42Crunch for Internal APIs
What middleBrick covers
- Black-box scanning with under-one-minute results
- Risk score A–F with prioritized findings
- Coverage of OWASP API Top 10 (2023) and related mappings
- OpenAPI 3.x and Swagger 2.0 parsing with $ref resolution
- Authenticated scanning with header allowlist and domain verification
- Pro continuous monitoring with diff detection and webhook alerts
Black-box scanning for internal API environments
middleBrick is a self-service API security scanner designed for internal API coverage without requiring code access or agents. You submit a target URL and receive a risk score from A to F with prioritized findings in under a minute. The scanner uses only read-only methods (GET and HEAD), plus text-only POST requests for LLM probes, so it works with any language, framework, or cloud deployment.
Because it operates as a black-box scanner, it does not require instrumentation, SDKs, or build pipeline changes. This approach reduces friction in internal environments where build pipelines or runtime agents are restricted. The scanner validates surface-level security behaviors, exposing misconfigurations and risky exposures that are observable from the network path.
Detection scope aligned to major standards
middleBrick maps findings to three primary frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). Detection coverage includes authentication bypass, JWT misconfigurations such as alg=none or expired tokens, security header compliance, and WWW-Authenticate handling.
The scanner identifies BOLA and IDOR through sequential ID enumeration and active adjacent-ID probing, and detects BFLA and privilege escalation via admin endpoint probing and role/permission field leakage. Input validation checks include CORS wildcard configurations with and without credentials, dangerous HTTP methods, and debug endpoints. Data exposure detection covers PII patterns such as email addresses, Luhn-validated card numbers, and context-aware SSN formats, as well as API key formats including AWS, Stripe, GitHub, and Slack. Additional categories include encryption checks (HTTPS redirect, HSTS, and cookie flags), SSRF probes targeting URL-accepting parameters and internal IP detection, inventory management issues such as missing versioning and server fingerprinting, unsafe consumption surfaces, and LLM/AI security probes across multiple scan tiers.
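The data exposure checks above combine loose pattern matching with validation so that order references and tracking numbers are not reported as card numbers. The following is an added example of that approach, not middleBrick's own code: the regular expressions, the sensitive-field list and the sample response body are constructed for illustration (the card numbers are public test numbers and the AWS key is AWS's documented example key ID), and findings are redacted so the report itself does not re-expose the secret.

```python
import re

# Constructed sample API response (not real data). The card numbers are
# public test numbers, the AWS key is AWS's documented example key ID, and
# the Stripe-style key is made up to match the sk_live_ format.
SAMPLE_BODY = (
    '{"user":{"email":"jane.doe@example.com","card":"4242 4242 4242 4242"},'
    '"order_ref":"1234-5678-9012-3456",'
    '"config":{"aws_access_key_id":"AKIAIOSFODNN7EXAMPLE",'
    '"stripe":"sk_live_ABCDEFGHIJKLMNOPQRSTUVWX"}}'
)

# Candidate patterns (assumed for this example). The card pattern is
# deliberately loose: 13-19 digits with optional space or dash separators.
# The Luhn check below decides whether a candidate is reported.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "card_number": re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9a-zA-Z]{24}\b"),
}


def luhn_valid(number: str) -> bool:
    """Return True if the digits in `number` pass the Luhn checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(kind: str, value: str) -> str:
    """Keep just enough of the value to locate it in the response."""
    if kind == "email":
        local, _, domain = value.partition("@")
        return local[0] + "***@" + domain
    if kind == "card_number":
        digits = re.sub(r"\D", "", value)
        return "*" * (len(digits) - 4) + digits[-4:]
    return value[:8] + "..." + value[-4:]


def find_exposures(body: str) -> list:
    """Scan a response body and return (kind, redacted_value) findings.

    Card candidates that fail Luhn (order refs, tracking numbers) are
    dropped; everything else is reported in redacted form.
    """
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(body):
            value = match.group(0)
            if kind == "card_number" and not luhn_valid(value):
                continue
            findings.append((kind, redact(kind, value)))
    return findings


if __name__ == "__main__":
    for kind, shown in find_exposures(SAMPLE_BODY):
        print(f"{kind:18} {shown}")
```

Run against the constructed body, the 16-digit order reference is silently dropped because it fails Luhn, while the test card, the email address and both key formats are reported with only their last four characters visible.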
OpenAPI spec analysis and authenticated scanning
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. This comparison helps identify discrepancies between declared behavior and observed runtime behavior.
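The static side of that comparison (resolve the document's local `$ref` pointers, then walk each operation) can be shown with a small analyzer. This is an added example, not middleBrick's parser: the OpenAPI 3.0 document is constructed for illustration, the list of sensitive field names and pagination parameter names is an assumption, and only local (`#/...`) references are resolved. The resolver keeps cyclic references in place rather than recursing forever.

```python
# Constructed OpenAPI 3.0 document (not a real spec). It deliberately has a
# list endpoint with no pagination, a response exposing a sensitive field via
# $ref, an undefined security scheme, a deprecated operation and an
# unauthenticated operation.
SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "parameters": {"Page": {"name": "page", "in": "query", "schema": {"type": "integer"}}},
        "schemas": {
            "User": {"type": "object", "properties": {
                "id": {"type": "integer"}, "email": {"type": "string"},
                "password_hash": {"type": "string"}}},
            "UserList": {"type": "array", "items": {"$ref": "#/components/schemas/User"}},
        },
    },
    "paths": {
        "/users": {"get": {"responses": {"200": {"content": {"application/json": {
            "schema": {"$ref": "#/components/schemas/UserList"}}}}}}},
        "/audit": {"get": {"parameters": [{"$ref": "#/components/parameters/Page"}],
                           "responses": {"200": {"content": {"application/json": {
                               "schema": {"type": "array", "items": {"type": "string"}}}}}}}},
        "/admin/export": {"get": {"security": [{"adminKey": []}],
                                  "responses": {"200": {"description": "ok"}}}},
        "/v1/legacy": {"get": {"deprecated": True, "responses": {"200": {"description": "ok"}}}},
        "/health": {"get": {"security": [], "responses": {"200": {"description": "ok"}}}},
    },
}

# Assumed lists for this example; a real scanner would use much larger ones.
SENSITIVE_FIELDS = {"password", "password_hash", "ssn", "secret", "api_key", "token"}
PAGINATION_PARAMS = {"page", "limit", "offset", "cursor", "per_page"}
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}


def lookup_pointer(root, ref):
    """Resolve a local JSON pointer such as '#/components/schemas/User'."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local refs are supported: {ref}")
    node = root
    for part in ref[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node


def resolve_refs(node, root, seen=()):
    """Recursively inline $ref objects; a ref already on the current chain is a cycle and is left as-is."""
    if isinstance(node, dict):
        if "$ref" in node:
            ref = node["$ref"]
            if ref in seen:
                return node
            return resolve_refs(lookup_pointer(root, ref), root, seen + (ref,))
        return {k: resolve_refs(v, root, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(v, root, seen) for v in node]
    return node


def collect_property_names(schema, out=None):
    """Walk a resolved schema (objects, arrays, composition) and collect every property name."""
    out = set() if out is None else out
    if isinstance(schema, dict):
        for name, sub in schema.get("properties", {}).items():
            out.add(name)
            collect_property_names(sub, out)
        for key in ("items", "additionalProperties"):
            if isinstance(schema.get(key), dict):
                collect_property_names(schema[key], out)
        for key in ("allOf", "oneOf", "anyOf"):
            for sub in schema.get(key, []):
                collect_property_names(sub, out)
    return out


def analyze_spec(spec):
    """Return (path, method, issue) tuples for the static checks named above."""
    resolved = resolve_refs(spec, spec)
    defined_schemes = set(resolved.get("components", {}).get("securitySchemes", {}))
    findings = []
    for path, item in resolved.get("paths", {}).items():
        path_params = item.get("parameters", [])
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            # An operation-level "security" overrides the global one; [] means unauthenticated.
            security = op.get("security", resolved.get("security", []))
            if not security:
                findings.append((path, method, "operation has no security requirement"))
            for requirement in security:
                for scheme in requirement:
                    if scheme not in defined_schemes:
                        findings.append((path, method, f"undefined security scheme '{scheme}'"))
            if op.get("deprecated"):
                findings.append((path, method, "deprecated operation still exposed"))
            params = {p.get("name") for p in path_params + op.get("parameters", []) if isinstance(p, dict)}
            for response in op.get("responses", {}).values():
                for media in response.get("content", {}).values():
                    schema = media.get("schema", {})
                    for field in sorted(collect_property_names(schema) & SENSITIVE_FIELDS):
                        findings.append((path, method, f"response exposes sensitive field '{field}'"))
                    if schema.get("type") == "array" and method == "get" and not (params & PAGINATION_PARAMS):
                        findings.append((path, method, "list endpoint without pagination parameters"))
    return findings


if __name__ == "__main__":
    for path, method, issue in analyze_spec(SPEC):
        print(f"{method.upper():6} {path:15} {issue}")
```

On the constructed document this reports five issues and nothing for `/audit`, whose `page` parameter is only visible once the `$ref` to `components.parameters.Page` has been resolved; the runtime half of the comparison (whether the live endpoint actually enforces the declared scheme) is what the scanner's probes add on top.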
For authenticated scanning at the Starter tier and above, support includes Bearer, API key, Basic auth, and Cookie-based authentication. Domain verification is enforced through DNS TXT records or an HTTP well-known file to ensure only the domain owner can scan with credentials. A strict header allowlist limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-* headers, reducing noise and potential credential leakage during scans.
Continuous monitoring and integrations
The Pro tier enables scheduled rescans (every 6 hours, daily, weekly, or monthly) with diff detection across scans to surface new findings, resolved findings, and score drift. Email alerts are rate-limited to one per hour per API. Webhooks are signed with HMAC-SHA256 and are automatically disabled after 5 consecutive delivery failures to prevent alert storms.
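Both halves of that webhook design are worth seeing together: the receiver must verify the HMAC-SHA256 signature in constant time (and reject stale deliveries), and the sender must count consecutive failures and stop after the fifth. The code below is an added example, not middleBrick's implementation; the header names, the `timestamp.body` signing string, the replay window and the shared secret are all assumptions made for the example, and the constructed `transport` callables stand in for real HTTP calls so it runs offline.

```python
import hashlib
import hmac
import json
import time

# Constructed values for the example (not a real secret or wire format).
SHARED_SECRET = b"whsec_example_secret_do_not_use"
MAX_CONSECUTIVE_FAILURES = 5   # auto-disable threshold described on the page
TOLERANCE_SECONDS = 300        # assumed replay window for the receiver


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<body>' so the timestamp is covered too."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256)
    return mac.hexdigest()


def build_delivery(secret: bytes, body: bytes, now=None) -> dict:
    """Sender side: headers that accompany the webhook POST body."""
    ts = int(now if now is not None else time.time())
    return {"X-Webhook-Timestamp": str(ts),
            "X-Webhook-Signature": "sha256=" + sign(secret, ts, body)}


def verify_delivery(secret: bytes, headers: dict, body: bytes, now=None) -> bool:
    """Receiver side: timestamp window plus constant-time signature comparison."""
    try:
        ts = int(headers["X-Webhook-Timestamp"])
        provided = headers["X-Webhook-Signature"]
    except (KeyError, ValueError):
        return False
    now = now if now is not None else time.time()
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False  # stale or future-dated: treat as a possible replay
    expected = "sha256=" + sign(secret, ts, body)
    return hmac.compare_digest(expected, provided)


class WebhookEndpoint:
    """Sender-side delivery state: disables the hook after N consecutive failures."""

    def __init__(self, url: str, secret: bytes):
        self.url, self.secret = url, secret
        self.consecutive_failures = 0
        self.disabled = False

    def deliver(self, body: bytes, transport, now=None) -> bool:
        """transport(url, headers, body) -> HTTP status code; True on a 2xx."""
        if self.disabled:
            return False
        headers = build_delivery(self.secret, body, now)
        try:
            ok = 200 <= transport(self.url, headers, body) < 300
        except OSError:  # connection refused, timeout, DNS failure
            ok = False
        if ok:
            self.consecutive_failures = 0  # any success resets the streak
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
                self.disabled = True
        return ok


if __name__ == "__main__":
    # Constructed alert payload and a receiver that verifies before accepting.
    payload = json.dumps({"api": "https://api.example.com", "score": "B", "new_findings": 2}).encode()

    def receiver(url, headers, body):
        return 200 if verify_delivery(SHARED_SECRET, headers, body) else 401

    hook = WebhookEndpoint("https://hooks.example.com/middlebrick", SHARED_SECRET)
    print("delivered:", hook.deliver(payload, receiver))
    print("tampered body accepted:", verify_delivery(SHARED_SECRET, build_delivery(SHARED_SECRET, payload), payload + b" "))
```

A receiver that skips `compare_digest` or ignores the timestamp is the usual weak point: the former leaks signature bytes through timing, the latter lets an old, validly signed alert be re-sent at will.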
Integration options include:
- Web Dashboard: scanning, report viewing, and score-trend tracking, with downloadable branded compliance PDFs
- CLI: the middlebrick npm package, run as middlebrick scan <url>, with JSON or text output
- GitHub Action: gates CI/CD builds when the score drops below a threshold
- MCP Server: scanning from AI coding assistants such as Claude and Cursor
- Programmable API: for custom integrations
Limitations and safety posture
middleBrick is a scanner that detects and reports with remediation guidance; it does not fix, patch, block, or remediate. It does not perform active SQL injection or command injection testing, since that would require intrusive payloads outside its scope, and it does not detect business logic vulnerabilities that require domain-specific human analysis. Blind SSRF and other out-of-band infrastructure issues are also out of scope.
The scanner follows a safety-first approach: it uses read-only methods only and never sends destructive payloads. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data can be deleted on demand, is purged within 30 days of cancellation, and is never sold or used for model training.