42Crunch for LLM agent tool endpoints

LLM agent workflows often expose internal and external tool endpoints to model-generated requests. These endpoints can include code execution, file system operations, database queries, and third-party actions. The risk surface arises when prompts or tool outputs are not strictly validated, potentially allowing prompt injection, unauthorized tool selection, or data leakage. Tool endpoints must enforce strict input validation, authentication, and authorization, because models may generate arguments that were not intended for production use.

middleBrick maps findings directly to OWASP API Top 10 (2023), which covers common misconfigurations that affect LLM agent tool endpoints, such as improper authentication and excessive data exposure. The scanner also surfaces findings relevant to security controls described in SOC 2 Type II and helps you prepare for PCI-DSS 4.0 requirements related to access control and logging. By analyzing your API definitions and runtime behavior, it identifies authentication bypass risks, sensitive parameter leakage, and unsafe HTTP methods that could be exploited in agent tool chains.

Using read-only methods (GET, HEAD, and text-only POST), middleBrick probes LLM agent tool endpoints for common vulnerabilities without sending destructive payloads. It checks for authentication weaknesses, including JWT misconfigurations and missing security headers, and detects BOLA-style ID manipulation that could allow agents to access other users’ tool data. The scanner also identifies input validation gaps such as CORS wildcard usage, dangerous HTTP methods, and debug endpoints that could be leveraged for prompt injection or tool manipulation.

For LLM-specific risks, the scanner runs 18 adversarial probes across three scan tiers, focusing on system prompt extraction, instruction override attempts, jailbreak techniques, and data exfiltration paths. These probes assess how endpoints respond to encoded, translated, or poisoned inputs, including base64/ROT13 bypasses, few-shot poisoning, and token smuggling attempts that could mislead agent tool selection or argument parsing.

OpenAPI analysis helps contextualize these findings by cross-referencing spec definitions against runtime behavior, highlighting undefined security schemes, deprecated operations, and missing pagination that can affect agent reliability.

middleBrick is a scanner that detects and reports; it does not fix, patch, or block. It does not perform active SQL injection or command injection testing, as those require intrusive payloads outside the intended scope for LLM agent tool endpoints. The scanner does not detect business logic vulnerabilities, which require domain-specific understanding of how agents select and invoke tools. It also does not assess blind SSRF or replace a human pentester for high-stakes audits. If your workflow depends on strict guarantees, treat scanner output as one layer of review within a broader security program.

For LLM agent tool endpoints that require authentication, use the Starter tier or higher to submit Bearer tokens, API keys, Basic auth, or cookies. Domain verification is enforced through DNS TXT records or an HTTP well-known file to ensure only the domain owner can scan with credentials. The scanner forwards a restricted set of headers, including Authorization and X-API-Key, to reduce noise. You can integrate scans via the CLI with JSON output for automation, or through the web dashboard to track score trends and download compliance reports.

Example CLI usage for a protected endpoint:

middlebrick scan https://api.example.com/v1/tools

Use cases include validating tool endpoint hygiene before agent deployment and detecting accidental exposure of internal tool interfaces.