Forem: Shouvik Mukherjee

API Security in India: The Flaw Nobody Is Fixing

Shouvik Mukherjee — Sun, 12 Apr 2026 09:10:36 +0000

By Shouvik Mukherjee — Founder at Bachao.AI, Ex-Principal Engineer

Indian SaaS is growing fast. The engineering is often excellent. The API security is frequently an afterthought — and that gap is getting exploited.

This isn't a lecture. This is a technical walkthrough of what's actually broken, why it keeps shipping, and what you can check on your API today.

Why Indian SaaS APIs Are Disproportionately Exposed

The pattern is consistent: small team, aggressive roadmap, product-market fit as the north star. Security review gets pushed to "after launch." Launch happens, users arrive, engineers move to the next feature. The API surface keeps growing. The security review never happens.

This isn't unique to India, but the scale here is acute. India has tens of thousands of B2B SaaS products shipping at startup pace. Most don't have a dedicated security engineer. Most haven't run a penetration test.

The result: production APIs with real user data, running patterns that OWASP documented as critical years ago.

The OWASP API Top 10 — What's Actually Hitting Indian Products

API1: Broken Object Level Authorization (BOLA)

This is the number one API vulnerability globally — and the most commonly missed in fast-shipping products.

The pattern: your API has an endpoint like GET /api/v1/invoices/{invoice_id}. The backend checks that the user is authenticated. It does not check that the invoice belongs to the authenticated user.

An attacker increments the invoice ID. They access another user's invoice. Then another. Then exports your entire customer dataset by iterating IDs.

This isn't a sophisticated attack. It's a for-loop. And it works on a shocking number of Indian SaaS products.

API3: Broken Object Property Level Authorization

Related but distinct. The API returns more fields than the frontend uses. The mobile app displays user.name and user.email. But the raw API response also contains user.internal_risk_score, user.admin_flag, user.raw_password_hash.

The frontend ignores these fields. A Burp Suite intercept doesn't.

API5: Broken Function Level Authorization

Admin endpoints accessible to regular users. Not because someone intended it — because the route existed and authorization middleware was applied inconsistently.

/api/admin/users/delete returns 403 for most requests. But someone forgot to add the middleware to the /api/v2/admin/ prefix after a refactor. V2 endpoints are open.

API6: Unrestricted Access to Sensitive Business Flows

No rate limiting on OTP generation. No limit on password reset emails. No throttle on the "check if email exists" endpoint.

These aren't just abuse vectors — they're data exfiltration paths. An attacker can enumerate your entire registered user base via a POST /auth/forgot-password endpoint with no rate limit.

API8: Security Misconfiguration

CORS set to *. X-Powered-By: Express 4.18.1. Verbose stack traces in 500 responses. Debug endpoints deployed to production. Old API versions still running (/v1/, /v0/) that were never deprecated.

The Real-World Pattern

Here's a scenario that mirrors actual audit findings — no real company names, but the pattern is real.

A Series A B2B SaaS product. 50,000 users. The engineering team of 12 is competent and moves fast. During a security audit:

GET /api/reports/{report_id} — no ownership check. Any authenticated user can pull any report by ID.
The /api/internal/ prefix routes were excluded from auth middleware "temporarily" during a migration six months ago. Never re-added.
The JWT secret: secretkey. Set during initial dev, never rotated, never changed.
The /api/v1/ and /api/v2/ endpoints both active. V1 is deprecated in docs but still running in production — and V1 skips the new input validation added to V2.

None of this was intentional. All of it is the natural result of shipping fast without security checkpoints.

5 Things to Check on Your API Today

1. Test BOLA on your highest-value object endpoints

Pick 3 endpoints that return user-owned resources. Authenticate as User A. Take an ID from User A's response. Swap to User B's auth token. Request User A's resource ID with User B's token. Does it return data? If yes, you have BOLA.

2. Audit your API response objects for over-exposure

For every endpoint, compare what the frontend actually uses versus what the API returns. Any field not consumed by the UI should be explicitly excluded from the response serializer.

3. Check every admin or elevated-privilege route for consistent middleware

List all routes that contain /admin/, /internal/, /superuser/, or equivalent prefixes. Verify auth middleware is applied consistently — not just on the prefix, but on each handler.

4. Test rate limiting on auth endpoints

POST /auth/login — send 100 requests in 60 seconds. Does it throttle? Check OTP, password reset, and account existence check endpoints the same way.

5. Search your codebase for secrets

grep -r "secret|password|apikey|token|AWS_ACCESS" . in your repo. Run git log --all --full-history -- .env to check if .env files were ever committed. This takes 10 minutes and finds critical issues regularly.

The Fix Isn't a Framework — It's a Habit

Most of these vulnerabilities don't require sophisticated tooling to introduce, and they don't require sophisticated tooling to find. They require someone to look.

Security review as a step in the PR process. A threat model conversation when designing a new API. A penetration test before a major launch or a new enterprise customer signs.

If you want a systematic view of your API security posture — not just a scanner report, but actual expert-verified findings — Bachao.AI provides CERT-IN grade API security testing as part of a full VAPT engagement. Free initial scan. You pay only if vulnerabilities are found.

Start at bachao.ai. Know what you're shipping.

Shouvik Mukherjee is Founder & CEO of Bachao.AI, an AI-native end-to-end cybersecurity platform. Ex-Principal Engineer, TEDx Speaker.

I built an MCP server so Claude Code stops hallucinating SVG icons

Shouvik Mukherjee — Sun, 05 Apr 2026 10:05:35 +0000

Every time I ask Claude, Cursor, or Windsurf to add icons to my UI, I get hallucinated SVGs — paths that look almost right but are slightly off. Misaligned strokes, weird proportions, icons that don't match any real design system.

