API Security Testing in Delhi NCR · Gov, India Stack & Enterprise

Delhi NCR runs on integration APIs — citizen-facing government and PSU portals, India-Stack consumers (Aadhaar e-KYC, DigiLocker, UPI, e-Sign), and the large-enterprise B2B estates clustered in Gurugram's Cyber City and Noida's Sector-62/Sector-135 belt. These APIs carry identity and entitlement, not just data, which is exactly why their authorization flaws matter more. Macksofy tests them against the OWASP API Security Top 10 (2023), with senior consultants who deliver across the NCR and report in the language CERT-In and departmental auditors expect.

Citizen-facing portals are where BOLA (API1) does the most damage, because the object an attacker pivots to is another citizen's record — a benefit status, an application, a document, a grievance. We test object-level authorization with two authenticated personas, and we pay particular attention to the predictable identifiers (application numbers, beneficiary IDs, sequential references) that make enumeration trivial. Broken function-level authorization (API5) is the companion finding: a citizen token reaching an officer/admin endpoint, or a verification function exposed without the maker-checker control the workflow assumes.

India-Stack integrations carry their own scope. Wherever a portal consumes Aadhaar e-KYC, DigiLocker document-pull, UPI or e-Sign, we test the integration boundary — token and consent handling, response-trust (unsafe consumption of upstream APIs, API10), SSRF on document-pull and callback URLs (API7), and the data-exposure risk of caching or logging identity responses. For Aadhaar-touching flows we test against the data-minimisation and storage expectations the UIDAI framework and DPDP both push toward, because over-retention of identity data is the finding that turns a portal flaw into a notifiable breach.

Enterprise NCR APIs — the Gurugram fintech and insurtech belt, the Noida IT/ITeS and e-commerce estates, the manufacturing and auto majors' partner portals — bring B2B and partner-integration scope: machine-to-machine auth, partner-token scoping, webhook SSRF, and the business-flow abuse (API6) that lives in onboarding, pricing and settlement APIs. We test unrestricted resource consumption (API4) on anything that fronts a cost or an enumeration oracle, and we surface shadow and zombie endpoints (API9) — the forgotten partner API still live after a migration, a recurring source of NCR incidents.

The deliverable is built for the NCR compliance reality: findings map to the CERT-In empanelled audit format and the six-hour incident-reporting posture, to DPDP reasonable-security-safeguards (and the Significant-Data-Fiduciary lens where the operator is large), and — for portals serving notified critical sectors — to the NCIIPC expectations for protected systems. Every High and Critical carries a manual proof-of-exploit, CVSS v3.1, and a remediation an engineering or empanelled-vendor team can action. For government and PSU buyers we provide the documentation and evidence pack a departmental audit or a CAG-aligned review will ask for.

Procurement in the NCR is its own discipline — GeM listings, departmental tender cycles, PSU committee approvals and enterprise vendor-security onboarding. We size proposals to fit, attach the empanelled-auditor letter and the Macksofy ISMS pack up front, and provide the re-test (every Critical and High inside a 60-day window, in the base SoW) that inspection follow-ups require. Onsite is same-day across Gurugram Cyber City, Noida and central Delhi, with the wider NCR — Greater Noida, Manesar, Faridabad — inside the same testing week.