Fintech

Securing 200+ APIs for a Tier-1 Payments Platform

BOLA and BFLA vulnerabilities in payment flows discovered and fixed with zero false positives

Client: Major UPI Payments Platform

  • 17 critical vulnerabilities found in payment-critical APIs
  • 0 false positives in the final report — every finding manually verified
  • 34 shadow APIs discovered that were not in the client's API inventory
  • 100% RBI API security compliance achieved within the assessment cycle

The Challenge

RBI Mandate + Explosive API Growth Outpaced Security Reviews

A UPI payments platform processing 800M+ transactions monthly had scaled from 40 to 200+ APIs in 18 months. Their automated API scanning tools were generating 3,000+ findings per scan — mostly false positives — making it impossible to identify real threats. An RBI circular on API security testing required evidence of manual expert assessment.

  • 200+ APIs across payments, merchant onboarding, KYC, and settlement services
  • Automated scanners producing 3,000+ findings with 85%+ false positive rate
  • Payment flow APIs handling sensitive UPI VPA and bank account data
  • RBI mandate for API-specific security testing with CERT-In empanelled auditor

The Solution

Manual API Security Assessment with Business Logic Focus

Security Brigade conducted a deep-dive manual API security assessment across all 200+ endpoints, focusing on the business logic flaws that automated tools miss. Each API was tested against the OWASP API Security Top 10, with custom test cases for payment-specific attack vectors. The B-52 engine ensured every endpoint was covered; the Lemon platform provided real-time finding tracking with zero false positives.

Services used

api-security, vapt, compliance-audit

Our approach

  1. Phase 1: API inventory reconciliation — discovered 34 undocumented shadow APIs not in the client registry
  2. Phase 2: Authentication and authorization testing — BOLA/BFLA testing across all payment flows with role-based matrices
  3. Phase 3: Business logic testing — rate limiting bypass, transaction amount manipulation, concurrent request race conditions
  4. Phase 4: Remediation verification — each fix retested within 48 hours via Lemon, signed off with evidence
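
As an added illustration (not code from Security Brigade or the client), the Python below shows what the Phase 2 role-based matrix testing checks for: a BOLA-vulnerable transaction lookup next to a hardened version that enforces both function-level (BFLA) and object-level (BOLA) authorization, plus a small matrix runner that reports every (caller, object, expected outcome) mismatch. The roles, endpoint names, transaction records and role matrix are constructed assumptions for the example.

```python
"""
Added example, not the case study's or the client's code.
Demonstrates BOLA/BFLA checks and matrix-driven authorization testing
on constructed sample data.
"""
from dataclasses import dataclass

# Constructed sample data: transactions owned by different users.
TRANSACTIONS = {
    "txn-1001": {"owner": "user-A", "amount": 250.00, "vpa": "a@upi"},
    "txn-1002": {"owner": "user-B", "amount": 9800.00, "vpa": "b@upi"},
}

# Constructed role matrix: which roles may call which function (BFLA control).
ROLE_MATRIX = {
    "get_transaction": {"customer", "support", "admin"},
    "refund_transaction": {"admin"},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str


class Forbidden(Exception):
    """Caller's role is not permitted to invoke the function."""


class NotFound(Exception):
    """Record does not exist, or caller is not allowed to know it exists."""


def get_transaction_vulnerable(caller: Principal, txn_id: str) -> dict:
    """BOLA-vulnerable: any authenticated caller can read any transaction."""
    if txn_id not in TRANSACTIONS:
        raise NotFound(txn_id)
    return TRANSACTIONS[txn_id]


def authorize_function(caller: Principal, function: str) -> None:
    """BFLA control: the caller's role must be listed for the function."""
    if caller.role not in ROLE_MATRIX.get(function, set()):
        raise Forbidden(f"{caller.role} may not call {function}")


def authorize_object(caller: Principal, record: dict) -> None:
    """BOLA control: customers only see their own records; support/admin may read any."""
    if caller.role == "customer" and record["owner"] != caller.user_id:
        # Answer NotFound rather than Forbidden so the caller cannot learn
        # which transaction IDs exist for other users.
        raise NotFound("not found")


def get_transaction(caller: Principal, txn_id: str) -> dict:
    """Hardened lookup: function-level check, then object-level check."""
    authorize_function(caller, "get_transaction")
    record = TRANSACTIONS.get(txn_id)
    if record is None:
        raise NotFound(txn_id)
    authorize_object(caller, record)
    return record


def refund_transaction(caller: Principal, txn_id: str) -> dict:
    """Admin-only function; demonstrates the BFLA check on a privileged operation."""
    authorize_function(caller, "refund_transaction")
    record = TRANSACTIONS.get(txn_id)
    if record is None:
        raise NotFound(txn_id)
    return {"txn_id": txn_id, "refunded": record["amount"]}


def outcome(handler, caller: Principal, txn_id: str) -> str:
    """Classify a handler call as 'allow', 'forbidden' or 'notfound'."""
    try:
        handler(caller, txn_id)
        return "allow"
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "notfound"


def run_access_matrix(handler, cases):
    """Run a handler against an expected-outcome matrix; return the mismatches.

    cases: iterable of (Principal, txn_id, expected_outcome).
    Every mismatch is a concrete, reproducible authorization finding.
    """
    mismatches = []
    for caller, txn_id, expected in cases:
        actual = outcome(handler, caller, txn_id)
        if actual != expected:
            mismatches.append((caller.user_id, caller.role, txn_id, expected, actual))
    return mismatches


# Constructed expected-outcome matrix: who may read which transaction.
MATRIX = [
    (Principal("user-A", "customer"), "txn-1001", "allow"),
    (Principal("user-A", "customer"), "txn-1002", "notfound"),   # BOLA probe
    (Principal("user-B", "customer"), "txn-1002", "allow"),
    (Principal("sup-1", "support"), "txn-1002", "allow"),
    (Principal("guest-1", "guest"), "txn-1001", "forbidden"),    # BFLA probe
    (Principal("user-A", "customer"), "txn-9999", "notfound"),
]

if __name__ == "__main__":
    print("vulnerable:", run_access_matrix(get_transaction_vulnerable, MATRIX))
    print("hardened:  ", run_access_matrix(get_transaction, MATRIX))
```

Running the matrix against the vulnerable handler reports two mismatches (the cross-user read and the unauthorised role); against the hardened handler it reports none. Keeping the matrix as data is what makes retesting a fix mechanical: the same cases are replayed after remediation and any remaining mismatch is evidence the fix is incomplete.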

The Results

17 Critical API Vulnerabilities Fixed — Zero False Positives Delivered

The assessment identified 17 critical and 43 high-severity vulnerabilities across payment APIs, including BOLA flaws that could have allowed unauthorized access to the transaction history of any user. All findings were verified as true positives — zero noise.

