
VAPT · Banking & Fintech

Closing Critical Gaps in a Banking API Gateway

Industry: Banking & Fintech
Engagement: API Penetration Test
Duration: 3 Weeks
Methodology: OWASP API Security Top 10

Client Overview

The client is a regional bank rolling out a new API gateway that lets partner fintech apps access account balances and transaction history on behalf of their shared customers. With launch a few weeks away and a regulatory security review due shortly after, the bank needed an independent assessment that could realistically test how a malicious or compromised partner might abuse the API.


The Challenge

The gateway's authentication relied on OAuth2 client-credentials and token exchange between the bank, partner apps and downstream account services. Scope covered the authentication flows, account and transaction endpoints, rate limiting, and the partner onboarding portal.

The engagement window was tight: three weeks, end to end, with no room to extend before launch. Testing had to be focused on the areas most likely to expose customer data or money-movement risk.


Key Concerns Identified

  • Critical: Broken object-level authorization (BOLA). A partner could swap an account identifier in a transaction history request and retrieve another customer's full transaction record.
  • High: OAuth2 token replay across environments. Access tokens issued by staging were also accepted by production due to a shared signing key, allowing a staging compromise to reach production.
  • High: Missing rate limiting on transaction endpoints. High-value transaction and OTP-verification endpoints had no per-account rate limiting, enabling brute-force attempts.
  • Medium: Verbose error messages. Malformed requests returned internal stack traces revealing framework versions and internal hostnames.


The Approach

We ran the engagement in three stages:

  1. Reconnaissance & mapping: catalogued every endpoint, auth flow and token lifecycle across the gateway, partner portal and downstream services.
  2. Targeted exploitation: tested authorization boundaries between partner accounts, token handling, and the business logic around transaction limits.
  3. Remediation & retest: worked alongside the engineering team to verify fixes in staging, then ran a full retest before sign-off.

Outcomes Delivered

  • 9 findings identified across authentication, authorization and rate-limiting controls.
  • All 9 findings remediated and retested before the public launch date.
  • Zero outstanding issues at launch, with evidence accepted by the bank's regulator.
  • Engagement completed within the original 3-week window, with no impact to the launch schedule.

"CipherTrivia found issues in our API gateway that would have been very costly if discovered after launch. Their team explained every finding clearly and stayed engaged until each one was fixed and verified."

Head of Engineering, Regional Banking Platform

Want results like this for your platform?

Tell us about your application, API or cloud environment and we'll map out the right approach.