42Crunch for Backend engineers
What middleBrick covers
- Black-box scanning that completes in under one minute
- Risk scoring from A to F with prioritized findings
- Detection aligned to OWASP API Top 10 (2023)
- OpenAPI 3.0/3.1 and Swagger 2.0 spec analysis
- Authenticated scans with strict header allowlisting
- Continuous monitoring with diff detection and webhook alerts
Black-box scanning for backend APIs
middleBrick is a self-service API security scanner designed for backend workflows. You submit an API endpoint, and the service returns a risk score from A to F along with prioritized findings. The scanner operates as a black-box solution with no agents, no SDK, and no access to your source code. It supports any language, framework, or cloud environment and completes a scan in under one minute.
Detection aligned to industry standards
The scanner covers 12 security categories aligned to the OWASP API Top 10 (2023) and maps findings to PCI-DSS 4.0 and SOC 2 Type II controls where applicable. Detection covers authentication bypass; JWT misconfigurations such as tokens accepted with alg=none or past their exp claim; BOLA and IDOR via sequential and adjacent ID probing; BFLA and privilege escalation attempts; over-exposed properties; input validation issues and misconfigurations such as a wildcard CORS origin; rate-limiting behavior; sensitive data exposure, including PII and API key patterns; encryption misconfigurations; SSRF indicators; and inventory management gaps. An LLM security mode runs 18 adversarial probes across Quick, Standard, and Deep tiers to assess system prompt extraction, jailbreak techniques, and data exfiltration risks.
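How the alg=none and expired-token checks above work in practice, as an added example that is not middleBrick's code: a black-box scanner takes a token the API already accepts, re-encodes it with alg=none and an empty signature, and replays it. A verifier that honours whatever algorithm the token names lets the probe through; the hardened verifier beside it pins the algorithm and enforces exp. The HS256 key, the claims and the fixed clock are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Optional

SECRET = b"constructed-demo-secret"  # assumption: the API's HS256 signing key
NOW = 1_700_000_000                  # fixed clock so results are reproducible


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _encode(obj: dict[str, Any]) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict[str, Any], key: bytes) -> str:
    """Mint a correctly signed HS256 token (stands in for the API's own issuer)."""
    header, payload = _encode({"alg": "HS256", "typ": "JWT"}), _encode(claims)
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def forge_alg_none(token: str) -> str:
    """The alg=none probe: keep the original claims, swap the header, drop the
    signature. A server that accepts this token is not verifying signatures."""
    _, payload, _ = token.split(".")
    return f"{_encode({'alg': 'none', 'typ': 'JWT'})}.{payload}."


def vulnerable_verify(token: str, key: bytes) -> Optional[dict]:
    """Trusts the alg named by the token itself (the classic bug) and never
    looks at exp, so both misconfigurations named above get through."""
    header_seg, payload_seg, sig_seg = token.split(".")
    header = json.loads(_unb64url(header_seg))
    claims = json.loads(_unb64url(payload_seg))
    alg = str(header.get("alg", ""))
    if alg.lower() == "none":          # attacker-chosen algorithm: no signature needed
        return claims
    if alg == "HS256":
        expected = hmac.new(key, f"{header_seg}.{payload_seg}".encode(),
                            hashlib.sha256).digest()
        if hmac.compare_digest(expected, _unb64url(sig_seg)):
            return claims
    return None


def hardened_verify(token: str, key: bytes, now: int = NOW) -> Optional[dict]:
    """Pins the algorithm the server expects, always checks the signature,
    and rejects tokens with a missing or past exp claim."""
    header_seg, payload_seg, sig_seg = token.split(".")
    header = json.loads(_unb64url(header_seg))
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_seg}.{payload_seg}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_seg)):
        return None
    claims = json.loads(_unb64url(payload_seg))
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return claims


if __name__ == "__main__":
    valid = sign_hs256({"sub": "42", "exp": NOW + 600}, SECRET)
    for name, tok in (("valid", valid), ("alg=none probe", forge_alg_none(valid)),
                      ("expired", sign_hs256({"sub": "42", "exp": NOW - 1}, SECRET))):
        print(f"{name:15} vulnerable={vulnerable_verify(tok, SECRET) is not None} "
              f"hardened={hardened_verify(tok, SECRET) is not None}")
```

The same probe works against any verifier that dispatches on the token's own alg field, including libraries that accept "None" or "nOnE" because they compare case-insensitively; the fix is to pass the expected algorithm to the library rather than letting the token choose.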
OpenAPI analysis and authenticated scanning
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 files with recursive $ref resolution. It cross-references the spec against runtime behavior to identify undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For authenticated scans, supported methods include Bearer tokens, API keys, Basic auth, and cookies. Domain ownership is verified through a DNS TXT record or an HTTP well-known file before credentials can be attached, so only the domain owner can run authenticated scans against it. A strict header allowlist is applied, forwarding only Authorization, X-API-Key, Cookie, and X-Custom-* headers.
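Two of the spec-side checks from this paragraph plus the credential header allowlist, as an added example that is not middleBrick's parser: recursive $ref resolution that survives a self-referencing schema, detection of operations whose security requirement names a scheme absent from components.securitySchemes, a list of deprecated operations, and a filter that forwards only Authorization, X-API-Key, Cookie and X-Custom-* headers. The OpenAPI 3.1 fragment is constructed and deliberately flawed; only local $ref pointers are handled.

```python
import fnmatch
from typing import Any

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
ALLOWED_HEADER_PATTERNS = ("authorization", "x-api-key", "cookie", "x-custom-*")

# Constructed OpenAPI 3.1 fragment with deliberate defects: /admin/export requires
# a scheme that components.securitySchemes never defines and is marked deprecated,
# and the User schema references itself (manager -> User), which a naive resolver
# would expand forever.
SAMPLE_SPEC: dict[str, Any] = {
    "openapi": "3.1.0",
    "components": {
        "securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}},
        "schemas": {"User": {"type": "object", "properties": {
            "id": {"type": "integer"},
            "manager": {"$ref": "#/components/schemas/User"}}}},
        "responses": {"UserOK": {"description": "ok", "content": {
            "application/json": {"schema": {"$ref": "#/components/schemas/User"}}}}},
    },
    "paths": {
        "/users/{id}": {"get": {"security": [{"bearer": []}],
                                "responses": {"200": {"$ref": "#/components/responses/UserOK"}}}},
        "/admin/export": {"get": {"security": [{"adminKey": []}], "deprecated": True,
                                  "responses": {"200": {"description": "ok"}}}},
    },
}


def _lookup(spec: dict, pointer: str) -> Any:
    """Follow a local JSON Pointer such as '#/components/schemas/User'.
    Remote and file refs are out of scope for this example."""
    if not pointer.startswith("#/"):
        raise ValueError(f"only local $ref pointers are supported: {pointer}")
    node: Any = spec
    for part in pointer[2:].split("/"):
        part = part.replace("~1", "/").replace("~0", "~")   # RFC 6901 unescaping
        node = node[int(part)] if isinstance(node, list) else node[part]
    return node


def _resolve(spec: dict, node: Any, stack: tuple) -> Any:
    if isinstance(node, dict):
        ref = node.get("$ref")
        if isinstance(ref, str):
            if ref in stack:            # cycle: keep the pointer so the walk terminates
                return {"$ref": ref}
            return _resolve(spec, _lookup(spec, ref), stack + (ref,))
        return {key: _resolve(spec, value, stack) for key, value in node.items()}
    if isinstance(node, list):
        return [_resolve(spec, value, stack) for value in node]
    return node


def resolve_refs(spec: dict) -> dict:
    """Return a copy of the spec with every local $ref inlined, recursively,
    leaving a $ref in place only where it would re-enter a schema that is
    already being expanded. The input is not modified."""
    return _resolve(spec, spec, ())


def _operations(spec: dict):
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method in HTTP_METHODS and isinstance(op, dict):
                yield method, path, op


def undefined_security_schemes(spec: dict) -> list[tuple[str, str, str]]:
    """(method, path, scheme) for every security requirement that names a scheme
    components.securitySchemes does not define. Operation-level security overrides
    the top-level list, as the OpenAPI spec prescribes."""
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    findings = []
    for method, path, op in _operations(spec):
        for requirement in op.get("security", spec.get("security", [])):
            for scheme in requirement:
                if scheme not in defined:
                    findings.append((method, path, scheme))
    return findings


def deprecated_operations(spec: dict) -> list[tuple[str, str]]:
    return [(m, p) for m, p, op in _operations(spec) if op.get("deprecated") is True]


def filter_headers(headers: dict[str, str]) -> dict[str, str]:
    """Forward only the allowlisted credential headers (names compared case-insensitively);
    anything else, such as Host or X-Forwarded-For, is dropped before the request leaves."""
    return {name: value for name, value in headers.items()
            if any(fnmatch.fnmatchcase(name.lower(), p) for p in ALLOWED_HEADER_PATTERNS)}
```

An operation that names an undefined scheme is the spec-side symptom worth chasing first: a generator or gateway that reads the spec will typically treat it as having no authentication at all.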
Continuous monitoring and integrations
On the Pro tier, you can schedule rescans every 6 hours, daily, weekly, or monthly. Each scan is diffed against the previous one to highlight new findings, resolved issues, and score drift. Alerts are rate-limited to one email per hour per API and can also be delivered via Slack or Teams. Webhook deliveries are signed with HMAC-SHA256, and an endpoint is automatically disabled after five consecutive delivery failures. Integration options include a web dashboard for reporting and trends, a CLI via the middlebrick npm package, a GitHub Action for CI/CD gating, and an MCP server for use with AI coding assistants.
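The webhook pattern described above, as an added example rather than middleBrick's implementation: the sender signs the raw body with HMAC-SHA256, the receiver verifies with a constant-time compare, and an endpoint is disabled after five consecutive delivery failures. The header names, the sha256= prefix, the timestamp-bound signature and the five-minute replay window are assumptions; the transport is a constructed stand-in so the code runs offline.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Callable, Optional

MAX_CONSECUTIVE_FAILURES = 5      # from the page: auto-disable after five in a row
REPLAY_WINDOW_SECONDS = 300       # assumption: how old a signed delivery may be
SIGNATURE_HEADER = "X-Webhook-Signature"   # assumption: header names are illustrative
TIMESTAMP_HEADER = "X-Webhook-Timestamp"


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>', so a captured delivery cannot
    be replayed later and the body cannot be altered without the secret."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: dict[str, str], body: bytes,
           now: Optional[int] = None) -> bool:
    """Receiver side. Compare with hmac.compare_digest, never ==, and compute
    the MAC over the raw bytes as received, before any JSON parsing."""
    now = int(time.time()) if now is None else now
    try:
        timestamp = int(headers[TIMESTAMP_HEADER])
        provided = headers[SIGNATURE_HEADER]
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > REPLAY_WINDOW_SECONDS:
        return False
    expected = "sha256=" + sign(secret, timestamp, body)
    return hmac.compare_digest(expected, provided)


@dataclass
class WebhookEndpoint:
    url: str
    secret: bytes
    consecutive_failures: int = 0
    enabled: bool = True


Transport = Callable[[str, dict[str, str], bytes], int]   # (url, headers, body) -> HTTP status


def deliver(endpoint: WebhookEndpoint, event: dict, transport: Transport,
            now: Optional[int] = None) -> bool:
    """Sign and send one event. A 2xx resets the failure counter; any other
    status or a transport exception counts as a failure, and the endpoint is
    disabled once MAX_CONSECUTIVE_FAILURES is reached."""
    if not endpoint.enabled:
        return False
    timestamp = int(time.time()) if now is None else now
    body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
    headers = {"Content-Type": "application/json",
               TIMESTAMP_HEADER: str(timestamp),
               SIGNATURE_HEADER: "sha256=" + sign(endpoint.secret, timestamp, body)}
    try:
        ok = 200 <= transport(endpoint.url, headers, body) < 300
    except Exception:
        ok = False
    if ok:
        endpoint.consecutive_failures = 0
    else:
        endpoint.consecutive_failures += 1
        if endpoint.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            endpoint.enabled = False
    return ok


def make_receiver(secret: bytes, statuses: list[int], now: int) -> Transport:
    """Constructed stand-in for HTTP: verifies the signature the way a real
    receiver would, then answers with the next canned status (503s simulate an outage)."""
    def transport(url: str, headers: dict[str, str], body: bytes) -> int:
        if not verify(secret, headers, body, now=now):
            return 401
        return statuses.pop(0) if statuses else 200
    return transport


if __name__ == "__main__":
    NOW, SECRET = 1_700_000_000, b"whsec_constructed"
    ep = WebhookEndpoint("https://hooks.example.invalid/inbox", SECRET)
    recv = make_receiver(SECRET, [200, 503, 503, 503, 503, 503, 200], NOW)
    print([deliver(ep, {"api": "payments", "score": "C"}, recv, now=NOW) for _ in range(7)])
    print("enabled:", ep.enabled, "failures:", ep.consecutive_failures)
```

On the receiving side, verify before parsing: re-serialising the JSON can change whitespace or key order and will break the MAC even when the content is intact.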
Safety posture and limitations
The scanner uses read-only methods and never sends destructive payloads. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer data can be deleted on demand and is purged within 30 days of cancellation. The tool does not fix, patch, or block issues; it provides detection and remediation guidance. It does not perform active SQL injection or command injection testing, detect business logic flaws, or identify blind SSRF. It is not a replacement for a human pentester in high-stakes audits.
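One way to enforce the private-IP, localhost and metadata-endpoint blocking mentioned above, as an added example rather than middleBrick's code: the target's scheme and host are checked, every address the host resolves to must be public (IPv4-mapped IPv6 addresses are unwrapped first), and a name with even one internal record is rejected outright. DNS is replaced by a constructed lookup table; the resolver and the sample hostnames are assumptions.

```python
import ipaddress
from typing import Callable, Iterable, Tuple
from urllib.parse import urlsplit

# Ranges a scanner must never talk to, whichever layer the request reaches.
# 169.254.0.0/16 covers 169.254.169.254, the metadata address on AWS, GCP, Azure
# and others; fc00::/7 also covers fd00:ec2::254, the AWS IMDS IPv6 endpoint.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed stand-in for DNS so the check runs offline. A real scanner would
# call socket.getaddrinfo and feed every returned address through the same check.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "metadata.google.internal": ["169.254.169.254"],
    "dual.example.com": ["93.184.216.34", "10.0.0.5"],       # public + internal record
    "v6map.example.com": ["::ffff:169.254.169.254"],         # IPv4-mapped IPv6
}


def fake_resolve(host: str) -> list[str]:
    if host not in FAKE_DNS:
        raise LookupError(f"NXDOMAIN {host}")
    return FAKE_DNS[host]


def is_blocked_address(text: str) -> bool:
    addr = ipaddress.ip_address(text)
    mapped = getattr(addr, "ipv4_mapped", None)     # ::ffff:a.b.c.d hides an IPv4 target
    if mapped is not None:
        addr = mapped
    # Belt and braces: the explicit list plus the stdlib's own notion of "global".
    return (not addr.is_global) or any(addr in net for net in BLOCKED_NETWORKS)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_target(url: str, resolve: Callable[[str], Iterable[str]] = fake_resolve) -> Tuple[bool, str]:
    """Return (allowed, reason). The target is allowed only when the scheme is
    http(s), the host is not localhost, and EVERY address it resolves to is
    public: a name with one public and one internal record is rejected, since
    the client may connect to either."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname          # urlsplit lowercases it and strips [] from IPv6 literals
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost is never scanned"
    try:
        addresses = [host] if _is_ip_literal(host) else list(resolve(host))
    except Exception as exc:
        return False, f"could not resolve {host}: {exc}"
    if not addresses:
        return False, f"{host} has no addresses"
    for address in addresses:
        if is_blocked_address(address):
            return False, f"{host} -> {address} is not a public address"
    return True, "ok"


if __name__ == "__main__":
    for target in ("https://api.example.com/v1/users",
                   "http://169.254.169.254/latest/meta-data/",
                   "http://metadata.google.internal/computeMetadata/v1/",
                   "http://[::1]:8080/", "http://dual.example.com/",
                   "http://v6map.example.com/", "file:///etc/passwd"):
        print(f"{target:55} {check_target(target)}")
```

Resolving once in the check and again inside the HTTP client leaves a window for DNS rebinding: a real scanner should connect to the exact address that passed the check, and re-run the check on every redirect target rather than following redirects blindly.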