42Crunch for Mobile backends

What middleBrick covers

  • Black-box scanning with no agents or code access
  • 12 OWASP API Top 10 (2023) categories covered
  • Authentication support for Bearer, API key, Basic, and Cookie
  • OpenAPI 3.0/3.1/Swagger 2.0 parsing with $ref resolution
  • LLM adversarial probes across Quick, Standard, and Deep tiers
  • Continuous monitoring with diff detection and alerts

Overview of API security scanning for mobile backends

Mobile backends expose multiple public endpoints that must behave correctly under malformed or adversarial input. This scanner assesses those endpoints using read-only methods (GET and HEAD) plus text-only POST for LLM probes, without requiring code access or agents. It operates as a black-box solution, compatible with any language, framework, or cloud hosting model, and completes a scan in under a minute.

Detection coverage aligned to industry standards

The scanner evaluates 12 security categories mapped to the OWASP API Top 10 (2023). It checks authentication bypasses and JWT misconfigurations such as alg=none, weak algorithms, expired tokens, missing claims, and sensitive data in claims. It identifies BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing, and detects BFLA and privilege escalation through admin endpoint probing and role/permission field leakage.
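
The JWT checks described above can be illustrated with a passive inspector. The following is an added example, not middleBrick's code: it decodes the header and claims of a token without verifying the signature (a black-box scanner has no issuer key) and reports alg=none, algorithms outside an accepted set, expired tokens, missing claims, and sensitive data in claims. The accepted algorithm set, the required-claim list, the sensitive-key pattern and the sample tokens are all assumptions constructed for this example.

```python
import base64
import json
import re
import time
from typing import Any, Dict, List, Optional

# Algorithms a bearer-token issuer is expected to use; anything else (including a
# non-standard or deprecated name) is reported. Assumption for this example.
ACCEPTED_ALGS = {"HS256", "HS384", "HS512", "RS256", "RS384", "RS512",
                 "ES256", "ES384", "ES512", "PS256", "PS384", "PS512", "EdDSA"}
# Claims an access token is expected to carry (assumption for this example).
REQUIRED_CLAIMS = ("exp", "iat", "iss", "aud", "sub")
SENSITIVE_KEY = re.compile(r"password|passwd|secret|ssn|card|token", re.I)
EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_token(header: Dict[str, Any], claims: Dict[str, Any], signature: bytes = b"") -> str:
    """Build a token for the constructed samples below; no signature gives the 'alg: none' shape."""
    def seg(obj: Any) -> str:
        raw = obj if isinstance(obj, bytes) else json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([seg(header), seg(claims), seg(signature) if signature else ""])


def inspect_jwt(token: str, now: Optional[float] = None) -> List[str]:
    """Return finding codes for a token without verifying its signature.

    The scanner holds no issuer key, so this is a passive look at header and claims,
    which is all a black-box scan can do; a correctly signed token can still show these issues.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed-token"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["malformed-token"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["malformed-token"]

    findings: List[str] = []
    alg = str(header.get("alg", ""))
    if alg.lower() == "none" or parts[2] == "":
        findings.append("alg-none")  # unsigned token: anyone can mint one
    elif alg not in ACCEPTED_ALGS:
        findings.append(f"weak-or-unknown-alg:{alg}")

    findings.extend(f"missing-claim:{c}" for c in REQUIRED_CLAIMS if c not in claims)
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and exp < now:
        findings.append("expired")

    for key, value in claims.items():
        if SENSITIVE_KEY.search(key):
            findings.append(f"sensitive-claim:{key}")
        elif isinstance(value, str) and EMAIL.fullmatch(value):
            findings.append(f"pii-in-claim:{key}")  # claims are base64, not encrypted
    return findings


# Constructed sample tokens (not real credentials).
SAMPLE_UNSIGNED = encode_token(
    {"alg": "none", "typ": "JWT"},
    {"sub": "42", "iss": "auth.example.com", "aud": "mobile-app",
     "iat": 1700000000, "exp": 9999999999, "password": "hunter2"})
SAMPLE_EXPIRED = encode_token({"alg": "RS256", "typ": "JWT"},
                              {"sub": "42", "exp": 1600000000}, b"\x01" * 64)
SAMPLE_PII = encode_token({"alg": "RS256", "typ": "JWT"},
                          {"sub": "42", "iss": "auth.example.com", "aud": "mobile-app",
                           "iat": 1700000000, "exp": 9999999999, "email": "dev@example.com"},
                          b"\x01" * 64)

if __name__ == "__main__":
    for name, tok in [("unsigned", SAMPLE_UNSIGNED), ("expired", SAMPLE_EXPIRED), ("pii", SAMPLE_PII)]:
        print(name, inspect_jwt(tok, now=1700000500))
```

The `now` parameter makes the expiry check deterministic; a real scanner would pass the wall clock and also tolerate a small skew before calling a token expired.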

  • Property over-exposure and internal field leakage are flagged as mass-assignment surface issues.
  • Input validation findings include CORS wildcard usage with credentials, dangerous HTTP methods, and debug endpoints.
  • Rate limiting and resource consumption are assessed via rate-limit header detection, oversized responses, and unpaginated arrays.
  • Data exposure covers PII patterns such as email, Luhn-validated card numbers, context-aware SSN, API key formats (AWS, Stripe, GitHub, Slack), and error or stack-trace leakage.
  • Encryption checks verify HTTPS redirects, HSTS, cookie flags, and mixed content.
  • SSRF detection targets URL-accepting parameters and body fields, with internal IP detection and active IP-bypass probes.
  • Inventory management findings highlight missing versioning, legacy path patterns, and server fingerprinting.
  • Unsafe consumption surfaces include excessive third-party URLs and webhook/callback exposure.
  • LLM and AI security probes cover 18 adversarial techniques across three scan tiers, including system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration, cost exploitation, encoding bypasses, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool abuse, nested instruction injection, and PII extraction.
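
Several of the response-level checks listed above (CORS wildcard with credentials, HSTS, cookie flags, rate-limit headers, Luhn-validated card numbers, stack-trace leakage) can be run over a single captured response. The block below is an added example written for this page, not middleBrick's detection code; the rate-limit header names, the stack-trace patterns and the sample response are constructed assumptions.

```python
import re
from typing import Iterable, List, Tuple

Header = Tuple[str, str]  # (name, value); a list allows repeated Set-Cookie headers

# Headers that advertise a rate limit. Assumption: a representative set, not middleBrick's list.
RATE_LIMIT_HEADERS = {"ratelimit-limit", "x-ratelimit-limit", "x-rate-limit-limit", "retry-after"}
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
STACK_TRACE = re.compile(
    r"Traceback \(most recent call last\)|\n\s+at [\w$.<>]+\([\w.]+:\d+\)|Exception in thread")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def analyze_response(headers: Iterable[Header], body: str, over_https: bool = True) -> List[str]:
    """Return finding codes for one response, in a fixed order so results diff cleanly."""
    hdrs = [(n.lower(), v) for n, v in headers]
    first = {n: v for n, v in reversed(hdrs)}  # first value wins for single-valued headers
    findings: List[str] = []

    # Wildcard origin plus credentials: browsers reject the pair, and servers that
    # reflect Origin to work around that grant every site credentialed access.
    if (first.get("access-control-allow-origin") == "*"
            and first.get("access-control-allow-credentials", "").lower() == "true"):
        findings.append("cors-wildcard-with-credentials")

    if over_https and "strict-transport-security" not in first:
        findings.append("missing-hsts")

    for name, value in hdrs:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if over_https and "secure" not in attrs:
            findings.append(f"cookie-missing-secure:{cookie_name}")
        if "httponly" not in attrs:
            findings.append(f"cookie-missing-httponly:{cookie_name}")

    # Absence of advertised limits is only a weak signal (a limit may be enforced
    # silently), so treat this finding as informational.
    if not RATE_LIMIT_HEADERS & set(first):
        findings.append("no-rate-limit-headers")

    cards = sum(1 for m in CARD_CANDIDATE.finditer(body)
                if luhn_valid(re.sub(r"\D", "", m.group())))
    if cards:
        findings.append(f"luhn-valid-card-in-body:{cards}")

    if STACK_TRACE.search(body):
        findings.append("stack-trace-in-body")
    return findings


# Constructed sample response: one Luhn-valid card, one digit run that is not a card,
# and a framework traceback leaked into the body.
SAMPLE_HEADERS: List[Header] = [
    ("Content-Type", "application/json"),
    ("Access-Control-Allow-Origin", "*"),
    ("Access-Control-Allow-Credentials", "true"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure; HttpOnly"),
]
SAMPLE_BODY = (
    '{"card":"4111 1111 1111 1111","ref":"4111 1111 1111 1112"}\n'
    'Traceback (most recent call last):\n  File "app.py", line 12, in handler\n'
)
CLEAN_HEADERS: List[Header] = [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("X-RateLimit-Limit", "100"),
    ("Set-Cookie", "session=1; Secure; HttpOnly"),
]

if __name__ == "__main__":
    print(analyze_response(SAMPLE_HEADERS, SAMPLE_BODY))
    print(analyze_response(CLEAN_HEADERS, "{}"))
```

Headers are passed as a list of pairs rather than a dict so that repeated Set-Cookie headers are each checked; collapsing them into a dict is a common way for a scanner to miss the insecure one.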

OpenAPI definitions are parsed in versions 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, and findings are cross-referenced against the spec to identify undefined security schemes, sensitive fields, deprecated operations, and missing pagination.

Authenticated scanning and domain verification

Authenticated scans, available from the Starter tier upward, support Bearer tokens, API keys, Basic auth, and cookies. Before credentials are accepted, a domain verification gate checks a DNS TXT record or an HTTP well-known file to ensure only the domain owner can scan with credentials.

Header forwarding is restricted to an allowlist that includes Authorization, X-API-Key, Cookie, and X-Custom-* headers. This controlled approach limits the attack surface while still enabling coverage of authenticated workflows.
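
The two controls above, a domain verification gate in front of credential use and an allowlist on forwarded headers, fit together as one function. The following is an added example of that design, not middleBrick's implementation: the TXT record prefix, the well-known path, and the DNS and HTTP lookups (injected as callables so the code runs offline) are assumptions; in production the lookups would use a DNS resolver library and an HTTP client.

```python
import hmac
import secrets
from typing import Callable, Dict, List, Optional

# Record prefix and well-known path are assumptions for this example, not middleBrick's own.
TXT_PREFIX = "middlebrick-verify="
WELL_KNOWN_PATH = "/.well-known/middlebrick-verification.txt"
# Allowlist from the page: Authorization, X-API-Key, Cookie, plus the X-Custom-* prefix.
FORWARDABLE_HEADERS = {"authorization", "x-api-key", "cookie"}
FORWARDABLE_PREFIX = "x-custom-"

LookupTxt = Callable[[str], List[str]]        # domain -> TXT record strings
FetchText = Callable[[str], Optional[str]]    # url -> body, or None on failure


def new_verification_token() -> str:
    """Random, unguessable token the customer publishes to prove control of the domain."""
    return secrets.token_urlsafe(24)


def _same(a: str, b: str) -> bool:
    """Constant-time comparison; encode so non-ASCII input cannot raise TypeError."""
    return hmac.compare_digest(a.encode(), b.encode())


def verify_domain(domain: str, expected: str, lookup_txt: LookupTxt, fetch: FetchText) -> Optional[str]:
    """Return "dns" or "http" for the method that proved ownership, or None if neither did."""
    for record in lookup_txt(domain):
        if record.startswith(TXT_PREFIX) and _same(record[len(TXT_PREFIX):], expected):
            return "dns"
    body = fetch(f"https://{domain}{WELL_KNOWN_PATH}")
    if body is not None and _same(body.strip(), expected):
        return "http"
    return None


def filter_forwarded_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Keep only allowlisted headers; Host, X-Forwarded-*, and anything else is dropped."""
    kept = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname in FORWARDABLE_HEADERS or lname.startswith(FORWARDABLE_PREFIX):
            kept[name] = value
    return kept


def prepare_authenticated_scan(domain: str, expected: str, headers: Dict[str, str],
                               lookup_txt: LookupTxt, fetch: FetchText) -> Dict[str, str]:
    """Gate: credentials are forwarded only after the domain owner has proved control."""
    if verify_domain(domain, expected, lookup_txt, fetch) is None:
        raise PermissionError(f"{domain} failed domain verification; credentials not accepted")
    return filter_forwarded_headers(headers)


if __name__ == "__main__":
    # Constructed lookups standing in for DNS and HTTP.
    records = {"api.example.com": ["v=spf1 -all", TXT_PREFIX + "tok123"]}
    lookup = lambda d: records.get(d, [])
    fetch = lambda url: None
    print(prepare_authenticated_scan("api.example.com", "tok123",
                                     {"Authorization": "Bearer t", "Host": "x"}, lookup, fetch))
```

The allowlist is matched on lowercased names so that header-name casing cannot be used to slip an unlisted header past the filter.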

Products, integrations, and continuous monitoring

The Web Dashboard centralizes scan management, report viewing, score trend tracking, and branded compliance PDF downloads. The CLI, distributed as an npm package, supports commands such as middlebrick scan <url> with JSON or text output.

A GitHub Action can gate CI/CD pipelines, failing builds when the score drops below a defined threshold. The MCP Server enables scanning from AI coding assistants such as Claude and Cursor.

For ongoing risk tracking, the Pro tier provides scheduled rescans (every 6 hours, daily, weekly, or monthly); diff detection across scans that highlights new findings, resolved findings, and score drift; and rate-limited email alerts (1 per hour per API). Webhooks are HMAC-SHA256 signed and auto-disabled after 5 consecutive failures.
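
The webhook behaviour described above (HMAC-SHA256 signatures, auto-disable after 5 consecutive failures) is shown below from both ends: the sender signs each delivery and tracks failures, and the receiver verifies the signature in constant time. This is an added example, not middleBrick's webhook code; the header names, the timestamp-prefixed signing input and the 5-minute replay window are assumptions chosen for the example.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

SIGNATURE_HEADER = "X-Middlebrick-Signature"   # assumption for this example
TIMESTAMP_HEADER = "X-Middlebrick-Timestamp"   # assumption for this example
MAX_CONSECUTIVE_FAILURES = 5                   # from the page
TOLERANCE_SECONDS = 300                        # replay window, assumption


def sign_webhook(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<body>"; binding the timestamp limits replay."""
    msg = str(timestamp).encode() + b"." + body
    return "sha256=" + hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, timestamp_header: Optional[str], signature_header: Optional[str],
                   body: bytes, now: Optional[int] = None, tolerance: int = TOLERANCE_SECONDS) -> bool:
    """Receiver side: reject stale timestamps, then compare signatures in constant time."""
    try:
        ts = int(timestamp_header or "")
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > tolerance:
        return False
    expected = sign_webhook(secret, ts, body)
    return hmac.compare_digest(expected, signature_header or "")


class WebhookEndpoint:
    """Sender-side record of one subscriber: signs deliveries and disables itself after
    MAX_CONSECUTIVE_FAILURES failed attempts in a row."""

    def __init__(self, url: str, secret: bytes):
        self.url = url
        self.secret = secret
        self.consecutive_failures = 0
        self.enabled = True

    def build_delivery(self, event: Dict, now: Optional[int] = None) -> Tuple[Dict[str, str], bytes]:
        """Serialize the event canonically and attach timestamp and signature headers."""
        body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
        ts = int(time.time()) if now is None else now
        headers = {
            "Content-Type": "application/json",
            TIMESTAMP_HEADER: str(ts),
            SIGNATURE_HEADER: sign_webhook(self.secret, ts, body),
        }
        return headers, body

    def record_delivery(self, succeeded: bool) -> bool:
        """Update the failure streak; returns whether the endpoint is still enabled."""
        if succeeded:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
                self.enabled = False
        return self.enabled


if __name__ == "__main__":
    ep = WebhookEndpoint("https://hooks.example.test/middlebrick", b"constructed-secret")
    hdrs, body = ep.build_delivery({"api": "https://api.example.com", "score": 72}, now=1700000000)
    print(verify_webhook(b"constructed-secret", hdrs[TIMESTAMP_HEADER], hdrs[SIGNATURE_HEADER], body, now=1700000010))
```

On the receiving side the raw request bytes must be verified, not a re-serialized copy of the parsed JSON, since any difference in key order or whitespace changes the HMAC.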

Limitations and safety posture

The scanner does not fix, patch, block, or remediate issues; it detects and reports them with remediation guidance. It does not perform active SQL injection or command injection tests, as those require intrusive payloads outside its defined scope. Business logic vulnerabilities are not detected, as they require domain-specific human analysis.

Blind SSRF is out of scope due to the absence of out-of-band infrastructure. The tool does not replace a human pentester for high-stakes audits.

Safety measures include read-only methods only, blocking of destructive payloads, and filtering of private IPs, localhost, and cloud metadata endpoints at multiple layers. Customer scan data is deletable on demand, purged within 30 days of cancellation, and is never sold or used for model training.

Mapping to compliance frameworks

Findings map directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other regulations, the scanner helps you prepare for audits by aligning with the security controls described in the relevant frameworks and supporting audit evidence for your assessments. It is a scanning tool, not an auditor, so it cannot certify or guarantee compliance with any regulation.

Frequently Asked Questions

Can I scan mobile backend APIs with authentication?
Yes. Authenticated scanning supports Bearer tokens, API keys, Basic auth, and cookies, provided you pass the domain verification gate.

Does the scanner test for SQL injection or command injection?
No. It does not perform active SQL injection or command injection tests, as those require intrusive payloads outside the defined scope.

How are compliance mappings presented?
The scanner maps findings directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, it supports audit evidence and aligns with described controls.

What happens to my scan data after I cancel?
Customer data is deletable on demand and purged within 30 days of cancellation. It is never sold or used for model training.

Can the scanner detect business logic flaws?
No. Business logic vulnerabilities require human analysis specific to your domain and workflow.