42Crunch for Education

What middleBrick covers

  • Black-box scanning with read-only methods under one minute
  • Detection aligned to OWASP API Top 10 (2023) categories
  • OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
  • Authenticated testing with strict header allowlists
  • Continuous monitoring and diff detection in Pro tier
  • Programmatic access and CI/CD integrations

Black-box API Security Scanning

This is a self-service API security scanner that operates as a black box. You submit a target URL and receive a risk score from A to F along with prioritized findings. The scanner sends only read-only requests (GET and HEAD); the one exception is a text-only POST used for LLM probes. A scan typically completes in under one minute and needs no agent, source access, or SDK integration, so any language, framework, or cloud environment is supported without instrumentation.

Detection Coverage and OWASP Alignment

The scanner covers 12 security categories aligned to the OWASP API Top 10 (2023):

  • Authentication: bypass checks and JWT misconfigurations such as alg=none, weak algorithms, expired tokens, missing claims, and sensitive data carried in claims
  • BOLA/IDOR: sequential ID enumeration and active probing of adjacent IDs
  • BFLA: admin endpoint probing and privilege escalation indicators
  • Property over-exposure and mass-assignment risks
  • Input controls: CORS misconfigurations and dangerous HTTP methods
  • Resource consumption: rate-limiting behavior and oversized responses
  • Data exposure: PII patterns, Luhn-validated card numbers, context-aware SSN detection, API key format recognition, and error or stack-trace leakage
  • Encryption: HTTPS redirects, HSTS presence, and cookie flags
  • SSRF: probes against URL-accepting parameters and internal IP detection
  • Inventory: missing versioning and legacy paths
  • Unsafe consumption: excessive third-party URLs and webhook surfaces
  • LLM security: 18 adversarial probes across Quick, Standard, and Deep tiers, covering system prompt extraction, jailbreak techniques, data exfiltration, and token smuggling
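As an added example (not code from middleBrick or from this page), the block below shows how three of the checks listed above can be implemented in the passive, read-only style the scanner describes: Luhn-validated card numbers and context-aware SSN detection over a response body, HSTS and cookie-flag checks over response headers, and JWT inspection for alg=none, expiry and sensitive claim names. The sample response and token are constructed here; the regexes, the 30-character SSN context window and the sensitive-claim list are this example's assumptions, not the product's rules.

```python
import base64
import json
import re
import time
from typing import Dict, List, Optional

# Constructed sample response (not captured from any real API): a cookie without
# flags, no HSTS header, and a body mixing a Luhn-valid PAN with look-alike noise.
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "Set-Cookie": "session=abc123; Path=/",
}
SAMPLE_BODY = (
    '{"customer": {"card": "4111 1111 1111 1111", "alt": "4111111111111112", '
    '"ssn": "123-45-6789", "ref": "2024-01-15"}}'
)

PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")      # 13-19 digits, spaces/dashes allowed
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
SSN_CONTEXT_RE = re.compile(r"ssn|social", re.I)        # assumed context keywords


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, fold >9, sum mod 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_response(headers: Dict[str, str], body: str) -> List[dict]:
    """Data-exposure and transport checks over one response; returns masked findings."""
    findings = []
    for m in PAN_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):  # digit runs that fail Luhn are ignored to cut false positives
            masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
            findings.append({"check": "card-number", "detail": masked})
    for m in SSN_RE.finditer(body):
        # Context-aware: only report when a label like "ssn" appears shortly before the match.
        if SSN_CONTEXT_RE.search(body[max(0, m.start() - 30):m.start()]):
            findings.append({"check": "ssn", "detail": "***-**-" + m.group()[-4:]})
    lower = {k.lower(): v for k, v in headers.items()}
    if "strict-transport-security" not in lower:
        findings.append({"check": "hsts-missing", "detail": "no Strict-Transport-Security header"})
    cookie = lower.get("set-cookie", "")
    if cookie:
        missing = [f for f in ("Secure", "HttpOnly") if f.lower() not in cookie.lower()]
        if missing:
            findings.append({"check": "cookie-flags", "detail": "missing " + ", ".join(missing)})
    return findings


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def inspect_jwt(token: str, now: Optional[float] = None) -> List[str]:
    """Flag alg=none / unsigned tokens, missing or past exp, and sensitive claim names."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed token"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return ["undecodable header or payload"]
    issues = []
    if str(header.get("alg", "")).lower() == "none" or parts[2] == "":
        issues.append("alg=none or empty signature")
    exp = payload.get("exp")
    if exp is None:
        issues.append("missing exp claim")
    elif exp < (time.time() if now is None else now):
        issues.append("expired token")
    sensitive = [c for c in payload if re.search(r"password|ssn|card|secret", c, re.I)]
    if sensitive:
        issues.append("sensitive data in claims: " + ", ".join(sensitive))
    return issues


# Constructed unsigned token: {"alg":"none"} header, long-expired exp, a card claim.
SAMPLE_JWT = (
    _b64url_encode({"alg": "none", "typ": "JWT"}) + "."
    + _b64url_encode({"sub": "42", "exp": 1000, "card": "4111111111111111"}) + "."
)

if __name__ == "__main__":
    for f in scan_response(SAMPLE_HEADERS, SAMPLE_BODY):
        print(f)
    print(inspect_jwt(SAMPLE_JWT))
```

Findings carry only masked values, which matters when scan output is stored or emailed: a scanner that repeats the full card number in its own report has created a second exposure.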

OpenAPI Specification Analysis

The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references the specification definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. This approach helps identify discrepancies between documented and actual behavior without requiring access to source code or build artifacts.
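To make the specification side concrete, here is an added example (not middleBrick's code) of recursive local $ref resolution with a cycle guard, followed by the kind of cross-checks the paragraph lists: operations that declare no security requirement or reference a security scheme that components.securitySchemes never defines, deprecated operations, array responses on GET without a pagination parameter, and sensitive property names reachable through the resolved schema. The OpenAPI fragment is constructed, and the pagination parameter names and sensitive-name regex are this example's heuristics.

```python
import re
from typing import Any, List, Tuple


def _ok(schema: dict) -> dict:
    """200 response with a JSON body of the given schema (keeps the sample short)."""
    return {"200": {"content": {"application/json": {"schema": schema}}}}


# Constructed OpenAPI 3.0 fragment (not a real service): a cyclic User schema, an
# unauthenticated list endpoint, a reference to an undeclared security scheme, and a
# deprecated legacy path that does paginate.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "paths": {
        "/users": {"get": {
            "responses": _ok({"type": "array", "items": {"$ref": "#/components/schemas/User"}})}},
        "/users/{id}": {"get": {
            "parameters": [{"name": "id", "in": "path", "required": True, "schema": {"type": "string"}}],
            "security": [{"legacyKey": []}],          # never defined in components
            "responses": _ok({"$ref": "#/components/schemas/User"})}},
        "/v1/orders": {"get": {
            "deprecated": True,
            "security": [{"bearer": []}],
            "parameters": [{"name": "limit", "in": "query", "schema": {"type": "integer"}}],
            "responses": _ok({"type": "array", "items": {"$ref": "#/components/schemas/Order"}})}},
    },
    "components": {
        "securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "User": {"type": "object", "properties": {
                "id": {"type": "string"},
                "ssn": {"type": "string"},
                "manager": {"$ref": "#/components/schemas/User"}}},   # self-reference
            "Order": {"type": "object", "properties": {
                "id": {"type": "string"},
                "owner": {"$ref": "#/components/schemas/User"}}},
        },
    },
}

PAGINATION_PARAMS = {"limit", "offset", "page", "cursor", "page_size", "per_page"}  # assumed
SENSITIVE_NAME = re.compile(r"ssn|password|secret|card|token", re.I)                # assumed


def _lookup(root: dict, ref: str) -> Any:
    """Follow a local JSON pointer such as #/components/schemas/User."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local refs are supported: {ref}")
    node = root
    for part in ref[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node


def resolve_refs(node: Any, root: dict, stack: Tuple[str, ...] = ()) -> Any:
    """Inline every local $ref recursively; a ref already on the current path becomes a marked stub."""
    if isinstance(node, dict):
        ref = node.get("$ref")
        if isinstance(ref, str):
            if ref in stack:
                return {"$ref": ref, "x-circular": True}
            return resolve_refs(_lookup(root, ref), root, stack + (ref,))
        return {k: resolve_refs(v, root, stack) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(v, root, stack) for v in node]
    return node


def _sensitive_fields(schema: Any, prefix: str = "") -> List[str]:
    """Dotted paths of sensitively named properties in an already-resolved schema."""
    found: List[str] = []
    if not isinstance(schema, dict):
        return found
    for name, sub in (schema.get("properties") or {}).items():
        path = f"{prefix}.{name}" if prefix else name
        if SENSITIVE_NAME.search(name):
            found.append(path)
        found += _sensitive_fields(sub, path)
    if "items" in schema:
        found += _sensitive_fields(schema["items"], prefix + "[]")
    return found


def analyze(spec: dict) -> List[dict]:
    resolved = resolve_refs(spec, spec)
    defined = set((resolved.get("components") or {}).get("securitySchemes") or {})
    global_security = resolved.get("security")
    findings: List[dict] = []
    for path, item in (resolved.get("paths") or {}).items():
        path_params = item.get("parameters") or []
        for method in ("get", "post", "put", "patch", "delete"):
            op = item.get(method)
            if not op:
                continue
            where = f"{method.upper()} {path}"
            security = op.get("security", global_security)   # op-level overrides global; [] means none
            if not security:
                findings.append({"check": "no-auth", "op": where, "detail": "no security requirement"})
            for requirement in security or []:
                for scheme in requirement:
                    if scheme not in defined:
                        findings.append({"check": "undefined-security-scheme", "op": where, "detail": scheme})
            if op.get("deprecated"):
                findings.append({"check": "deprecated", "op": where, "detail": "operation marked deprecated"})
            params = {p.get("name") for p in path_params + (op.get("parameters") or [])}
            for media in ((op.get("responses") or {}).get("200") or {}).get("content", {}).values():
                schema = media.get("schema") or {}
                if method == "get" and schema.get("type") == "array" and not (params & PAGINATION_PARAMS):
                    findings.append({"check": "missing-pagination", "op": where, "detail": "array response, no paging param"})
                for field in _sensitive_fields(schema):
                    findings.append({"check": "sensitive-field", "op": where, "detail": field})
    return findings
```

The cycle guard is the part worth copying: a naive resolver that inlines `User.manager -> User` recurses until the stack overflows, and a hostile or merely sloppy spec uploaded to a scanner is exactly where that happens. Keying the guard on the current path (rather than a global seen-set) still lets two siblings reference the same schema.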

Authenticated Scanning and Safety Controls

Authenticated scanning is available from the Starter tier onward and supports Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through DNS TXT records or HTTP well-known files, so only the domain owner can scan a target with credentials. A strict header allowlist limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-* headers; anything else supplied with the scan is dropped. Safety controls restrict scans to read-only methods, block destructive payloads, and exclude private IP ranges, localhost, and cloud metadata endpoints at multiple layers, which keeps a scan from being turned into an SSRF pivot against the scanner's own network. Customer scan data is deletable on demand and purged within 30 days of cancellation, and it is never used for model training.
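The two controls a practitioner would want to see side by side are the header allowlist and the target exclusion, because the second is what stops an attacker who controls a "target" hostname from pointing an authenticated scanner at 169.254.169.254 or a neighbour on 10.0.0.0/8. The following is an added example (not middleBrick's implementation) that filters headers to the allowlist quoted above, rejects private, loopback, link-local and IPv4-mapped addresses after resolving every A/AAAA record, refuses unsafe methods, and returns a pinned IP for the HTTP client to connect to so a DNS answer cannot change between check and use. The blocked hostname aliases, the constructed FAKE_DNS table and the injectable resolver are this example's assumptions.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional
from urllib.parse import urlsplit

# Allowlist as stated on the page: Authorization, X-API-Key, Cookie and X-Custom-* only.
ALLOWED_HEADERS = {"authorization", "x-api-key", "cookie"}
ALLOWED_HEADER_PREFIX = "x-custom-"
SAFE_METHODS = {"GET", "HEAD"}
# Rejected before DNS is consulted; the metadata aliases are assumed, not from the page.
BLOCKED_HOSTNAMES = {"localhost", "metadata", "metadata.google.internal", "instance-data"}

Resolver = Callable[[str], Iterable[str]]

# Constructed DNS table so the example runs offline; 93.184.216.34 is a public address,
# the other entries model a split public/private answer and a metadata pointer.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "mixed.example.com": ["93.184.216.34", "10.0.0.5"],
    "meta.example.com": ["169.254.169.254"],
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def _system_resolver(host: str) -> List[str]:
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked_ip(ip: str) -> bool:
    """True for loopback, RFC 1918, link-local (incl. 169.254.169.254), CGNAT, multicast
    and the IPv4-mapped IPv6 forms of those (::ffff:127.0.0.1 is judged as 127.0.0.1)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not addr.is_global or addr.is_multicast


def filter_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Forward only allowlisted credential headers; Host, X-Forwarded-For etc. are dropped."""
    return {n: v for n, v in headers.items()
            if n.lower() in ALLOWED_HEADERS or n.lower().startswith(ALLOWED_HEADER_PREFIX)}


def validate_target(url: str, resolver: Optional[Resolver] = None) -> List[str]:
    """Return the permitted IPs the target resolves to, or raise ValueError.
    Every resolved address is checked, so a name mixing public and private records is rejected."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError("missing host")
    if host in BLOCKED_HOSTNAMES or host.endswith((".localhost", ".internal")):
        raise ValueError(f"blocked hostname: {host}")
    try:
        ips = [str(ipaddress.ip_address(host))]          # literal IPv4/IPv6 target
    except ValueError:
        ips = list((resolver or _system_resolver)(host))  # also catches decimal/octal forms via DNS
    if not ips:
        raise ValueError(f"unresolvable host: {host}")
    blocked = [ip for ip in ips if is_blocked_ip(ip)]
    if blocked:
        raise ValueError(f"{host} resolves to blocked address(es): {', '.join(blocked)}")
    return ips


def build_scan_request(method: str, url: str, headers: Dict[str, str],
                       resolver: Optional[Resolver] = None) -> dict:
    """Combine method, target and header controls; pinned_ip is what the client should connect to."""
    if method.upper() not in SAFE_METHODS:
        raise ValueError(f"method {method} is not read-only")
    ips = validate_target(url, resolver)
    return {"method": method.upper(), "url": url, "headers": filter_headers(headers), "pinned_ip": ips[0]}


def is_permitted(url: str, resolver: Optional[Resolver] = None, method: str = "GET") -> bool:
    """Boolean wrapper around build_scan_request for quick policy checks."""
    try:
        build_scan_request(method, url, {}, resolver)
        return True
    except ValueError:
        return False
```

The pinned IP matters as much as the check itself: validating a hostname and then handing the hostname to an HTTP client re-resolves it, and a short-TTL record can answer 93.184.216.34 to the validator and 169.254.169.254 to the request.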

Product Integrations and Pricing

The Web Dashboard provides centralized scan management, report viewing, score trend tracking, and downloadable compliance PDFs. The CLI, distributed as an npm package, exposes commands such as middlebrick scan with JSON or text output. A GitHub Action gates CI/CD, failing the build when a score drops below a defined threshold. An MCP Server allows scanning from AI coding assistants, and a programmatic API supports custom integrations.

Continuous monitoring in the Pro tier offers scheduled rescans every six hours, daily, weekly, or monthly, with diff detection for new and resolved findings. Email alerts are rate-limited to one per hour per API. Webhooks are signed with HMAC-SHA256 and are automatically disabled after five consecutive delivery failures, so a receiver should verify the signature and acknowledge deliveries reliably to stay subscribed.

Pricing tiers: a free plan with three monthly scans and CLI access; Starter at 99 USD per month for 15 APIs; Pro at 499 USD per month for 100 APIs with continuous monitoring and CI/CD integration; and Enterprise at 2000 USD per month for unlimited APIs and dedicated support.
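Because the page says webhooks are HMAC-SHA256 signed but does not document the header names or signing input, the following is an added example of both sides of such a scheme, written for this page rather than taken from middleBrick: a sender that signs "<timestamp>.<body>" and disables itself after five consecutive non-2xx results, and a receiver that verifies in constant time and rejects stale timestamps to block replay. The header names X-Webhook-Timestamp and X-Webhook-Signature, the 300-second tolerance and the sample event are this example's assumptions.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

TOLERANCE_SECONDS = 300          # assumed replay window
MAX_CONSECUTIVE_FAILURES = 5     # as stated on the page


def sign_payload(secret: bytes, body: bytes, timestamp: int) -> str:
    """HMAC-SHA256 over "<timestamp>.<body>" so the timestamp is covered by the MAC."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256)
    return "sha256=" + mac.hexdigest()


def verify_webhook(secret: bytes, body: bytes, headers: Dict[str, str],
                   now: Optional[float] = None) -> bool:
    """Receiver side: reject malformed or stale timestamps, then compare MACs in constant time."""
    ts = headers.get("X-Webhook-Timestamp", "")
    sig = headers.get("X-Webhook-Signature", "")
    if not ts.isdigit():
        return False
    current = time.time() if now is None else now
    if abs(current - int(ts)) > TOLERANCE_SECONDS:
        return False  # stale delivery or replay of a captured one
    expected = sign_payload(secret, body, int(ts))
    # compare_digest on bytes avoids both timing leaks and TypeError on non-ASCII header values
    return hmac.compare_digest(expected.encode(), sig.encode())


class WebhookEndpoint:
    """Sender side: signs deliveries and auto-disables after repeated failures."""

    def __init__(self, url: str, secret: bytes):
        self.url = url
        self.secret = secret
        self.consecutive_failures = 0
        self.enabled = True

    def build_delivery(self, event: dict, now: Optional[float] = None) -> Tuple[Dict[str, str], bytes]:
        ts = int(time.time() if now is None else now)
        # Canonical JSON so the bytes that are signed are the bytes that are sent.
        body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
        headers = {
            "Content-Type": "application/json",
            "X-Webhook-Timestamp": str(ts),
            "X-Webhook-Signature": sign_payload(self.secret, body, ts),
        }
        return headers, body

    def record_result(self, status_code: int) -> bool:
        """Any 2xx resets the counter; the fifth consecutive failure disables the endpoint."""
        if 200 <= status_code < 300:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
                self.enabled = False
        return self.enabled


if __name__ == "__main__":
    ep = WebhookEndpoint("https://hooks.example.com/middlebrick", b"s3cret")   # constructed
    hdrs, raw = ep.build_delivery({"event": "finding.new", "api": "https://api.example.com"})
    print(verify_webhook(b"s3cret", raw, hdrs))
```

Verify against the raw request body, not a re-serialized parse of it: any framework that parses JSON before handing it to the handler can reorder keys or change whitespace, and the MAC will never match.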

Frequently Asked Questions

Does this scanner perform active exploitation such as SQL injection or command injection?
No. The scanner focuses on detection and reporting using read-only methods and does not perform active SQL injection or command injection testing.
Can the scanner detect business logic vulnerabilities?
No. Business logic vulnerabilities require domain context and manual analysis; the tool surfaces findings relevant to common technical controls but does not replace human review.
Is the tool capable of compliance certification?
The scanner helps you prepare for assessments aligned with security controls described in frameworks such as PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10. It is not an auditor and cannot certify compliance.
How are customer scan results handled after cancellation?
Customer scan data is deletable on demand and purged within 30 days of cancellation. The data is never sold and is not used for model training.