42Crunch for API marketplaces

What middleBrick covers

  • Black-box scanning with no agents, SDKs, or code access required
  • Supports OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution
  • Covers OWASP API Top 10 (2023), SOC 2 Type II, and PCI-DSS 4.0 mapping
  • LLM/AI security probes across Quick, Standard, and Deep scan tiers
  • Authenticated scanning with header allowlist and domain verification
  • Continuous monitoring with diff detection and configurable alerts

Scan coverage for API marketplace topologies

API marketplaces expose many endpoints, including developer portals, monetization gateways, and analytics ingestion paths. middleBrick scans these surfaces using black-box techniques, exercising only safe HTTP methods. The scanner maps findings to three frameworks, including OWASP API Top 10 (2023), and supports audit evidence for SOC 2 Type II and PCI-DSS 4.0 controls.

Authentication and authorization checks

Marketplace backends often mix authentication schemes for partners and consumers. The scanner tests Bearer, API key, Basic auth, and cookie-based flows while checking JWT configurations such as alg=none, weak algorithms, expired tokens, missing claims, and sensitive data in claims. It also validates security headers and WWW-Authenticate compliance, and it supports authenticated scanning for Bearer, API key, Basic auth, and Cookie when a domain verification gate is passed.

Business logic and data exposure risks

Common marketplace risks include ID enumeration, privilege escalation, over-exposed object properties, and PII leakage. middleBrick probes for sequential ID patterns, admin endpoint exposure, role/permission field leaks, over-exposure of internal fields, mass-assignment surfaces, and data exposure issues such as email patterns, Luhn-validated card numbers, context-aware SSN formats, and API key formats (AWS, Stripe, GitHub, Slack). Error and stack-trace leakage are also detected to reduce information disclosure.
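The data-exposure checks above can be approximated with a small response-body detector. This is an added example, not middleBrick's own code: it flags email addresses, card numbers only when they pass the Luhn checksum (so a random 16-digit order number is not reported), and credential-looking strings by prefix. The key-format patterns and the sample body are assumptions constructed for the example.

```python
import re

# Constructed sample API response body (not real customer data); the card and
# key values are the publicly documented test/example values from their vendors.
SAMPLE_BODY = """{"user":{"email":"alice@example.com","card":"4111 1111 1111 1111",
"note":"order 1234567890123456 shipped","aws":"AKIAIOSFODNN7EXAMPLE",
"stripe":"sk_test_4eC39HqLyjWDarjtT1zdp7dc"}}"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer run
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
# Prefix-based key formats; exact vendor formats are assumptions for this example
KEY_RES = {
    "aws": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{20,}\b"),
    "github": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "slack": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_exposures(body: str) -> dict:
    """Return email, Luhn-valid card, and API-key-shaped strings found in a body."""
    findings = {"email": EMAIL_RE.findall(body), "card": [], "api_key": []}
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):  # filters out digit runs that are not card numbers
            findings["card"].append(digits)
    for name, rx in KEY_RES.items():
        for m in rx.finditer(body):
            findings["api_key"].append((name, m.group()))
    return findings


if __name__ == "__main__":
    for kind, hits in find_exposures(SAMPLE_BODY).items():
        print(f"{kind}: {hits}")
```

In a real scan the detector would run over every response body and report the field path alongside the match; masking the matched value before it reaches the report keeps the finding itself from becoming a second leak.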

Input validation and infrastructure safety

URL-accepting parameters and body fields are checked for SSRF indicators, including internal IP detection and active IP-bypass probes. Dangerous HTTP methods, CORS wildcards (with and without credentials), debug endpoints, and oversized responses are surfaced. The scanner blocks private IPs, localhost, and cloud metadata endpoints at multiple layers and only sends read-only methods, ensuring no destructive payloads are delivered.

LLM/AI security and OpenAPI analysis

For AI-enabled marketplaces, the scanner runs 18 adversarial probes across Quick, Standard, and Deep tiers, targeting system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration, cost exploitation, encoding bypasses, prompt injection variants, token smuggling, tool abuse, nested instruction injection, and PII extraction. OpenAPI 3.0, 3.1, and Swagger 2.0 specs are parsed with recursive $ref resolution, and findings are cross-referenced against the spec to identify undefined security schemes, sensitive fields, deprecated operations, and missing pagination.

Frequently Asked Questions

Does the scanner test for SQL injection or command injection?
No. The scanner does not perform active SQL injection or command injection tests, as those require intrusive payloads outside its scope.

Can authenticated scans be run in CI for API marketplaces?
Yes. Authenticated scans with Bearer, API key, Basic auth, and Cookie are supported from Starter tier and above, provided the domain verification gate is completed.

What happens to scan data after account cancellation?
Customer scan data is deletable on demand and purged within 30 days of cancellation. It is never sold and never used for model training.

Does the scanner fix vulnerabilities or block attacks?
No. The scanner detects and reports findings with remediation guidance. It does not fix, patch, block, or remediate.