42Crunch for OpenAPI-first APIs

What middleBrick covers

  • OpenAPI 3.0/3.1/Swagger 2.0 parsing with $ref resolution
  • Cross-reference spec definitions against runtime behavior
  • Detection of authentication and authorization misconfigurations
  • Authenticated scanning with strict header allowlist
  • Mapping findings to OWASP API Top 10, PCI-DSS, and SOC 2
  • CI/CD integration and scheduled continuous monitoring

OpenAPI-first scanning approach

The scanner ingests OpenAPI 3.0, 3.1, and Swagger 2.0 files and resolves recursive $ref chains to build a complete interface model. It cross-references the spec definitions against runtime behavior to highlight undefined security schemes, deprecated operations, and missing pagination rules.

For OpenAPI-first APIs, this means coverage extends to declared request and response structures, parameter locations, and schema definitions. The scanner compares the declared contract with observed interactions to surface discrepancies such as undocumented endpoints, schema over-exposure, and operations lacking defined security requirements.

Detection coverage aligned to frameworks

Findings map to OWASP API Top 10 (2023), and the scanner also aligns with security controls described in PCI-DSS 4.0 and SOC 2 Type II. These mappings help you prepare for audits and provide evidence for specific control objectives without asserting certification or compliance.

Detection covers authentication bypass attempts; JWT misconfigurations such as alg=none and expired tokens; BOLA and IDOR via sequential ID probing; and BFLA through admin endpoint discovery and role/permission leakage. Further checks cover CORS wildcard usage with credentials, dangerous HTTP methods, and exposed debug endpoints.
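As an added illustration of two of the runtime checks named above (CORS wildcard with credentials, and JWT alg=none or expired tokens), here is a small set of passive checks over one observed response. This is example code written for this page, not middleBrick's scanner. The response headers and the token are constructed; the token is pre-encoded, carries no secret, and is only decoded, never verified or signed.

```python
"""Added example, not middleBrick's own code: passive checks over an observed
HTTP response and the bearer token the API returned or accepted. Nothing here
signs, forges or sends anything; it only inspects. SAMPLE_HEADERS and
SAMPLE_TOKEN are constructed for illustration (the token carries no secret)."""
import base64
import json
import time

# Constructed response headers from a misconfigured CORS layer.
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}

# Constructed JWT: header {"alg":"none","typ":"JWT"}, payload {"exp":1700000000},
# empty signature segment. Pre-encoded so the example never has to mint a token.
SAMPLE_TOKEN = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJleHAiOjE3MDAwMDAwMDB9."


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def check_cors(headers):
    """Wildcard origin plus Allow-Credentials: browsers refuse the pair, so its
    presence means the server declares a credentialed policy it never actually
    exercises; report it as a misconfiguration. Names match case-insensitively."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    findings = []
    if (h.get("access-control-allow-origin") == "*"
            and h.get("access-control-allow-credentials", "").lower() == "true"):
        findings.append("CORS: wildcard origin combined with Allow-Credentials")
    return findings


def check_jwt(token, now=None):
    """Decode (not verify) a JWT and report alg=none or an elapsed exp claim.
    `now` is injectable so the check is deterministic in tests."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["JWT: malformed token (expected three segments)"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return ["JWT: header or payload is not base64url JSON"]
    findings = []
    if str(header.get("alg", "")).lower() == "none":
        findings.append("JWT: alg=none, signature is not enforced")
    exp = payload.get("exp")
    if isinstance(exp, (int, float)) and exp < now:
        # Meaningful when the API still honoured the token: expiry is not checked.
        findings.append(f"JWT: expired at {int(exp)}")
    return findings


def check_response(headers, token, now=None):
    """Combine the passive checks for one observed exchange."""
    return check_cors(headers) + check_jwt(token, now)


if __name__ == "__main__":
    for finding in check_response(SAMPLE_HEADERS, SAMPLE_TOKEN):
        print(finding)
```

The expiry finding only matters in context: a token with an elapsed `exp` that the API nevertheless accepted is the evidence that expiry is not enforced, which is why the check reports the timestamp rather than deciding on its own.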

OpenAPI analysis and runtime comparison

During analysis, the tool parses operation parameters, request and response schemas, and security requirements defined in the spec. It flags missing authentication on sensitive operations, over-exposed internal fields, and mass-assignment surfaces that could lead to object property level authorization issues.

Where the spec defines server variables and expected formats, the scanner validates inputs against declared patterns and enumerations. Undefined security schemes and deprecated paths are surfaced as findings, helping you identify maintenance debt that increases risk over time.
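The spec-side checks described in the "OpenAPI-first scanning approach" section and again here (resolving recursive $ref chains, then flagging operations without a security requirement, references to undefined security schemes, and deprecated operations) can be shown in a few dozen lines. The following is an added example written for this page, not middleBrick's code; it handles local `#/` references only, and `SAMPLE_SPEC` is a constructed document seeded with deliberate findings.

```python
"""Added example, not middleBrick's own code: a minimal OpenAPI 3.x linter that
resolves local, possibly recursive $ref chains and then flags operations with no
security requirement, references to undefined security schemes, and deprecated
operations. SAMPLE_SPEC is a constructed document with deliberate findings."""

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

# Constructed sample: one scheme is declared, /users/{id} DELETE opts out of
# security with [], /admin/export is deprecated and names an undeclared scheme,
# and the Node schema references itself.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {
            "bearerAuth": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"},
        },
        "schemas": {
            "User": {"type": "object", "properties": {
                "id": {"type": "integer"},
                "profile": {"$ref": "#/components/schemas/Profile"}}},
            "Profile": {"type": "object", "properties": {"email": {"type": "string"}}},
            "Node": {"type": "object", "properties": {"next": {"$ref": "#/components/schemas/Node"}}},
        },
        "responses": {
            "UserResponse": {"description": "ok", "content": {
                "application/json": {"schema": {"$ref": "#/components/schemas/User"}}}},
        },
    },
    "security": [{"bearerAuth": []}],   # document-wide default
    "paths": {
        "/users/{id}": {
            "get": {"operationId": "getUser",
                    "responses": {"200": {"$ref": "#/components/responses/UserResponse"}}},
            "delete": {"operationId": "deleteUser", "security": [],
                       "responses": {"204": {"description": "deleted"}}},
        },
        "/admin/export": {
            "get": {"operationId": "exportAll", "deprecated": True,
                    "security": [{"adminKey": []}],
                    "responses": {"200": {"description": "ok"}}},
        },
    },
}


def resolve_ref(spec, ref):
    """Follow a local JSON Pointer such as '#/components/schemas/User'."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local refs are handled here: {ref}")
    node = spec
    for part in ref[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]  # RFC 6901 unescaping
    return node


def deref(spec, node, seen=frozenset()):
    """Recursively inline $ref objects. A ref already on the current chain is a
    cycle and is replaced by a marker instead of recursing forever."""
    if isinstance(node, dict):
        if "$ref" in node:
            ref = node["$ref"]
            if ref in seen:
                return {"$circular": ref}
            return deref(spec, resolve_ref(spec, ref), seen | {ref})
        return {key: deref(spec, value, seen) for key, value in node.items()}
    if isinstance(node, list):
        return [deref(spec, value, seen) for value in node]
    return node


def lint(spec):
    """Return (operationId, finding) pairs for the three checks named above."""
    findings = []
    declared = set(spec.get("components", {}).get("securitySchemes", {}))
    default_security = spec.get("security")
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            if method not in item:
                continue
            op = deref(spec, item[method])
            op_id = op.get("operationId", f"{method.upper()} {path}")
            # An operation-level "security" overrides the document default;
            # an explicit [] means "public", which is exactly what to surface.
            security = op.get("security", default_security)
            if not security:
                findings.append((op_id, "no security requirement"))
            for requirement in security or []:
                for scheme in requirement:
                    if scheme not in declared:
                        findings.append((op_id, f"undefined security scheme '{scheme}'"))
            if op.get("deprecated"):
                findings.append((op_id, "deprecated operation still in the contract"))
    return findings


if __name__ == "__main__":
    for op_id, finding in lint(SAMPLE_SPEC):
        print(f"{op_id}: {finding}")
```

Two details matter in practice: an operation-level `security: []` is a deliberate opt-out from the document default and must be reported rather than treated as "inherits", and cycle detection must track the refs on the current chain (not a global visited set), otherwise a schema legitimately referenced from two places would be inlined only once.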

Authenticated scanning and header handling

Authenticated scanning is available from the Starter tier and above, supporting Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through DNS TXT records or an HTTP well-known file to ensure only domain owners can scan with credentials.

When credentials are provided, the scanner uses a strict header allowlist that includes Authorization, X-API-Key, Cookie, and X-Custom-* headers. This minimizes unnecessary data exposure while still exercising authenticated flows defined in the OpenAPI spec.
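A strict allowlist of this shape is small enough to show in full. The following is an added example written for this page (not middleBrick's implementation) that keeps only the header names listed above, matches the `X-Custom-*` family by prefix, and additionally refuses values containing CR or LF so that a supplied credential cannot turn into extra header lines on the wire.

```python
"""Added example, not middleBrick's own code: a strict allowlist for the
credential headers a user supplies to an authenticated scan, following the
names listed above. Everything else is dropped and reported rather than
forwarded to the target."""

ALLOWED_EXACT = {"authorization", "x-api-key", "cookie"}
ALLOWED_PREFIXES = ("x-custom-",)


def filter_headers(supplied):
    """Return (kept, dropped). Names match case-insensitively; the prefix rule
    requires the trailing hyphen, so 'X-Customer-Id' does not qualify. Values
    containing CR or LF are dropped too, since they could split into extra
    header lines when the request is serialised."""
    kept, dropped = {}, []
    for name, value in supplied.items():
        lower = name.strip().lower()
        allowed = lower in ALLOWED_EXACT or lower.startswith(ALLOWED_PREFIXES)
        if allowed and "\r" not in value and "\n" not in value:
            kept[name] = value
        else:
            dropped.append(name)
    return kept, dropped


if __name__ == "__main__":
    # Constructed input mixing credential headers with ones that must not leak.
    kept, dropped = filter_headers({
        "Authorization": "Bearer <token>",
        "X-Custom-Tenant": "acme",
        "X-Customer-Id": "7",
        "X-Forwarded-For": "10.0.0.1",
    })
    print("kept:", kept, "dropped:", dropped)
```

Reporting the dropped names back to the user is deliberate: a silently discarded `X-Forwarded-For` or `Host` override is less surprising when the scan output says so.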

Limitations and complementary testing

The scanner does not execute active SQL injection or command injection payloads, as those require intrusive testing outside its scope. It does not detect business logic vulnerabilities, which demand domain context and human analysis.

Blind SSRF and out-of-band channels are not covered, and the tool does not replace a human pentester for high-stakes audits. It focuses on detection and guidance rather than remediation, providing findings relevant to broader audit evidence and control validation efforts.

Frequently Asked Questions

Which OpenAPI versions are supported?
The scanner supports OpenAPI 3.0, 3.1, and Swagger 2.0 with full recursive $ref resolution.

Does the scanner perform intrusive testing like SQL injection?
No. It limits testing to read-only methods and text-based probes, avoiding destructive payloads.

Can authenticated scans validate security schemes defined in OpenAPI?
Yes. Authenticated scans verify declared security schemes and validate token handling against runtime behavior.

Is compliance with HIPAA or GDPR claimed?
Compliance is not claimed. The tool helps you prepare evidence and aligns with security controls described in regulatory frameworks.