42Crunch for AppSec engineers
What middleBrick covers
- Black-box scanning with no agents or code access
- Risk scoring from A to F with prioritized findings
- Detection aligned to OWASP API Top 10 (2023)
- Support for authenticated scanning with header allowlists
- OpenAPI 3.0/3.1 and Swagger 2.0 contract analysis
- Continuous monitoring and CI/CD integration options
Black-box scanning for any API stack
middleBrick is a self-service API security scanner that operates without agents, SDKs, or code access. You submit a target URL and receive a risk score from A to F with prioritized findings in under a minute. The scanner sends only read-only requests (GET and HEAD), plus text-only POST requests for the LLM probes, so it works against any language, framework, or cloud environment.
Because it is black-box, there is no dependency on implementation details or build pipelines. The scanner validates runtime behavior, including security headers, HTTP method exposure, and response data patterns. This approach suits teams that need to assess APIs already in production without requiring instrumentation or changes to the deployment pipeline.
Detection aligned to major standards
The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023). Each finding is mapped to PCI-DSS 4.0 and SOC 2 Type II control objectives, so the report can be used directly as audit evidence against those frameworks.
- Authentication — multi-method bypass, JWT misconfigurations such as alg=none or expired tokens, and security header compliance.
- BOLA / IDOR — sequential ID enumeration and active adjacent-ID probing.
- BFLA / Privilege Escalation — admin endpoint probing and role/permission field leakage.
- Property Authorization — over-exposure and internal field leakage relevant to mass-assignment surface.
- Input Validation — CORS wildcard usage with and without credentials and dangerous HTTP methods.
- Rate Limiting & Resource Consumption — detection of rate-limit headers and oversized responses.
- Data Exposure — PII patterns including email and context-aware SSN, as well as API key formats for AWS, Stripe, GitHub, and Slack.
- Encryption — HTTPS redirect, HSTS, cookie flags, and mixed content checks.
- SSRF — URL-accepting parameters and body fields with internal IP detection.
- LLM / AI Security — adversarial probes across Quick, Standard, and Deep tiers covering system prompt extraction, instruction override, and token smuggling.
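The Authentication and Data Exposure categories above are the easiest to reason about in code, so here is an added example (written for this page, not the scanner's own logic) that does both on a captured response: it scans a body for PII and vendor key formats with context-aware SSN matching, and it parses a JWT to flag alg=none and expired tokens. The regexes, the redaction scheme, the 40-character SSN context window, and the constructed sample body and token are all this example's assumptions.

```python
import base64
import json
import re
import time

# Response-body patterns in the spirit of the Data Exposure category above.
# These regexes are this example's own approximations, not the scanner's rules.
SECRET_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{24,}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b"),
}
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
SSN_CONTEXT = re.compile(r"(?i)\b(?:ssn|social[\s_-]?security)\b")


def redact(value):
    """Keep a recognisable prefix/suffix so a finding is reviewable without re-leaking the secret."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_body(body):
    """Return {finding_type: [redacted matches]} for one response body."""
    findings = {}
    for name, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(body):
            findings.setdefault(name, []).append(redact(m.group(0)))
    # Context-aware SSN: a bare 3-2-4 digit group is too noisy (order ids,
    # phone fragments), so flag it only when an SSN-like label precedes it.
    for m in SSN_PATTERN.finditer(body):
        window = body[max(0, m.start() - 40):m.start()]
        if SSN_CONTEXT.search(window):
            findings.setdefault("ssn", []).append(redact(m.group(0)))
    return findings


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_jwt(token, now=None):
    """Flag unsigned (alg=none) and expired tokens. The token is parsed, not
    verified: this is a misconfiguration check, not a validation routine."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected header.payload.signature"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return ["malformed: header or payload is not base64url JSON"]
    issues = []
    # Lax libraries accept "None"/"NONE", so compare case-insensitively.
    if str(header.get("alg", "")).lower() == "none" or parts[2] == "":
        issues.append("alg=none or empty signature: token is unsigned")
    if isinstance(payload.get("exp"), (int, float)) and payload["exp"] < now:
        issues.append("expired: exp=%d is in the past" % payload["exp"])
    return issues


def make_unsigned_jwt(payload):
    """Constructed sample token (alg=none, empty signature) for exercising check_jwt."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(payload) + "."


# Constructed sample response; the key values are documentation placeholders, not live credentials.
SAMPLE_BODY = json.dumps({
    "user": {"email": "alice@example.com", "aws_key": "AKIAIOSFODNN7EXAMPLE"},
    "note": "token ghp_" + "A" * 36,
})

if __name__ == "__main__":
    print(scan_body(SAMPLE_BODY))
    print(check_jwt(make_unsigned_jwt({"sub": "42", "exp": 1_000_000_000}), now=2_000_000_000))
```

Two design points carry over to any real implementation: matches are redacted before they reach a report, so the finding itself does not become a second leak, and the SSN pattern is only trusted when a label in the preceding bytes supports it, which is what "context-aware" means in the category list.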
For other frameworks, such as NIST and ISO 27001, the scanner surfaces findings that can serve as audit evidence for the controls they reference, without asserting certification or any compliance guarantee.
Authenticated scanning and scope controls
Authenticated scanning is available from the Starter tier and above, supporting Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through a DNS TXT record or an HTTP well-known file, ensuring only the domain owner can scan with credentials.
Header forwarding is limited to an allowlist containing Authorization, X-API-Key, Cookie, and X-Custom-* headers. This control reduces risk while still allowing necessary context for deeper assessment. The scanner respects read-only methods and blocks destructive payloads, private IPs, localhost, and cloud metadata endpoints at multiple layers.
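The two scope controls just described, the header allowlist and the refusal to touch private, loopback, or metadata addresses, are worth seeing as code. The following is an added example written for this page, not middleBrick's implementation: a forwarding filter built from the allowlist above, and a target check that looks at the hostname both before and after DNS resolution so that a public name pointing into private address space is refused too. The blocked network list, the hostname set, and the injectable resolver are this example's assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Allowlist from the text above: exact header names plus the X-Custom-* prefix.
ALLOWED_HEADERS = {"authorization", "x-api-key", "cookie"}
ALLOWED_PREFIXES = ("x-custom-",)

# Destructive methods are refused outright; GET/HEAD are the scanner's
# read-only traffic (text-only POST for LLM probes is a separate path).
BLOCKED_METHODS = {"PUT", "PATCH", "DELETE"}

# Destinations refused even when a user supplies them: loopback, RFC 1918,
# link-local (which contains 169.254.169.254, the cloud metadata address),
# CGNAT, "this network", and the IPv6 equivalents. Assumed list for this example.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]
BLOCKED_HOSTS = {"localhost", "metadata.google.internal", "metadata"}


def filter_headers(headers):
    """Keep only forwardable headers; anything else is dropped, never relayed."""
    kept = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname in ALLOWED_HEADERS or lname.startswith(ALLOWED_PREFIXES):
            kept[name] = value
    return kept


def is_blocked_address(ip):
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 hides a v4 target
    return any(addr in net for net in BLOCKED_NETWORKS)


def target_allowed(url, method="GET", resolver=socket.gethostbyname):
    """Return (ok, reason) for a candidate request. `resolver` is injectable
    so the check can be unit-tested without network access."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "unsupported scheme"
    if method.upper() in BLOCKED_METHODS:
        return False, "destructive method %s" % method.upper()
    host = (parts.hostname or "").lower()
    if not host or host in BLOCKED_HOSTS or host.endswith(".localhost"):
        return False, "blocked hostname"
    try:
        ipaddress.ip_address(host)
        ip = host                    # literal IP in the URL
    except ValueError:
        try:
            ip = resolver(host)      # DNS layer: names that point into private space
        except OSError:
            return False, "unresolvable host"
    if is_blocked_address(ip):
        return False, "resolves to blocked address %s" % ip
    return True, "ok"


if __name__ == "__main__":
    # Constructed request: one allowed header, one custom header, one that must be dropped.
    print(filter_headers({"Authorization": "Bearer t", "X-Custom-Tenant": "acme", "X-Forwarded-For": "1.2.3.4"}))
    print(target_allowed("http://169.254.169.254/latest/meta-data/"))
    print(target_allowed("https://api.example.com/v1", resolver=lambda h: "203.0.113.5"))
```

The resolution step matters because a hostname check alone is bypassed by a DNS record that points at 10.0.0.5 or at the metadata address; the text's "at multiple layers" is exactly this: hostname, literal IP, and resolved IP are each checked.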
OpenAPI contract validation
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references the spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination.
By comparing the contract to actual behavior, the scanner identifies mismatches such as undocumented endpoints, unexpected methods, or inconsistent authentication requirements. This helps teams maintain an accurate security posture as APIs evolve.
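To make the contract-versus-runtime comparison concrete, here is an added example (this page's own illustration, not the scanner's parser) that resolves local $ref pointers recursively, then audits each operation for the issues listed above: an undefined security scheme, no security requirement at all, a deprecated operation, a list endpoint with no pagination parameters, and sensitive field names in a response schema. It finishes by diffing the documented (method, path) set against a constructed set of endpoints observed at runtime. The spec dict, the observed set, the pagination parameter names, and the sensitive-field regex are assumptions made for the example; in practice the dict comes from json.load or yaml.safe_load on the contract file.

```python
import re

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
PAGINATION_PARAMS = {"limit", "page", "page_size", "per_page", "offset", "cursor"}
SENSITIVE_FIELD = re.compile(r"(?i)(?:password|secret|token|ssn|role|is_admin)")


def resolve_refs(node, root, seen=frozenset()):
    """Recursively replace local {"$ref": "#/..."} objects with their targets.
    A ref already on the current path is left unresolved so cycles terminate."""
    if isinstance(node, dict):
        ref = node.get("$ref")
        if isinstance(ref, str) and ref.startswith("#/") and ref not in seen:
            target = root
            for part in ref[2:].split("/"):
                target = target[part.replace("~1", "/").replace("~0", "~")]
            return resolve_refs(target, root, seen | {ref})
        return {k: resolve_refs(v, root, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(v, root, seen) for v in node]
    return node


def _schema_fields(schema):
    """Collect property names from a resolved schema, recursing into nested objects and arrays."""
    names = set(schema.get("properties", {}))
    for sub in schema.get("properties", {}).values():
        names |= _schema_fields(sub)
    if isinstance(schema.get("items"), dict):
        names |= _schema_fields(schema["items"])
    return names


def _response_fields(op):
    names = set()
    for resp in op.get("responses", {}).values():
        for media in resp.get("content", {}).values():
            names |= _schema_fields(media.get("schema", {}))
    return sorted(names)


def audit_contract(spec, observed):
    """Cross-check a spec against observed (METHOD, path) pairs and return finding strings."""
    spec = resolve_refs(spec, spec)
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    documented, findings = set(), []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            key = (method.upper(), path)
            documented.add(key)
            label = "%s %s" % key
            requirements = op.get("security", spec.get("security", []))
            if not requirements:
                findings.append("%s: no security requirement" % label)
            for req in requirements:
                for scheme in req:
                    if scheme not in defined:
                        findings.append("%s: undefined security scheme %r" % (label, scheme))
            if op.get("deprecated"):
                suffix = " (still served at runtime)" if key in observed else ""
                findings.append("%s: deprecated operation%s" % (label, suffix))
            if method == "get" and "{" not in path:
                query = {p.get("name") for p in op.get("parameters", []) if p.get("in") == "query"}
                if not query & PAGINATION_PARAMS:
                    findings.append("%s: list endpoint without pagination parameters" % label)
            for field in _response_fields(op):
                if SENSITIVE_FIELD.search(field):
                    findings.append("%s: sensitive field %r in response schema" % (label, field))
    for key in sorted(observed - documented):
        findings.append("%s %s: undocumented endpoint observed at runtime" % key)
    return findings


# Constructed spec: the page's sample, extended with a $ref'd parameter and schema,
# an operation naming a scheme that is never defined, and a deprecated list endpoint.
SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Sample API", "version": "1.0.0"},
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "parameters": {"UserId": {"name": "id", "in": "path", "required": True, "schema": {"type": "integer"}}},
        "schemas": {"User": {"type": "object", "properties": {
            "id": {"type": "integer"}, "password_hash": {"type": "string"}, "role": {"type": "string"}}}},
    },
    "paths": {
        "/users/{id}": {
            "get": {"summary": "Get user by ID", "parameters": [{"$ref": "#/components/parameters/UserId"}],
                    "security": [{"bearerAuth": []}],
                    "responses": {"200": {"description": "OK", "content": {
                        "application/json": {"schema": {"$ref": "#/components/schemas/User"}}}}}},
            "delete": {"summary": "Delete user", "security": [{"adminAuth": []}],
                       "responses": {"204": {"description": "Deleted"}}},
        },
        "/users": {"get": {"summary": "List users", "deprecated": True, "responses": {"200": {"description": "OK"}}}},
    },
}
# Constructed runtime observations: (METHOD, path-template) pairs the scanner actually saw.
OBSERVED = {("GET", "/users/{id}"), ("PATCH", "/users/{id}"), ("GET", "/admin/users")}

if __name__ == "__main__":
    for line in audit_contract(SPEC, OBSERVED):
        print(line)
```

The diff at the end is the part that changes posture over time: PATCH /users/{id} and GET /admin/users are live but absent from the contract, so no reviewer ever saw their authentication requirements, which is the "inconsistent authentication requirements" case described above.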
A minimal contract of the kind the scanner parses, with the bearerAuth scheme declared under components and applied to the operation through a security requirement:

openapi: 3.0.3
info:
  title: Sample API
  version: 1.0.0
paths:
  /users/{id}:
    get:
      summary: Get user by ID
      parameters:
        - name: id
          in: path
          required: true
          schema:
            type: integer
      security:
        - bearerAuth: []
      responses:
        '200':
          description: OK
components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer

Products, integrations, and continuous monitoring
The Web Dashboard centralizes scan management, report viewing, score trend tracking, and branded compliance PDF downloads. The CLI npm package supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action enables CI/CD gating, failing builds when the score drops below a defined threshold.
Pro tier adds continuous monitoring with scheduled rescans at six-hour, daily, weekly, or monthly intervals. It provides diff detection across scans, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that auto-disable after five consecutive delivery failures. The MCP Server allows scanning from AI coding assistants such as Claude and Cursor.
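A receiver for the signed webhooks needs to verify the HMAC before it trusts anything in the body. The following is an added example written for this page, not code from middleBrick: the header names, the "timestamp.body" message layout, the hex encoding, the five-minute replay window, and the constructed delivery are all assumptions, and the real layout must be taken from the product documentation. What carries over regardless is the order of operations: signature first, JSON parsing only afterwards, and a constant-time comparison.

```python
import hashlib
import hmac
import json
import time

SECRET = b"constructed-shared-secret"   # assumption: the secret shared at webhook setup
MAX_SKEW = 300                           # seconds; deliveries older than this are treated as replays


def sign(body, timestamp, secret=SECRET):
    """Assumed scheme: HMAC-SHA256 over "<timestamp>.<raw body>", hex-encoded.
    Binding the timestamp into the MAC stops an attacker from re-sending a
    captured delivery with a fresh timestamp header."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(body, headers, now=None, secret=SECRET):
    """True only if the timestamp is fresh and the signature matches the raw body."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-Webhook-Timestamp"])   # assumed header name
        sig = headers["X-Webhook-Signature"]       # assumed header name
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW:
        return False
    # compare_digest is constant-time; a plain == leaks the match prefix via timing.
    return hmac.compare_digest(sign(body, ts, secret), sig)


def handle_delivery(body, headers, now=None):
    """Parse the event only after the signature checks out, so a tampered body
    never reaches json.loads or any downstream alerting."""
    if not verify(body, headers, now):
        return {"accepted": False, "reason": "bad signature or stale timestamp"}
    event = json.loads(body)
    return {"accepted": True, "score": event.get("score"), "diff": event.get("diff")}


# Constructed delivery: a rescan that found one new issue and dropped the score to B.
SAMPLE_BODY = json.dumps({"api": "https://api.example.com", "score": "B",
                          "diff": {"new_findings": 1, "resolved": 0}}).encode()
SAMPLE_TS = 1_700_000_000
SAMPLE_HEADERS = {"X-Webhook-Timestamp": str(SAMPLE_TS),
                  "X-Webhook-Signature": sign(SAMPLE_BODY, SAMPLE_TS)}

if __name__ == "__main__":
    print(handle_delivery(SAMPLE_BODY, SAMPLE_HEADERS, now=SAMPLE_TS + 5))
    print(handle_delivery(SAMPLE_BODY + b" ", SAMPLE_HEADERS, now=SAMPLE_TS + 5))
```

Because the sender disables a webhook after five consecutive failures, the receiver should acknowledge with a 2xx as soon as verification succeeds and do any slow work (ticket creation, paging) asynchronously; a rejected signature is the one case where a non-2xx is the right answer.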