Background
A Bengaluru-based non-banking financial company (NBFC) offering digital personal loans engaged CyberneticsPlus for a comprehensive vulnerability assessment and penetration test (VAPT). The primary driver was RBI compliance: the company’s auditors had flagged the need for an independent security assessment under the RBI Master Direction on Information Technology Governance, Risk, Controls and Assurance (2023).
The platform processed approximately 800 loan applications per day, with disbursals directly to applicant bank accounts via IMPS. The stakes of a compromised loan origination system were significant — fraudulent applications, modified bank account details, or credit decision manipulation could result in direct financial loss.
Scope:
- Borrower web application (React + Node.js API)
- Loan origination API (REST, JWT authentication)
- Admin portal for credit team
- KYC integration (Aadhaar-based eKYC + PAN verification)
- AWS infrastructure
Key Findings
Critical: Authentication Bypass in Loan Origination API
Finding: The loan application API at /api/v2/loan/apply accepted a user_id parameter in the POST body. The authentication middleware verified that the JWT was valid and not expired, but did not validate that the user_id in the request body matched the sub (subject) claim in the JWT. In other words, the token proved who the caller was, and the body was then allowed to say who the loan was for.
An authenticated borrower could submit a loan application on behalf of another user by replacing user_id in the request body while still presenting their own valid JWT:

    {
      "user_id": "8821034",                  ← victim's user ID
      "loan_amount": 500000,
      "tenure_months": 24,
      "purpose": "business",
      "bank_account_id": "acc_attacker_123"  ← attacker's bank account
    }
The loan application would be created under the victim’s identity (using their credit history, KYC status, and credit limit) while the disbursal account was set to the attacker’s bank account.
Business impact: A fraudster with a valid (potentially fake) borrower account could take loans under the identity of high-credit-score borrowers, with disbursal to the attacker’s account. The victim would have a loan on their credit record; the NBFC would face credit loss and regulatory liability.
Fix: Authentication middleware updated to compare the user_id in every request body against the sub claim in the JWT; any mismatch returns 403. The stronger form of this fix, which is what was done for the kyc_verified field below, is to drop user_id from the API contract altogether and take the borrower identity only from the verified token, so there is nothing in the body for a client to substitute.
Critical: KYC Status Bypass via Parameter Manipulation
Finding: The loan application submission endpoint accepted a kyc_verified flag in the request body. While the backend validation was supposed to check KYC status from the database, the application logic had a short-circuit: if kyc_verified: true was present in the request body, the database check was skipped.
An unverified borrower (incomplete Aadhaar/PAN verification) could submit a loan application with kyc_verified: true in the POST body and bypass the KYC requirement.
Fix: kyc_verified parameter removed from the API contract. KYC status derived exclusively from the database — never from client-supplied input.
High: IDOR on Bank Account Deletion
Finding: DELETE /api/v1/accounts/{account_id} deleted a saved bank account without checking ownership. An authenticated borrower could delete another borrower’s saved bank accounts by enumerating the sequential account IDs.
Fix: Bank account deletion endpoint updated to verify ownership (user_id from the JWT must match the user_id on the account record). A foreign account should receive the same 404 as a non-existent one, so the endpoint no longer confirms which IDs exist to an enumerating caller.
High: Admin Portal Without MFA
Finding: The credit team admin portal — which allowed credit officers to approve, reject, and modify loan applications — had no MFA enforcement. Admin accounts used password-only authentication, and password policy allowed 8-character alphanumeric passwords.
Fix: TOTP-based MFA enforced for all admin portal users. Minimum password length raised to 12 characters, with complexity requirements.
Additional Findings
- 6 medium findings: missing rate limiting on OTP endpoints, verbose API error messages, missing CSRF tokens on non-API endpoints, outdated JWT library version, CloudTrail partial coverage, S3 bucket without versioning
- 8 low/informational: missing security headers, JWT lifetime too long (7 days), informational API responses, unused IAM roles
Outcome
All critical and high findings were resolved within 10 business days. CyberneticsPlus conducted a retest confirming resolution.
The company’s RBI compliance audit (conducted by a CERT-In empanelled auditor) reviewed the VAPT report and remediation evidence. The compliance assessment was cleared without any major observations related to the security findings.
The NBFC implemented quarterly penetration testing as part of their ongoing security programme — aligned with RBI’s recommendation for periodic security assessments for digital lending platforms.