment findings map directly here because they expose personal data to unauthorised principals. See the MeitY DPDP framework page.
  • RBI Master Direction on IT Governance (Nov 2023) — Chapter VI on Information Security mandates application security testing, secure SDLC and vulnerability management. Continuous API testing evidences clauses on periodic testing and risk-based scoping.
  • SEBI CSCRF (2024) — applies to all SEBI-regulated entities. Annexure I prescribes Vulnerability Assessment and Penetration Testing (VAPT) with defined frequency and CERT-In empanelled vendor requirements. Our CERT-In empanelled pentest service is the artefact that satisfies this clause.
  • ISO 27001:2022 Annex A.8.29 — "Security testing in development and acceptance." A continuous program is the natural evidence; an annual report is borderline.
  • SOC 2 CC7.1 and CC8.1 — change management and detection of anomalies. Per-release API testing directly evidences both.
  • PCI DSS 4.0 Requirement 11.4.x — penetration testing requirements for any in-scope cardholder data API. The new 4.0 timelines are now mandatory.

For every finding, the report row carries the control IDs above so your compliance team can lift the evidence into the next audit submission with zero re-work.

The Bottom Line

Annual API testing is a compliance artefact. Continuous API testing is a control. If your platform is shipping APIs and GraphQL resolvers every sprint and your last pentest was twelve months ago, your real attack surface has drifted past your last assurance point. The fix is not more scanners — it is a release-gated test plan, a senior tester on monthly cadence, and an evidence pack that maps to the regulators you actually report to. That is the standard Certbar Security has built across 1,200+ engagements, and the one we recommend you adopt before the next audit cycle.

Ready to operationalise this? Talk to our team about scoping a continuous API and GraphQL testing program against your release cadence — visit our penetration testing services page or request a 30-minute scoping call. We will share the OWASP API Top 10 2023 test collection and a sample evidence pack on the first call.

Yash Goti, Co-Founder & Director

Yash Goti, Certbar’s Co-Founder & Director, excels in Client Relations, Business Development, and IT leadership. With 5+ years’ experience, he’s a financial services expert, ISO 27001 Auditor, and dynamic presenter in cybersecurity.


Frequently Asked Questions

Run a parameterised OWASP API Top 10 2023 collection on every release candidate (under 60 minutes in staging), a manual senior-tester pass monthly, and a full grey-box engagement quarterly. The annual deep audit remains for regulator submission. This tiered cadence costs less than two annual audits in most cases and catches BOLA and mass assignment regressions the same sprint they ship.