42Crunch for DevSecOps engineers
What middleBrick covers
- Black-box API scans that complete in under one minute
- Risk score A–F with prioritized findings
- 12 detection categories aligned with the OWASP API Top 10 (2023)
- Authenticated scanning with header allowlist controls
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
- CI/CD integrations and continuous monitoring options
API Security Scanning for DevSecOps Workflows
This scanner is a self-service API security assessment platform. Provide a target URL and receive a risk score from A to F with prioritized findings. The scan completes in under a minute and uses only read-only methods (GET and HEAD), plus text-only POST requests for the LLM probes. It operates as a black-box tool, requiring no agents, SDKs, or code access, and supports any language, framework, or cloud environment.
Detection Coverage and OWASP Mapping
The scanner covers 12 security categories aligned with the OWASP API Top 10 (2023). It detects authentication bypasses and JWT misconfigurations such as alg=none, HS256 usage, expired tokens, missing claims, and sensitive data in claims. It identifies Broken Object Level Authorization (BOLA) and Insecure Direct Object References (IDOR) through sequential ID enumeration and active adjacent-ID probing. Broken Function Level Authorization (BFLA) and privilege escalation are surfaced through admin endpoint probing and role/permission field leakage. Further categories include:
- Property over-exposure and internal field leakage
- Input validation issues including dangerous HTTP methods, CORS wildcard usage with credentials, and debug endpoints
- Rate limiting misconfigurations, oversized responses, and unpaginated arrays
- Data exposure including PII patterns, API key formats, and error/stack-trace leakage
- SSRF indicators in URL-accepting parameters and body fields
- LLM/AI security probes across Quick, Standard, and Deep scan tiers
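The passive part of these checks can be shown on a single captured response. The following is an added example and not middleBrick's code: it decodes (without verifying) any JWT found in the body or headers and flags alg=none, HS256, a missing or past exp claim and sensitive claim names, and it checks the same response for a CORS wildcard combined with credentials and for stack-trace leakage. The finding identifiers, the sensitive-claim list and the sample response are constructed for the example; a real scanner would feed it the responses of its read-only requests.

```javascript
// Added example, not middleBrick's code: a passive classifier that turns one
// captured HTTP response into findings of the kinds listed above. The finding
// identifiers, helper names and the sample response are all constructed here.

const SENSITIVE_CLAIMS = new Set(['password', 'secret', 'ssn']); // constructed list
const JWT_RE = /[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]*/g; // signature part may be empty

function b64url(str) {
  return Buffer.from(str, 'utf8').toString('base64url');
}

function b64urlDecode(str) {
  return Buffer.from(str, 'base64url').toString('utf8');
}

// Decode (never verify) a JWT seen in a response and flag what its header and
// claims reveal. nowSec is the current time as a UNIX timestamp.
function inspectJwt(token, nowSec) {
  const findings = [];
  const [h, p] = token.split('.');
  let header;
  let payload;
  try {
    header = JSON.parse(b64urlDecode(h));
    payload = JSON.parse(b64urlDecode(p));
  } catch {
    return findings; // looked like a JWT but does not decode: ignore it
  }
  if (!header || typeof header !== 'object' || !payload || typeof payload !== 'object') return findings;
  const alg = String(header.alg || '').toLowerCase();
  if (alg === 'none') findings.push('jwt-alg-none');
  else if (alg === 'hs256') findings.push('jwt-hs256'); // listed on the page as a weakness
  if (typeof payload.exp !== 'number') findings.push('jwt-missing-exp');
  else if (payload.exp < nowSec) findings.push('jwt-expired');
  for (const claim of Object.keys(payload)) {
    if (SENSITIVE_CLAIMS.has(claim.toLowerCase())) findings.push(`jwt-sensitive-claim:${claim}`);
  }
  return findings;
}

// Checks that need nothing beyond the one response already received.
// resp.headers is expected with lower-case header names.
function analyzeResponse(resp, nowSec) {
  const findings = [];
  const hdr = (name) => String(resp.headers[name] || '').trim();
  if (hdr('access-control-allow-origin') === '*' &&
      hdr('access-control-allow-credentials').toLowerCase() === 'true') {
    findings.push('cors-wildcard-with-credentials');
  }
  // Python tracebacks and V8-style "at fn (file:line:col)" frames
  if (/Traceback \(most recent call last\)|\bat \S+ \([^)]*:\d+:\d+\)/.test(resp.body)) {
    findings.push('stack-trace-leak');
  }
  const haystack = [resp.body, hdr('authorization'), hdr('set-cookie')].join(' ');
  for (const token of haystack.match(JWT_RE) || []) {
    findings.push(...inspectJwt(token, nowSec));
  }
  return findings;
}

// Constructed sample: a 500 response that commits several issues at once.
function sampleResponse() {
  const token = `${b64url(JSON.stringify({ alg: 'none', typ: 'JWT' }))}.` +
    `${b64url(JSON.stringify({ sub: 'user-42', exp: 1700000000, password: 'hunter2' }))}.`;
  return {
    status: 500,
    headers: {
      'content-type': 'application/json',
      'access-control-allow-origin': '*',
      'access-control-allow-credentials': 'true',
    },
    body: JSON.stringify({
      token,
      error: 'TypeError: x is undefined\n    at handler (/srv/app/routes.js:42:13)',
    }),
  };
}

console.log(analyzeResponse(sampleResponse(), 1800000000));
```

The sample yields five findings: the CORS pair, the leaked stack frame, and three JWT findings (alg=none, an expired exp, and a password claim). Everything is derived from one response, which is why these checks fit a read-only scan.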
OpenAPI specifications in versions 3.0, 3.1, and Swagger 2.0 are parsed with recursive $ref resolution, and spec findings are cross-referenced against runtime behavior to identify undefined security schemes and deprecated operations.
Authenticated Scanning and Safety Controls
Authenticated scanning is available from the Starter tier onward and supports Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through DNS TXT records or an HTTP well-known file, so only the domain owner can submit credentials. The scanner forwards only an allowlist of headers: Authorization, X-API-Key, Cookie, and X-Custom-* headers.
The scanner maintains a strict safety posture. It uses read-only methods exclusively (with the text-only POST exception noted above for LLM probes) and blocks private IPs, localhost, and cloud metadata endpoints at multiple layers. Customer data can be deleted on demand and is purged within 30 days of cancellation. The tool is designed to detect issues, not to fix, patch, or block them.
Integration Options and Continuous Monitoring
The platform provides multiple integration paths for DevSecOps teams. The web dashboard centralizes scans, report viewing, score trend tracking, and downloadable compliance PDFs. The CLI, distributed as an npm package, supports commands such as middlebrick scan <url> with JSON or text output.
For CI/CD pipelines, the GitHub Action can enforce quality gates and fail builds when scores drop below defined thresholds. The MCP Server enables scanning from AI coding assistants such as Claude and Cursor. Programmatic access is available via an API client for custom integrations.
The Pro tier includes continuous monitoring with scheduled rescans every 6 hours, daily, weekly, or monthly. It provides diff detection between consecutive scans, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that are automatically disabled after 5 consecutive delivery failures.
Compliance Alignment and Limitations
Findings map directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023), supporting audit evidence for these frameworks. For other regulations, the scanner aligns with security controls described in relevant standards and helps you prepare audit documentation.
Note that the tool does not perform active SQL injection or command injection testing, as those require intrusive payloads outside its scope. It does not detect business logic vulnerabilities or blind SSRF, and it does not replace a human pentester for high-stakes audits. The scanner reports findings with remediation guidance but does not fix, patch, block, or remediate issues directly.