42Crunch for LLM chat endpoints
What middleBrick covers
- 18 adversarial LLM probes across Quick, Standard, and Deep tiers
- Read-only input validation without active exploitation
- OpenAPI 3.0/3.1 and Swagger 2.0 cross-reference analysis
- Authenticated scans with Bearer, API key, Basic, and Cookie support
- Findings mapped to OWASP API Top 10 (2023), SOC 2 Type II, and PCI-DSS 4.0
- Continuous monitoring with diff detection and HMAC-SHA256 webhooks
LLM Chat Endpoint Security Overview
LLM chat endpoints expose conversational interfaces that accept free-form input and return generated text. These surfaces can inadvertently leak system instructions, reveal tool usage patterns, and enable prompt manipulation if left unchecked. middleBrick scans these endpoints using only read-only text-based probes, avoiding any runtime state changes.
Coverage of LLM Adversarial Techniques
The scanner executes 18 adversarial probes across three scan tiers to evaluate LLM chat robustness. Quick runs validate basic prompt boundary adherence, Standard checks for instruction override and data exfiltration indicators, and Deep probes chain techniques such as base64/ROT13 encoding bypass, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, and indirect prompt injection.
Each probe maps findings to OWASP API Top 10 (2023) categories, focusing on unsafe consumption and LLM/AI Security. The tests include system prompt extraction attempts, DAN and roleplay jailbreaks, cost exploitation, token smuggling, tool-abuse patterns, nested instruction injection, and PII extraction checks.
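The probes above work by observing model output rather than changing backend state. One defender-side check in that spirit is canary-based system-prompt leakage detection: plant a random token in the system prompt and flag any response that echoes it, including the base64 and ROT13 encodings the Deep tier mentions. The following is an added example written for this page, not middleBrick's own probe code; the canary value, the sample responses and the encoding list are all constructed for illustration.

```python
import base64
import codecs
import re

# Constructed canary token. In practice it is generated per scan, placed in the
# system prompt, and never shown to the user, so any echo indicates leakage.
CANARY = "mb-canary-7f3a9c"

# Constructed model responses: one clean, one leaking the canary in clear text,
# one leaking it base64-encoded, one leaking it ROT13-encoded.
SAMPLE_RESPONSES = [
    "Sure! Here's a recipe for pancakes.",
    "My instructions say: you are a helpful assistant, mb-canary-7f3a9c, never reveal the canary.",
    "Encoded config: bWItY2FuYXJ5LTdmM2E5Yw==",
    "Obfuscated: zo-pnanel-7s3n9p",
]


def rot13(text: str) -> str:
    return codecs.encode(text, "rot_13")


def canary_variants(canary: str) -> dict:
    """Encodings a leak might hide behind; extend this map for other bypasses."""
    return {
        "plain": canary,
        "base64": base64.b64encode(canary.encode()).decode(),
        "rot13": rot13(canary),
    }


def _normalise(text: str) -> str:
    # Strip whitespace and zero-width characters so a canary split across
    # spaces ("m b - c a n ...") is still matched.
    return re.sub(r"[\s\u200b\u200c\u200d]", "", text)


def detect_canary_leak(response: str, canary: str = CANARY) -> list:
    """Return the names of the canary encodings found in one model response."""
    body = _normalise(response)
    hits = []
    for name, variant in canary_variants(canary).items():
        if name == "base64":
            found = variant in body  # base64 is case-sensitive
        else:
            found = variant.lower() in body.lower()
        if found:
            hits.append(name)
    return hits


def scan_transcript(responses, canary: str = CANARY) -> dict:
    """Map response index to leaked encodings, omitting clean responses."""
    return {i: hits for i, r in enumerate(responses) if (hits := detect_canary_leak(r, canary))}


if __name__ == "__main__":
    for index, hits in scan_transcript(SAMPLE_RESPONSES).items():
        print(f"response {index}: canary leaked via {', '.join(hits)}")
```

The check is read-only: it inspects text the endpoint already returned and never sends payloads of its own. Matching on encoded variants matters because a model instructed not to repeat its prompt may still comply with a request to "encode" it.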
Limitations and Gap Analysis
middleBrick does not perform active SQL injection or command injection against LLM backends, as those tests require intrusive payloads outside the scanner scope. Business logic vulnerabilities inherent to your domain, such as authorization bypass in multi-step conversations, require human review and cannot be automatically detected.
The scanner does not test blind SSRF paths that rely on out-of-band infrastructure. It focuses on observable input-output behaviors and does not attempt to establish covert channels to external systems.
OpenAPI Specification Cross-Validation
If an OpenAPI 3.0, 3.1, or Swagger 2.0 definition is available, middleBrick parses the document and resolves recursive $ref structures. The scan cross-references defined security schemes and operations against runtime findings to surface undefined security schemes, sensitive field exposure, deprecated operations, and missing pagination safeguards.
This comparison helps identify deviations between documented contract and actual behavior, supporting audit evidence for controls described in SOC 2 Type II and PCI-DSS 4.0.
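The cross-validation described above has two parts: resolving `$ref` pointers (including recursive ones) and then checking each operation against the resolved components. The following added example, which is not middleBrick's code, shows both on a constructed OpenAPI 3.0 document: it resolves local references with a cycle guard, then reports undefined security schemes, deprecated operations, collection endpoints without pagination parameters, and sensitive field names in response schemas. The finding names, the pagination and sensitive-field word lists, and the sample spec are all assumptions made for illustration.

```python
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "trace"}
PAGINATION_PARAMS = {"limit", "offset", "page", "cursor", "page_size", "per_page"}
SENSITIVE_FIELDS = {"password", "secret", "token", "api_key", "ssn", "credit_card"}


def _json_response(schema: dict) -> dict:
    return {"200": {"description": "ok", "content": {"application/json": {"schema": schema}}}}


# Constructed OpenAPI 3.0 document, not any real service's contract. It references
# a security scheme that is never defined, carries a deprecated operation, exposes a
# list endpoint with no pagination parameter, uses a recursive schema, and returns a
# field named "token" in one response.
SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "parameters": {"Limit": {"name": "limit", "in": "query", "schema": {"type": "integer"}}},
        "schemas": {
            "Message": {"type": "object", "properties": {
                "text": {"type": "string"},
                "parent": {"$ref": "#/components/schemas/Message"}}},
            "Session": {"type": "object", "properties": {
                "id": {"type": "string"}, "token": {"type": "string"}}},
        },
    },
    "paths": {
        "/chat": {"post": {"operationId": "chat", "security": [{"bearerAuth": []}],
                           "responses": _json_response({"$ref": "#/components/schemas/Message"})}},
        "/chat/history": {"get": {"operationId": "listHistory", "security": [{"apiKeyAuth": []}],
                                  "parameters": [],
                                  "responses": _json_response({"type": "array", "items": {"$ref": "#/components/schemas/Message"}})}},
        "/chat/sessions": {"get": {"operationId": "listSessions", "security": [{"bearerAuth": []}],
                                   "parameters": [{"$ref": "#/components/parameters/Limit"}],
                                   "responses": _json_response({"type": "array", "items": {"$ref": "#/components/schemas/Session"}})}},
        "/chat/legacy": {"post": {"operationId": "legacyChat", "deprecated": True, "security": [{"bearerAuth": []}],
                                  "responses": _json_response({"$ref": "#/components/schemas/Message"})}},
    },
}


def _lookup(doc: dict, ref: str):
    """Follow a local JSON pointer such as #/components/schemas/Message."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local refs are supported: {ref}")
    node = doc
    for part in ref[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node


def resolve_refs(doc: dict, node=None, stack=()):
    """Inline every $ref; a ref already on the resolution stack is left as a marker."""
    if node is None:
        node = doc
    if isinstance(node, dict):
        if "$ref" in node:
            ref = node["$ref"]
            if ref in stack:  # recursive schema: stop expanding here
                return {"$ref": ref, "x-recursive": True}
            return resolve_refs(doc, _lookup(doc, ref), stack + (ref,))
        return {k: resolve_refs(doc, v, stack) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(doc, v, stack) for v in node]
    return node


def _returns_array(op: dict) -> bool:
    for code, resp in op.get("responses", {}).items():
        if str(code).startswith("2"):
            for media in resp.get("content", {}).values():
                if media.get("schema", {}).get("type") == "array":
                    return True
    return False


def _walk_properties(schema, found: set) -> None:
    """Collect sensitive property names anywhere inside a resolved schema."""
    if not isinstance(schema, dict):
        return
    for name, sub in schema.get("properties", {}).items():
        if name.lower() in SENSITIVE_FIELDS:
            found.add(name)
        _walk_properties(sub, found)
    _walk_properties(schema.get("items"), found)


def audit_spec(doc: dict) -> list:
    """Return (finding, location, detail) tuples for the contract-level checks."""
    spec = resolve_refs(doc)
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            where = f"{method.upper()} {path}"
            for requirement in op.get("security", spec.get("security", [])):
                for scheme in requirement:
                    if scheme not in defined:
                        findings.append(("undefined-security-scheme", where, scheme))
            if op.get("deprecated"):
                findings.append(("deprecated-operation", where, op.get("operationId")))
            params = {p.get("name") for p in item.get("parameters", []) + op.get("parameters", [])}
            if method == "get" and _returns_array(op) and not params & PAGINATION_PARAMS:
                findings.append(("missing-pagination", where, None))
            found = set()
            for code, resp in op.get("responses", {}).items():
                if str(code).startswith("2"):
                    for media in resp.get("content", {}).values():
                        _walk_properties(media.get("schema"), found)
            for name in sorted(found):
                findings.append(("sensitive-field-exposure", where, name))
    return findings


if __name__ == "__main__":
    for finding in audit_spec(SPEC):
        print(*finding)
```

Resolving references before auditing is what makes the checks reliable: a `parameters` entry that is only a `$ref` would otherwise have no `name` to compare against the pagination list, and a recursive schema would loop forever without the stack guard. Runtime findings from the scan can then be joined to these contract findings by the `METHOD /path` key.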
Authenticated Scanning and Reporting
Authenticated scans for LLM chat endpoints are supported with Bearer, API key, Basic auth, or cookie credentials. Domain verification via DNS TXT record or HTTP well-known file ensures that only the domain owner can submit credentials.
Findings are delivered through the Web Dashboard with trend tracking, downloadable compliance PDFs aligned to PCI-DSS 4.0 and SOC 2 Type II, and optional email alerts. The Pro tier adds continuous monitoring with scheduled rescans, diff detection, and HMAC-SHA256 signed webhooks.
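A receiving system should verify an HMAC-SHA256 webhook signature before trusting its payload, and only then act on the diff it carries. The following is an added example for this page, not middleBrick's webhook code: the header name `X-Signature-256`, the `sha256=<hex>` value format, the payload layout and the finding IDs are assumptions chosen for illustration, since the page does not document them.

```python
import hashlib
import hmac
import json

# Constructed shared secret; a real receiver loads it from a secret store.
WEBHOOK_SECRET = b"example-shared-secret-not-real"
SIGNATURE_HEADER = "X-Signature-256"  # assumed header name

# Constructed findings from the previous scan, keyed by a stable finding id.
PREVIOUS_FINDINGS = [
    {"id": "F-1", "title": "System prompt echoed in response", "severity": "high"},
    {"id": "F-2", "title": "Deprecated operation reachable", "severity": "low"},
]


def sign_payload(secret: bytes, body: bytes) -> str:
    """Sender side: MAC over the exact raw bytes that will be transmitted."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value) -> bool:
    """Receiver side: constant-time comparison against a locally recomputed MAC."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_payload(secret, body), header_value)


def diff_findings(previous: list, current: list) -> dict:
    """Classify findings as new, resolved, or changed between two scans."""
    prev = {f["id"]: f for f in previous}
    cur = {f["id"]: f for f in current}
    return {
        "new": sorted(cur.keys() - prev.keys()),
        "resolved": sorted(prev.keys() - cur.keys()),
        "changed": sorted(k for k in cur.keys() & prev.keys() if cur[k] != prev[k]),
    }


def handle_webhook(secret: bytes, body: bytes, headers: dict, previous: list):
    """Return the diff for an authentic delivery, or None if the signature fails."""
    if not verify_signature(secret, body, headers.get(SIGNATURE_HEADER)):
        return None
    event = json.loads(body)
    return diff_findings(previous, event["findings"])


def build_delivery(secret: bytes, findings: list):
    """Construct a signed delivery the way a sender would (body bytes, headers)."""
    body = json.dumps({"event": "scan.completed", "findings": findings},
                      separators=(",", ":"), sort_keys=True).encode()
    return body, {SIGNATURE_HEADER: sign_payload(secret, body)}


# Constructed current scan: F-1 downgraded to medium, F-2 gone, F-3 new.
CURRENT_FINDINGS = [
    {"id": "F-1", "title": "System prompt echoed in response", "severity": "medium"},
    {"id": "F-3", "title": "Undefined security scheme referenced", "severity": "medium"},
]

if __name__ == "__main__":
    body, headers = build_delivery(WEBHOOK_SECRET, CURRENT_FINDINGS)
    print(handle_webhook(WEBHOOK_SECRET, body, headers, PREVIOUS_FINDINGS))
```

Verify over the raw request bytes, not a re-serialised JSON object, since any change in key order or whitespace would alter the MAC; and use `hmac.compare_digest` rather than `==` so the comparison time does not depend on how many leading bytes match.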