It is mid-2026, and your platform team is shipping forty to one hundred and twenty new endpoints, resolvers, scopes and fields every quarter. Your last API pentest is from last fiscal, bound as a PDF, and the OWASP API Top 10 2023 categories it cites have moved on with every merge since.
That is the problem. A single careless pull request introduces a Broken Object Level Authorization (BOLA) flaw, a mass-assignment hole, or a GraphQL depth bomb, and your annual auditor will not see it for another nine months. Meanwhile DPDPA Section 8, RBI's Master Direction on IT Governance, and SEBI's CSCRF expect you to show dated evidence that you tested the surface that actually shipped.
So how do you run a release-gated, OWASP-aligned API testing program that keeps up with weekly deploys, satisfies Indian regulators, and produces evidence your board will accept? This post lays out the test cases, the cadence, the evidence pack and the control mapping Certbar Security uses across 1,200+ engagements.
Why the annual API pentest now fails the board test
Most Indian SaaS and fintech teams still procure API security as a once-a-year, fixed-scope audit. That model fails for a structural reason: APIs change faster than the audit cycle. A typical mid-stage SaaS ships 40 to 120 endpoint or resolver changes a quarter, including new tenant scopes, fields, webhooks and internal admin endpoints. By the time the annual report lands, the threat surface tested is months stale.
The OWASP API Security Project's API Top 10 2023 reflects this reality. The top three categories, API1:2023 Broken Object Level Authorization (BOLA), API2:2023 Broken Authentication, and API3:2023 Broken Object Property Level Authorization (which absorbed mass assignment and excessive data exposure), are all logic flaws introduced by a single careless PR. They do not show up in SAST. They rarely show up in DAST. They only surface when a tester with two valid tenant accounts walks the object graph and tries to read or mutate someone else's resource.
The financial cost of getting this wrong is no longer abstract. The IBM Cost of a Data Breach Report 2024 put the average breach in India at roughly INR 19.5 crore, with API and web-app vectors among the leading initial access patterns. The Optus 2022 breach in Australia, an unauthenticated REST endpoint exposing roughly 9.8 million customer records, is the canonical BOLA-adjacent case study, and Indian regulators now cite it in CERT-In advisories. Annual testing would not have caught it. A continuous program scoped around authorization decisions would have.
The point is not to abandon the deep annual assessment. CERT-In empanelment requirements and SEBI CSCRF still expect one. The point is to wrap it in a lighter, release-gated layer that prevents regressions between full audits. That is what the rest of this post operationalises.
OWASP API Top 10 2023 mapped to continuous test cases
A continuous program needs test cases, not categories. Below is how Certbar's API testing playbook maps each OWASP API Top 10 2023 risk to a concrete, repeatable check we run on every release candidate.
| OWASP ID | Risk | Continuous test case |
|---|---|---|
| API1:2023 | BOLA | Two-tenant matrix: Tenant A's bearer token attempts GET/PUT/DELETE on every resource ID enumerated from Tenant B's session. Failure if any 2xx outside expected sharing rules. |
| API2:2023 | Broken Authentication | JWT alg=none, kid path traversal, refresh token replay after logout, OTP brute-force without throttle, password reset token entropy under 128 bits. |
| API3:2023 | Broken Object Property Level Auth | Mass assignment fuzz: POST/PATCH bodies injected with role, isAdmin, tenantId, balance, kycStatus. Diff response object against documented schema. |
| API4:2023 | Unrestricted Resource Consumption | Burst 1,000 req/s against expensive endpoints (search, export, PDF) without auth, then with low-tier auth. Confirm 429 and per-tenant quota enforcement. |
| API5:2023 | BFLA | Lower-privilege role attempts every admin verb discovered via spec or proxy crawl. Includes hidden internal-only endpoints. |
| API6:2023 | Sensitive Business Flows | Automate signup, invite, coupon, referral and KYC flows at machine speed. Confirm device-fingerprint, velocity and CAPTCHA controls fire. |
| API7:2023 | SSRF | Webhook, avatar URL, PDF render and import-from-URL endpoints fuzzed against 169.254.169.254, file://, gopher:// and DNS rebinding. |
| API8:2023 | Security Misconfiguration | Inspect TLS, CORS, security headers, error verbosity, default credentials, exposed actuator/debug endpoints, S3 ACLs behind signed URLs. |
| API9:2023 | Improper Inventory Management | Compare production OpenAPI/GraphQL schema against staging and v1/v2/beta hosts. Flag shadow and zombie endpoints. |
| API10:2023 | Unsafe Consumption of APIs | Test how the platform handles malformed responses from upstream providers (payment gateway, eKYC, credit bureau), including injected headers and redirect chains. |
Each row is a script, not a sentence. Our penetration testing services ship these as a parameterised collection (Postman, Bruno or k6) plus a custom Burp Suite extension, so the same checks run in CI as a smoke layer and in a guided manual pass before release.
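The API2:2023 row lists JWT checks (alg=none, algorithm confusion, expired-token replay, audience confusion) as one-liners. The block below is an added example, not Certbar's collection and not code from the page, that shows what those checks are asserting: a verifier that pins the algorithm server-side and checks the signature before trusting any claim, beside the buggy pattern that reads the algorithm from the attacker-controlled header. It uses only the Python standard library and HS256; the RS256-to-HS256 confusion case is stopped by the same algorithm pin, shown here as an alg mismatch. The secret, claims and timestamps are constructed.

```python
"""Added example: pinned-algorithm JWT verification next to the header-trusting bug.
Not code from the page or Certbar's collection. Standard library only, HS256 only.
SECRET and the claims are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret-do-not-reuse"   # constructed; load from a secret store in practice


class InvalidToken(Exception):
    pass


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def mint_hs256(claims: dict, secret: bytes) -> str:
    signing_input = f"{_encode({'alg': 'HS256', 'typ': 'JWT'})}.{_encode(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def forge_alg_none(claims: dict) -> str:
    """What the tester submits: alg=none, empty signature, any claims at all."""
    return f"{_encode({'alg': 'none', 'typ': 'JWT'})}.{_encode(claims)}."


def verify_trusting_header(token: str, secret: bytes) -> dict:
    """The bug: the algorithm is taken from the attacker-controlled header."""
    h64, p64, s64 = token.split(".")
    header, claims = json.loads(_unb64url(h64)), json.loads(_unb64url(p64))
    if str(header.get("alg", "")).lower() == "none":
        return claims                                      # unsigned token accepted
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s64)):
        raise InvalidToken("bad signature")
    return claims


def verify(token: str, secret: bytes, *, audience: str,
           expected_alg: str = "HS256", now: Optional[float] = None) -> dict:
    """Hardened: algorithm pinned by the server, signature verified before any claim is
    read, then exp and aud enforced. The pin is also what defeats RS256-to-HS256 confusion."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed")
    h64, p64, s64 = parts
    header = json.loads(_unb64url(h64))
    if header.get("alg") != expected_alg:
        raise InvalidToken(f"alg {header.get('alg')!r} not allowed")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s64)):
        raise InvalidToken("bad signature")
    claims = json.loads(_unb64url(p64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise InvalidToken("expired")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("audience mismatch")
    return claims


def _outcome(fn) -> str:
    try:
        fn()
        return "accepted"
    except InvalidToken as exc:
        return str(exc)


def demo(now: float = 1_700_000_000) -> dict:
    """Run the API2:2023 edge cases against both verifiers; constructed claims."""
    good = {"sub": "usr-a1", "aud": "orders-api", "exp": now + 300}
    token = mint_hs256(good, SECRET)
    h64, _, s64 = token.split(".")
    tampered = f"{h64}.{_encode({**good, 'sub': 'usr-b1'})}.{s64}"   # payload edited, old signature kept
    ok = dict(audience="orders-api", now=now)
    return {
        "valid": _outcome(lambda: verify(token, SECRET, **ok)),
        "alg_none_vulnerable": _outcome(lambda: verify_trusting_header(forge_alg_none(good), SECRET)),
        "alg_none_hardened": _outcome(lambda: verify(forge_alg_none(good), SECRET, **ok)),
        "tampered": _outcome(lambda: verify(tampered, SECRET, **ok)),
        "expired": _outcome(lambda: verify(token, SECRET, audience="orders-api", now=now + 600)),
        "wrong_audience": _outcome(lambda: verify(token, SECRET, audience="billing-api", now=now)),
        "alg_mismatch": _outcome(lambda: verify(token, SECRET, expected_alg="RS256", **ok)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22} {result}")
```

The refresh-after-logout and refresh-after-revoke cases in the same row are server-state checks, not token-format checks, so they are not covered here; they need a revocation list or session store consulted after signature verification succeeds.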
GraphQL-specific risks: introspection, batching, depth abuse
GraphQL inherits every REST risk and adds four of its own. The OWASP API Top 10 2023 acknowledges this implicitly but does not enumerate them, which is why teams ship GraphQL with REST-shaped checklists and miss the obvious.
Introspection in production. Apollo Server leaves introspection on unless NODE_ENV is set to production, and GraphQL Yoga and Hasura leave it on by default, so many starter templates ship with it exposed. An attacker queries __schema and receives the entire type graph: mutations, internal admin queries, hidden fields. Disable introspection in production, gate it behind a privileged role for staging, and add a CI check that fails the build if a __schema query against the production hostname returns the schema rather than an error. Check the response body, not just the status code: most GraphQL servers answer a blocked introspection query with HTTP 200 and an errors array.
Query depth and breadth abuse. A single recursive query, user { followers { followers { followers { ... } } } }, can fan out to millions of resolver calls. Enforce a max depth (Certbar's default recommendation is 7), a max alias count, a max complexity score from a cost-analysis library, and a per-query timeout. Depth alone is not enough: a shallow query over large list fields can cost as much as a deep one, which is why the complexity score matters. For Node.js servers, graphql-query-complexity is the most widely used implementation of that scoring.
Batching and alias-based brute force. GraphQL lets a client send 1,000 login mutations in one HTTP request using aliases. Per-IP and per-request rate limits do not catch this because it is one request. The fix is per-operation rate limiting (count the aliased login fields, not the HTTP call) and explicit alias-count caps. GitLab's CVE-2021-4191, disclosed in 2022, in which the GraphQL API allowed unauthenticated user enumeration, is the usual case study for why limits must be applied at the operation level.
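The three gateway-side controls just described (production introspection off, a depth cap, an alias cap) can be enforced by a cheap pre-filter that runs before the GraphQL engine parses the operation. The example below is added here and is not code from the page, from Certbar, or from any GraphQL server; the limits are assumed defaults, the sample operations are constructed, and the tokeniser is deliberately minimal (fragment spreads are not expanded, so the engine's own cost analysis still has to run behind it).

```python
"""Added example: a gateway pre-filter for GraphQL depth, aliases and introspection.
Not code from the page or any product. Limits are assumed defaults. Fragment
spreads are not expanded, so the real engine's cost analysis still runs behind it."""
import re

MAX_DEPTH = 7      # the default recommended in the text
MAX_ALIASES = 10   # assumed cap on aliased fields per operation

_STRING = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\])*"')
_COMMENT = re.compile(r"#[^\n]*")
_ARGS = re.compile(r"\([^()]*\)")            # argument lists and directive arguments
_ALIAS = re.compile(r"\b([_A-Za-z]\w*)\s*:\s*([_A-Za-z]\w*)")
_INTROSPECTION = re.compile(r"\b__(?:schema|type)\b")   # __typename stays allowed


def inspect_query(query: str) -> dict:
    """Measure selection depth, alias count and introspection use without a full parser."""
    text = _COMMENT.sub("", _STRING.sub('""', query))
    # Strip (...) groups so object literals in arguments are not counted as selection
    # sets and argument names are not counted as aliases. GraphQL never nests parentheses.
    text = _ARGS.sub("", text)
    depth = level = 0
    for ch in text:
        if ch == "{":
            level += 1
            depth = max(depth, level)
        elif ch == "}":
            level -= 1
            if level < 0:
                raise ValueError("unbalanced selection sets")
    if level != 0:
        raise ValueError("unbalanced selection sets")
    return {
        "depth": max(depth - 1, 0),             # the root selection set is depth 0
        "aliases": len(_ALIAS.findall(text)),
        "introspection": bool(_INTROSPECTION.search(text)),
    }


def check_query(query: str, *, production: bool = True,
                max_depth: int = MAX_DEPTH, max_aliases: int = MAX_ALIASES):
    """Return (allowed, reasons, measurements) for an incoming operation."""
    info = inspect_query(query)
    reasons = []
    if info["depth"] > max_depth:
        reasons.append(f"depth {info['depth']} exceeds {max_depth}")
    if info["aliases"] > max_aliases:
        reasons.append(f"{info['aliases']} aliases exceed {max_aliases}")
    if production and info["introspection"]:
        reasons.append("introspection is disabled in production")
    return not reasons, reasons, info


# Constructed sample operations.
BENIGN = 'query Me($id: ID!) { me: user(id: $id) { id name orgs(first: 5) { id } } }'
DEEP = "{ user " + "{ followers " * 8 + "{ id }" + " }" * 9
BATCH = "mutation { " + " ".join(
    f'a{i}: login(email: "u@example.in", password: "p{i}") {{ token }}'
    for i in range(50)) + " }"
INTROSPECT = "{ __schema { types { name } } }"

if __name__ == "__main__":
    for name, q in [("benign", BENIGN), ("deep", DEEP),
                    ("batch", BATCH), ("introspect", INTROSPECT)]:
        allowed, reasons, info = check_query(q)
        print(f"{name:10} allowed={allowed} {info} {reasons}")
```

The 50-alias login mutation is the batching attack from the paragraph above: one HTTP request, fifty credential guesses, invisible to a per-request limiter but rejected here on alias count. Run the filter in non-production mode for staging so the schema can still be introspected there behind a privileged role.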
Field-level authorization gaps. REST authorizes at the endpoint. GraphQL authorizes at the resolver. A single mutation can touch ten resolvers; if one resolver does not re-check tenant scope, BOLA returns under a different shape. Use a directive-based auth library (graphql-shield, Nexus plugin-shield) and assert in tests that every resolver enforces tenant and role.
Our GraphQL pentest checklist runs all four classes against every release candidate, plus a fuzz pass over persisted queries and a check that x-apollo-operation-name spoofing cannot bypass query allowlists.
Authn and authz patterns that catch 70 per cent of high-severity findings
Authorization is where 70 to 80 per cent of high-severity API findings cluster in our 2024-2025 engagement data. The patterns below are protocol-agnostic and should run on every release.
Horizontal escalation matrix. Provision two production-like tenants, A and B, with three roles each (admin, member, read-only). Run the full cross-product: each of Tenant A's three roles against every resource owned by each of Tenant B's three roles, and the same in reverse, nine role pairings per direction and eighteen in total, multiplied by every verb the endpoint accepts. Can A-admin act on B-resources? Can A-member read B-admin scopes? Automate via a tagged Postman collection.
Vertical escalation per verb. For every mutation or write endpoint, attempt with the lowest role. Most BFLA findings live in seldom-used verbs: DELETE on shared resources, PATCH on settings objects, POST on /invite or /transfer-ownership.
Token lifecycle. Test refresh-after-logout, refresh-after-password-change, refresh-after-role-revoke, and concurrent-session limits. RBI's Master Direction on IT Governance (Nov 2023) expects session controls to be evidenced.
IDOR via indirect identifiers. Find endpoints that accept slugs, emails, phone numbers or invite codes instead of numeric IDs. These are the BOLA findings linters miss because the parameter does not look like an ID.
JWT and OAuth edge cases. alg=none, alg confusion (RS256 to HS256), expired-token replay, audience confusion across microservices, refresh-token rotation, and PKCE downgrade on mobile clients.
Each pattern produces a YAML-defined test case in our internal harness. The output is a pass/fail row with the exact request, response and the OWASP/CWE/MITRE ATT&CK mapping the auditor needs.
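The horizontal and vertical matrices above (and the API1:2023 and API5:2023 rows of the table) are the same loop with different principals. The block below is an added example, not Certbar's harness and not code from the page, that runs both as a reusable harness against a pluggable `send` function. `fake_api` is a constructed stand-in for the system under test with two deliberate bugs so the output is non-empty; in a real run `send` issues HTTP requests carrying each principal's own bearer token, and the inventory is collected from each tenant's own session before the cross-product starts.

```python
"""Added example: the two-tenant, three-role authorization matrix as a harness.
Not Certbar's harness and not code from the page. `fake_api` is a constructed
target with two deliberate bugs; `send` would be an HTTP client in a real run."""
from dataclasses import dataclass
from itertools import product

ROLES = ("admin", "member", "readonly")
VERBS = ("GET", "PUT", "DELETE")
PRIVILEGED_VERBS = ("PUT", "DELETE")


@dataclass(frozen=True)
class Principal:
    tenant: str
    role: str


# Constructed inventory: the resource IDs each tenant can see from its own session.
INVENTORY = {
    "A": {"invoices": ["inv-a1", "inv-a2"], "users": ["usr-a1"]},
    "B": {"invoices": ["inv-b1"], "users": ["usr-b1"]},
}
OWNER = {rid: tenant for tenant, kinds in INVENTORY.items()
         for ids in kinds.values() for rid in ids}


def fake_api(method: str, path: str, who: Principal) -> int:
    """Constructed target. Bugs: GET /invoices/{id} never checks tenant (BOLA);
    DELETE /users/{id} checks tenant but not role (BFLA). Returns an HTTP status."""
    kind, rid = path.strip("/").split("/")
    if rid not in OWNER:
        return 404
    same_tenant = OWNER[rid] == who.tenant
    if kind == "invoices":
        if method == "GET":
            return 200                       # BOLA: tenant never checked
        if not same_tenant:
            return 403
        return 200 if who.role in ("admin", "member") else 403
    if kind == "users":
        if not same_tenant:
            return 403
        if method == "DELETE":
            return 204                       # BFLA: role never checked
        return 200 if method == "GET" or who.role == "admin" else 403
    return 404


def _finding(kind, owasp_id, who, verb, path, status):
    return {"type": kind, "owasp": owasp_id, "principal": f"{who.tenant}/{who.role}",
            "request": f"{verb} {path}", "status": status}


def horizontal_matrix(send, inventory, roles=ROLES, verbs=VERBS):
    """Every role in every tenant tries every verb on every resource the other tenants
    own. Any 2xx is a BOLA finding (no cross-tenant sharing is expected in this demo)."""
    findings = []
    for attacker, victim in product(inventory, repeat=2):
        if attacker == victim:
            continue
        for role, (kind, ids) in product(roles, inventory[victim].items()):
            for rid, verb in product(ids, verbs):
                who, path = Principal(attacker, role), f"/{kind}/{rid}"
                status = send(verb, path, who)
                if 200 <= status < 300:
                    findings.append(_finding("BOLA", "API1:2023", who, verb, path, status))
    return findings


def vertical_matrix(send, inventory, verbs=PRIVILEGED_VERBS, lowest_role="readonly"):
    """The lowest role tries each privileged verb on its own tenant's resources.
    Any 2xx is a BFLA finding."""
    findings = []
    for tenant, kinds in inventory.items():
        who = Principal(tenant, lowest_role)
        for kind, ids in kinds.items():
            for rid, verb in product(ids, verbs):
                path = f"/{kind}/{rid}"
                status = send(verb, path, who)
                if 200 <= status < 300:
                    findings.append(_finding("BFLA", "API5:2023", who, verb, path, status))
    return findings


if __name__ == "__main__":
    for f in horizontal_matrix(fake_api, INVENTORY) + vertical_matrix(fake_api, INVENTORY):
        print(f)
```

Two things a real run needs that the demo skips: destructive verbs (PUT, DELETE) mutate state, so staging data must be re-seeded between attempts or the later rows test a different system from the earlier ones; and the "no sharing expected" rule becomes an allow-list of legitimately shared resources, subtracted from the findings before they are filed.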
Continuous cadence: what to test on every release vs quarterly
"Continuous" does not mean "everything, all the time." It means a tiered cadence where the fastest tests gate the fastest releases. Here is the model we deploy at Indian SaaS and fintech clients shipping weekly or faster.
Per-PR (under 5 minutes). SAST plus a schema-diff job that flags new endpoints/resolvers, new fields and new scopes. A failing diff routes the PR to AppSec review before merge. This is automation, not pentesting.
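What the schema-diff job compares is the base branch's generated API spec against the pull request's. The block below is an added example of that job for OpenAPI documents, not Certbar's pipeline and not code from the page. It flags new endpoints, new methods on existing paths, new request-body fields, new OAuth scopes, and marks any new writable field whose name is on the API3:2023 mass-assignment list. Both specs are constructed and trimmed to the keys the diff reads; a real job loads the two generated JSON or YAML files and exits non-zero to route the PR to AppSec review. A GraphQL schema diff follows the same shape over types, fields and mutations.

```python
"""Added example: the per-PR OpenAPI schema-diff gate. Not code from the page or
Certbar's pipeline. BASE and HEAD are constructed, trimmed specs."""
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head", "trace"}
# Property names that are mass-assignment candidates (the API3:2023 fuzz list), lower-cased.
SENSITIVE_FIELDS = {"role", "isadmin", "tenantid", "balance", "kycstatus"}


def _operations(spec: dict) -> dict:
    """Flatten paths into {'METHOD /path': operation object}."""
    ops = {}
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS:
                ops[f"{method.upper()} {path}"] = op
    return ops


def _body_fields(op: dict) -> set:
    fields = set()
    for media in op.get("requestBody", {}).get("content", {}).values():
        fields |= set(media.get("schema", {}).get("properties", {}))
    return fields


def _scopes(op: dict) -> set:
    return {scope for req in op.get("security", []) for scopes in req.values() for scope in scopes}


def schema_diff(base: dict, head: dict) -> dict:
    b, h = _operations(base), _operations(head)
    diff = {"new_endpoints": sorted(h.keys() - b.keys()),
            "removed_endpoints": sorted(b.keys() - h.keys()),
            "new_fields": {}, "new_scopes": {}, "mass_assignment_candidates": {}}
    for key in sorted(h.keys() & b.keys()):
        added = _body_fields(h[key]) - _body_fields(b[key])
        if added:
            diff["new_fields"][key] = sorted(added)
            risky = sorted(f for f in added if f.lower() in SENSITIVE_FIELDS)
            if risky:
                diff["mass_assignment_candidates"][key] = risky
        scopes = _scopes(h[key]) - _scopes(b[key])
        if scopes:
            diff["new_scopes"][key] = sorted(scopes)
    return diff


def needs_appsec_review(diff: dict) -> bool:
    """Gate: any growth in the surface (endpoint, writable field or scope) blocks the
    merge until AppSec signs off. Removals are reported but do not block."""
    return bool(diff["new_endpoints"] or diff["new_fields"] or diff["new_scopes"])


# Constructed specs: BASE is the main branch, HEAD is the pull request.
BASE = {"paths": {
    "/invoices": {
        "get": {"security": [{"oauth": ["invoices:read"]}]},
        "post": {"requestBody": {"content": {"application/json": {"schema": {
            "properties": {"amount": {}, "customerId": {}}}}}}}}}}

HEAD = {"paths": {
    "/invoices": {
        "get": {"security": [{"oauth": ["invoices:read", "invoices:read_all"]}]},
        "post": {"requestBody": {"content": {"application/json": {"schema": {
            "properties": {"amount": {}, "customerId": {}, "tenantId": {}}}}}}}},
    "/invoices/{id}": {"delete": {}},
    "/admin/export": {"get": {"security": [{"oauth": ["admin:export"]}]}}}}

if __name__ == "__main__":
    import json
    result = schema_diff(BASE, HEAD)
    print(json.dumps(result, indent=2))
    raise SystemExit(1 if needs_appsec_review(result) else 0)
```

The `tenantId` field that appears on POST /invoices in the PR is exactly the kind of change the per-release mass-assignment fuzz would later catch; flagging it at PR time means the reviewer asks whether the server binds it from the body before the code ships.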
Per-release (under 60 minutes). Parameterised OWASP API Top 10 collection runs against staging with two tenants and three roles. Failures break the release. This is where mass assignment, BOLA-on-new-fields and GraphQL depth regressions are caught.
Monthly (1 to 2 days). A senior tester walks the new attack surface manually: business logic, chained flows, race conditions, multi-step authorization. This is what no scanner replicates.
Quarterly (5 to 10 days). Full grey-box engagement, including internal admin and partner APIs, with a fresh threat model and a board-ready brief mapped to your compliance framework. This is the engagement SEBI CSCRF, and the CERT-In empanelled audit it calls for, expect to see on record.
Annually. Independent re-audit and red-team simulation that includes APIs as one access vector among many. Pairs well with our attack simulation service.
The first two tiers are what most Indian teams are missing. They are also where the cost is lowest and the value is highest, typically a fixed monthly retainer rather than a per-engagement SOW.
The seven-artefact evidence pack auditors will accept
Auditors do not accept screenshots. The evidence pack that ships with every Certbar continuous engagement contains seven artefact types, each numbered and referenced in the executive brief.
- Finding record. Title, OWASP API ID, CWE, MITRE ATT&CK technique, CVSS 4.0 vector and base score, affected endpoint(s), business impact in plain language.
- Reproduction script. A working curl or GraphQL request with redacted tokens, plus the expected vs actual response. Reproducible by the engineering team in under 60 seconds.
- PoC video. A 60-to-180-second screen capture showing the exploit end-to-end against staging. DPDPA does not prescribe an evidence format, but a dated recording is the artefact boards and regulators most readily accept as proof that a "reasonable security safeguards" gap was real and was closed.
- Root-cause note. One paragraph identifying whether the bug is a missing authorization check, missing input validation, misconfiguration or design-level flaw. Determines fix owner.
- Remediation guidance. Specific code-level fix, plus a defensive control (rate limit, WAF rule, schema directive) that would have prevented the class.
- Retest artefact. After remediation, the same reproduction script is re-run. The output, including timestamp, tester ID and result, becomes the retest evidence. This is what ISO 27001:2022 Annex A.8.29 auditors and SOC 2 CC7.1 reviewers will ask for.
- Compliance mapping row. Single line tying the finding to RBI MD-ITG, SEBI CSCRF, DPDPA Section 8, PCI DSS 4.0 11.4.x or ISO 27001:2022 Annex A.8.29, whichever applies to the client.
This pack ships in two formats: a PDF brief for the CISO and board, and a JSON export that feeds Jira, ServiceNow or our partner GRC platforms. Both are signed by an OSCP-certified lead so the artefact carries weight in regulator submissions.
Mapping API findings to DPDPA, RBI and SEBI CSCRF controls
Indian regulators have moved fast in the last 24 months. An API pentest report that does not map to specific control IDs forces your compliance team to do the translation, which they will do imperfectly, and which auditors will challenge. Certbar's mapping table, in short:
- DPDPA 2023 Section 8 - the "reasonable security safeguards" obligation on every Data Fiduciary. BOLA and mass assignment findings map directly here because they expose personal data to unauthorised principals. See our DPDPA compliance consulting for the full mapping.
- RBI Master Direction on IT Governance (Nov 2023) - the chapter on IT and Information Security Risk Management mandates application security testing, secure SDLC and vulnerability management, including vulnerability assessment and penetration testing. Continuous API testing evidences its clauses on periodic testing and risk-based scoping.
- SEBI CSCRF (2024) - applies to all SEBI-regulated entities. Annexure I prescribes Vulnerability Assessment and Penetration Testing (VAPT) with defined frequency and CERT-In empanelled vendor requirements. Our CERT-In empanelled VAPT service is the artefact that satisfies this clause.
- ISO 27001:2022 Annex A.8.29 - "Security testing in development and acceptance." A continuous program is the natural evidence; an annual report is borderline.
- SOC 2 CC7.1 and CC8.1 - change management and detection of anomalies. Per-release API testing directly evidences both.
- PCI DSS 4.0 Requirement 11.4.x - penetration testing requirements for any in-scope cardholder data API. The new 4.0 timelines are now mandatory.
For every finding, the report row carries the control IDs above so your compliance team can lift the evidence into the next audit submission with zero re-work.
Annual API testing is a compliance artefact. Continuous API testing is a control. If your last pentest is twelve months old, your real attack surface has drifted past your last assurance point.
The bottom line and your next move
If your platform is shipping APIs and GraphQL resolvers every sprint and your last pentest was twelve months ago, most of what is in production today has never been tested by anyone outside the team that wrote it. The fix is not more scanners. It is a release-gated test plan, a senior tester on a monthly cadence, and an evidence pack that maps to the regulators you actually report to.
That is the standard Certbar Security has built across 1,200+ engagements, and the one we recommend you adopt before the next audit cycle. The economics work too: a retainer for per-release automation plus monthly senior-tester reviews typically runs INR 1.5 lakh to INR 6 lakh per month for a mid-stage SaaS or fintech, depending on endpoint count, GraphQL surface and tenant count. That is well below the cost of a single high-severity BOLA finding reaching production, which on Indian breach averages can exceed INR 19 crore.
Three actions for this quarter. First, run the schema-diff job on your last 90 days of PRs and count the new endpoints, resolvers and fields that have not been tested since merge. Second, stand up the two-tenant, three-role matrix in your staging environment so any tester (internal or external) can run the BOLA cross-product in under an hour. Third, ask your current pentest vendor to ship findings with CVSS 4.0 vectors, MITRE ATT&CK technique IDs and dated retest artefacts. If they cannot, that is your signal.
Ready to operationalise this? Talk to our team about scoping a continuous API and GraphQL testing program against your release cadence. Visit our penetration testing services page or request a 30-minute scoping call. We will share the OWASP API Top 10 2023 test collection and a sample evidence pack on the first call.
Frequently asked questions
How often should we run API penetration testing if we ship weekly? Run a parameterised OWASP API Top 10 2023 collection on every release candidate (under 60 minutes in staging), a manual senior-tester pass monthly, and a full grey-box engagement quarterly. The annual deep audit remains for regulator submission. This tiered cadence costs less than two annual audits in most cases and catches BOLA and mass assignment regressions the same sprint they ship.
What is the difference between OWASP API Top 10 2019 and 2023? The 2023 edition consolidates mass assignment and excessive data exposure into API3:2023 Broken Object Property Level Authorization, adds API6:2023 Unrestricted Access to Sensitive Business Flows and API10:2023 Unsafe Consumption of APIs, and explicitly addresses resource consumption (API4:2023). If your test plan still references the 2019 categories, you are missing business-flow abuse and third-party API consumption risks entirely.
Do we need a separate GraphQL pentest, or does an API pentest cover it? A general API pentest will miss GraphQL-specific risks: introspection in production, query depth and complexity abuse, alias-based batching attacks, and field-level authorization gaps. Treat GraphQL as a discrete scope with its own test plan, even if the underlying service also exposes REST. Certbar's pentest scoping always asks for the GraphQL schema separately.
Is a CERT-In empanelled vendor mandatory for API testing under SEBI CSCRF? Yes for SEBI-regulated entities. SEBI CSCRF Annexure I requires VAPT by a CERT-In empanelled auditor with defined frequency. The same applies to most RBI-regulated entities under the Master Direction on IT Governance. Certbar is CERT-In empanelled and issues reports accepted by both regulators.
How do we get evidence that satisfies DPDPA's "reasonable security safeguards" clause? The evidence pack must show that you identified, fixed and retested API authorization and data-exposure risks before a breach occurred. That means a finding record with CVSS, a remediation note, and a dated retest artefact for every high-severity finding. Continuous testing produces this naturally; annual testing produces a stale snapshot.
Can SAST or DAST scanners replace API penetration testing? No. SAST does not see runtime authorization decisions. DAST does not have the two-tenant, multi-role context needed to detect BOLA, BFLA or mass assignment. Both are useful as a smoke layer in CI, but the OWASP API Top 10's top three categories require human-led, context-aware testing, which is what Certbar's continuous program delivers.