So I built Animotion — an open-source MCP server that gives AI coding tools access to:

745 CSS3 animations (entrance, exit, attention, loaders, 3D transforms, and 15 more categories)
9,000+ real SVG icons from Lucide, Heroicons, Tabler, and Bootstrap
10 MCP tools including search_animations, get_icon, suggest_animation, and more

Zero-clone setup

{
  "mcpServers": {
    "animotion": {
      "command": "npx",
      "args": ["-y", "animotion-mcp"]
    }
  }
}

Paste that into your Claude Code / Cursor / Windsurf MCP config. That's it. No repo clone, no npm install, no paths.

Your AI agent can now:

search_icons("shopping cart") and get a real Lucide/Heroicons SVG
search_animations("fade in") and get production-ready CSS
suggest_animation("modal appearing with bounce") and get the best match

Also works as a traditional CSS library

Don't use AI tools? The animations work as plain CSS classes too:

<link rel="stylesheet" href="https://cdn.jsdelivr.net/gh/animotion-mcp/animotion-mcp.github.io@v1.0.0/css/animotion.css">
<link rel="stylesheet" href="https://cdn.jsdelivr.net/gh/animotion-mcp/animotion-mcp.github.io@v1.0.0/css/keyframes.css">

<div class="animotion-fade-in">Hello World</div>

Why 87% of Indian SMBs Have Zero Cybersecurity — And What We're Building to Fix It

Shouvik Mukherjee — Sat, 04 Apr 2026 19:15:45 +0000

I've been in cybersecurity for 18 years. I've seen enterprise security from the inside — the ₹50 lakh annual contracts, the 6-month implementation timelines, the compliance theater. But when I started scanning Indian SMB infrastructure last year, what I found was genuinely shocking.

The numbers:

78% of Indian SMB websites have broken or misconfigured SSL
91% are missing basic security headers entirely
62% run software with known published CVEs
37% have admin panels accessible from the public internet

These aren't exotic zero-days. These are configuration basics that take minutes to fix — once you know they exist.

The Real Problem Isn't Awareness

Every founder I talk to knows cybersecurity matters. They've read about the ₹22 crore average breach cost (IBM 2025). They know about the DPDP Act and its ₹250 crore penalty ceiling. The problem isn't awareness — it's access.

Here's what the cybersecurity market looks like for an Indian SMB with ₹5 crore annual revenue:

Service	Typical Cost	Timeline
Manual VAPT engagement	₹40,000 – ₹8,50,000	2-4 weeks
Enterprise SIEM	₹15,000 – ₹50,000/month	3-6 months to implement
Compliance consultant (ISO 27001)	₹5,00,000 – ₹10,00,000	6-12 months
CISO hire	₹30,00,000 – ₹60,00,000/year	Good luck finding one

The rational response? Skip it entirely and hope for the best.

What We're Building

Bachao.AI is an AI-native end-to-end cybersecurity platform built specifically for this gap. Not a single tool — a full platform with 20+ products:

Detection & Testing:

AI VAPT Scanner (free first scan, ₹4,999 report)
API Security (REST + GraphQL)
Mobile App Security (iOS/Android)
Attack Surface Management
Secret Scanning

Monitoring & Response:

Dark Web Monitoring
MSSP-Lite (SOC-as-a-Service)
Incident Response
RASP Protection

Compliance & Governance:

DPDP Act 2023 Readiness Assessment
SEBI CSCRF Audit
Compliance Automation
Consent Manager SDK
vCISO AI Copilot

Offensive Security:

Red Team / Breach & Attack Simulation
Cyber Forensics

Consumer Protection:

Deepfake Detection
UPI QR Scanner

The Technical Architecture

For the engineers here — a few decisions we made early:

Scan isolation: Every scan runs in a Firecracker microVM — the same isolation technology AWS Lambda uses. No scan can affect another customer's environment or our own infrastructure.

Report generation: We use Claude API for contextual vulnerability analysis. Raw scanner output gets transformed into actionable, business-context reports with specific remediation steps — not generic "update your software" advice.

Data security: AES-256 encryption, 90-day default purge cycle. We don't want to be the cybersecurity company that gets breached because we hoarded customer scan data.

The Pricing Bet

Our bet is simple: if you make the entry point free and the paid tier affordable, Indian SMBs will adopt cybersecurity at scale.

Free scan: Summary report, risk score, top findings. 2-hour delivery.
₹4,999: Full vulnerability report with CVSS scoring, OWASP mapping, evidence screenshots
₹9,999: Everything above plus remediation — actual fixes, not just recommendations

That's 99% cheaper than the enterprise equivalent. We're not competing with CrowdStrike or Palo Alto. We're competing with "do nothing" — which is what 87% of Indian SMBs currently choose.

DPDP Act — The Clock Is Ticking

The Digital Personal Data Protection Act enforcement begins May 13, 2027. No grace period. Penalties up to ₹250 crore per contravention. And it applies to every business that processes personal data — regardless of size.

Every finding in our reports auto-maps to Schedule I technical safeguards. When the Data Protection Board asks "what reasonable security measures did you have in place?" — our customers have a timestamped, evidence-backed answer.

Where We Are Today

Bootstrapped, solo founder (me + COO Amit Kumar Poreli)
DPIIT recognized startup (CIN: U62099WB2025PTC275605)
20+ products live on the platform
Regulatory coverage: RBI IT Framework, DPDP Act 2023, SEBI CSCRF

If you're an Indian startup or SMB that's never run a security scan — try Bachao.AI. The first scan is free and takes 2 hours.

If you're a developer building SaaS products — I'd love to hear what security tooling gaps you face. Drop a comment.

I'm Shouvik Mukherjee, founder of Bachao.AI. Previously Principal Engineer, TEDx speaker. Building from India for Indian businesses.