42Crunch for E-Commerce

E-commerce APIs expose payment flows, customer data, and inventory state. Attackers target authentication bypass, data exposure, and privilege escalation to influence pricing, inventory, or account takeovers. middleBrick maps findings to OWASP API Top 10 (2023) and supports audit evidence for PCI-DSS 4.0 and SOC 2 Type II by surfacing misconfigurations relevant to these frameworks.

middleBrick performs black-box scanning with no agents, SDKs, or code access. It sends read-only methods (GET and HEAD) and text-only POST for LLM probes, completing scans in under a minute. The scanner checks authentication, BOLA / IDOR, BFLA / Privilege Escalation, Property Authorization, Input Validation, Rate Limiting & Resource Consumption, Data Exposure, Encryption, SSRF, Inventory Management, Unsafe Consumption, and LLM / AI Security. Sensitive operations such as SQL injection or command injection are out of scope, and destructive payloads are never sent.

The tool parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, cross-referencing spec definitions against runtime findings. Authenticated scanning supports Bearer, API key, Basic auth, and Cookie, gated by domain verification so only domain owners can scan with credentials. Header allowlist limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-*, ensuring controlled credential use while helping you prepare for security control validation aligned with compliance activities.

Pro tier enables scheduled rescans every 6 hours, daily, weekly, or monthly, with diff detection for new findings, resolved findings, and score drift. Email alerts are rate-limited to 1 per hour per API, and HMAC-SHA256 signed webhooks auto-disable after 5 consecutive failures. Integrations include a CLI (middlebrick scan <url>), GitHub Action CI/CD gates, MCP Server for AI coding assistants, and a web dashboard for tracking score trends and downloading compliance PDFs. This setup supports audit evidence generation and aligns with security controls described in relevant standards.

middleBrick does not fix, patch, block, or remediate findings; it detects and reports with remediation guidance. It does not detect business logic vulnerabilities, blind SSRF (out-of-band infrastructure is out of scope), or replace a human pentester for high-stakes audits. The scanner avoids private IPs, localhost, and cloud metadata endpoints across three layers, and customer data is deletable on demand, purged within 30 days of cancellation, never sold, and never used for model training.