42Crunch for Public APIs

What middleBrick covers

  • Black-box API scanning with risk score A–F in under a minute
  • Findings mapped to OWASP API Top 10, PCI-DSS 4.0, and SOC 2 Type II
  • Authenticated scans with header allowlist and domain verification
  • OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
  • Continuous monitoring and diff detection in Pro tier
  • CI/CD gating via GitHub Action and compliance report exports

Overview of API security scanning for public endpoints

This scanner is a self-service black-box security tool for public APIs. You submit a reachable URL and receive a risk score from A to F along with prioritized findings. The scan uses read-only methods such as GET and HEAD, with text-only POST support for LLM probes, and completes in under a minute.

Detection coverage aligned to recognized frameworks

The scanner maps findings to OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II, and helps you prepare for controls related to other regulations. It detects 12 security categories across multiple scan tiers:

  • authentication bypass
  • broken object level authorization
  • broken function level authorization
  • object property level authorization over-exposure
  • input validation issues such as CORS wildcard usage and dangerous HTTP methods
  • rate limiting and resource consumption
  • data exposure, including PII and API key patterns
  • encryption misconfigurations
  • SSRF indicators
  • inventory management problems
  • unsafe consumption surfaces
  • LLM / AI security adversarial probes

OpenAPI specifications in versions 3.0, 3.1, and Swagger 2.0 are parsed with recursive $ref resolution, and findings are cross-referenced against the spec to identify undefined security schemes, sensitive fields, deprecated operations, and missing pagination.

Authenticated scanning and safety controls

Authenticated scans are available from the Starter tier onward, supporting Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through a DNS TXT record or an HTTP well-known file, ensuring only the domain owner can scan with credentials. The scanner forwards only a limited allowlist of headers, including Authorization, X-API-Key, Cookie, and X-Custom-*.

Safety measures include read-only checks; blocking of private IPs, localhost, and cloud metadata endpoints at multiple layers; and on-demand deletion of customer scan data, which is purged within 30 days of cancellation. The tool does not fix, patch, or remediate issues, and it does not perform active SQL injection or command injection testing.
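The two safety controls above, the header allowlist and the private/metadata address block, are the kind of checks a scanner operator has to get right before forwarding a single request. The following is an added example written for this page, not middleBrick's code: it keeps only the allowlisted headers (Authorization, X-API-Key, Cookie and the X-Custom-* prefix) and refuses any target whose hostname or any resolved address is loopback, private, link-local, or a documented cloud metadata address. The resolver is injected so the example runs offline; the metadata host list and the sample addresses are assumptions, not values from the page.

```python
"""Added example (not middleBrick's own code): a header allowlist and an
SSRF-safe target check, as a defender would implement them in a scanner.
Header names come from the page; the metadata host list and sample IPs are
assumptions.
"""
import ipaddress
from typing import Callable, Dict, List
from urllib.parse import urlsplit

# Exact header names the page lists, compared case-insensitively.
ALLOWED_HEADERS = {"authorization", "x-api-key", "cookie"}
ALLOWED_PREFIXES = ("x-custom-",)


def filter_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return only allowlisted headers; Host, Content-Length etc. are dropped."""
    kept = {}
    for name, value in headers.items():
        lower = name.lower()
        if lower in ALLOWED_HEADERS or lower.startswith(ALLOWED_PREFIXES):
            kept[name] = value
    return kept


# Cloud metadata addresses (assumption: the page does not publish its list;
# these are the commonly documented IMDS endpoints).
METADATA_HOSTS = {
    "169.254.169.254",           # AWS/Azure/GCP IMDS (also link-local)
    "fd00:ec2::254",             # AWS IMDS over IPv6
    "metadata.google.internal",  # GCP hostname alias
}


def is_forbidden_address(addr: str) -> bool:
    """True for loopback, private, link-local, reserved or metadata addresses.
    Note: Python's ipaddress also treats RFC 5737 documentation ranges
    (e.g. 203.0.113.0/24) as private, which is fine for a scanner."""
    ip = ipaddress.ip_address(addr)
    return (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
        or str(ip) in METADATA_HOSTS
    )


def check_scan_target(url: str, resolve: Callable[[str], List[str]]) -> None:
    """Raise ValueError if the URL must not be scanned.

    `resolve` maps a hostname to all the IP strings it resolves to; every
    address is checked so a name with one public and one private record is
    still rejected. Run the same check again on every redirect target, since
    a redirect is the usual way a blocked address is reached indirectly.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only http(s) URLs with a host are scannable")
    host = parts.hostname.lower()          # brackets already stripped for IPv6
    if host == "localhost" or host.endswith(".localhost") or host in METADATA_HOSTS:
        raise ValueError(f"forbidden host: {host}")
    try:
        ipaddress.ip_address(host)
        addresses = [host]                 # literal IP: nothing to resolve
    except ValueError:
        addresses = resolve(host)
    if not addresses:
        raise ValueError(f"host did not resolve: {host}")
    for addr in addresses:
        if is_forbidden_address(addr):
            raise ValueError(f"{host} resolves to forbidden address {addr}")


if __name__ == "__main__":
    # Constructed resolver table for an offline run.
    table = {"api.example.com": ["8.8.8.8"],
             "mixed.example.com": ["8.8.8.8", "10.0.0.5"]}
    check_scan_target("https://api.example.com/v1", table.get)
    for bad in ("http://169.254.169.254/latest/meta-data/",
                "http://[::1]/", "https://mixed.example.com/"):
        try:
            check_scan_target(bad, lambda h: table.get(h, []))
        except ValueError as exc:
            print("blocked:", exc)
```

The check happens twice in practice: once on the submitted URL and once on every resolved address (and on each redirect), which is what "at multiple layers" buys you; a hostname check alone is bypassed by a DNS record that points at 127.0.0.1.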

Products, integrations, and continuous monitoring

The Web Dashboard centralizes scans, reports, and score trend tracking, and can generate branded compliance PDFs. The CLI supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action can gate CI/CD, failing the build when the score drops below a defined threshold. An MCP Server allows scanning from AI coding assistants.

Pro tier adds continuous monitoring with scheduled rescans every 6 hours, daily, weekly, or monthly. Diff detection highlights new findings, resolved findings, and score drift. Alerts are rate-limited to one email per hour per API, and webhooks are HMAC-SHA256 signed, with auto-disable after five consecutive failures.
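The monitoring features just described (diff detection, HMAC-SHA256 signed webhooks, auto-disable after five consecutive failures) are small enough to show end to end. The block below is an added example written for this page, not middleBrick's code. The finding and score shapes, the signature header name, and the sample scan results are assumptions; the page documents none of them. It diffs two scan results by finding id, signs the webhook body, verifies it on the receiving side in constant time, and disables the endpoint after the fifth consecutive failed delivery.

```python
"""Added example (not middleBrick's own code): diff detection between two
scans, HMAC-SHA256 webhook signing/verification, and a consecutive-failure
auto-disable. Payload fields and the header name are assumptions.
"""
import hashlib
import hmac
import json
from typing import Callable, Dict

GRADES = "ABCDEF"  # the page's A-F score scale; A best, F worst


def diff_scans(previous: Dict, current: Dict) -> Dict:
    """Scan shape (assumed): {"score": "B", "findings": [{"id": ..., "title": ...}]}.
    Findings are matched on a stable id so a retitled finding is not reported
    as new."""
    prev = {f["id"]: f for f in previous["findings"]}
    curr = {f["id"]: f for f in current["findings"]}
    return {
        "new": [curr[i] for i in curr if i not in prev],
        "resolved": [prev[i] for i in prev if i not in curr],
        # positive drift means the score got worse (moved toward F)
        "score_drift": GRADES.index(current["score"]) - GRADES.index(previous["score"]),
    }


def sign_payload(secret: bytes, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the exact bytes that go on the wire."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value: str) -> bool:
    """Receiver side: recompute over the raw request body (never over
    re-serialized JSON) and compare in constant time."""
    return hmac.compare_digest(sign_payload(secret, body), header_value)


class Webhook:
    """One configured webhook with the page's auto-disable rule."""
    MAX_CONSECUTIVE_FAILURES = 5
    SIGNATURE_HEADER = "X-Signature-SHA256"  # assumed name

    def __init__(self, url: str, secret: bytes,
                 deliver: Callable[[str, Dict[str, str], bytes], bool]):
        self.url = url
        self.secret = secret
        self.deliver = deliver  # (url, headers, body) -> True on HTTP 2xx
        self.consecutive_failures = 0
        self.enabled = True

    def send(self, event: Dict) -> bool:
        if not self.enabled:
            return False
        body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
        headers = {"Content-Type": "application/json",
                   self.SIGNATURE_HEADER: sign_payload(self.secret, body)}
        try:
            ok = bool(self.deliver(self.url, headers, body))
        except Exception:            # network error counts as a failure
            ok = False
        if ok:
            self.consecutive_failures = 0   # any success resets the streak
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.MAX_CONSECUTIVE_FAILURES:
                self.enabled = False        # stays off until re-enabled by hand
        return ok


if __name__ == "__main__":
    # Constructed scan results for an offline run.
    prev_scan = {"score": "B", "findings": [
        {"id": "cors-wildcard", "title": "CORS allows any origin"},
        {"id": "no-rate-limit", "title": "No rate limiting on /login"}]}
    curr_scan = {"score": "C", "findings": [
        {"id": "no-rate-limit", "title": "No rate limiting on /login"},
        {"id": "pii-in-response", "title": "Email addresses in list response"}]}
    delta = diff_scans(prev_scan, curr_scan)
    print(json.dumps(delta, indent=2))

    secret = b"constructed-shared-secret"
    hook = Webhook("https://hooks.example.invalid/middlebrick", secret,
                   lambda url, headers, body: verify_signature(secret, body,
                                                               headers["X-Signature-SHA256"]))
    print("delivered:", hook.send({"type": "scan.diff", "diff": delta}))
```

On the receiving end, read the raw body bytes before any JSON parsing and verify against those; a framework that parses and re-serializes the body will produce a different byte string and a spurious signature mismatch.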

Pricing tiers and data handling

The Free tier provides three scans per month and CLI access. Starter at 99 dollars per month supports 15 APIs, monthly scans, dashboard access, email alerts, and the MCP Server. Pro at 499 dollars per month supports 100 APIs with additional APIs priced at 7 dollars each, continuous monitoring, GitHub Action gates, CI/CD integration, Slack and Teams alerts, compliance reports, and signed webhooks. Enterprise at 2000 dollars per month offers unlimited APIs, custom rules, SSO, audit logs, an SLA, and dedicated support.

Customer data is never sold and is not used for model training. Data is deletable on demand and purged within 30 days of account cancellation.

Limitations and scope

The scanner does not perform active exploitation such as SQL injection or command injection, which requires intrusive payloads outside its scope. It does not detect business logic vulnerabilities or blind SSRF that relies on out-of-band infrastructure, and it does not replace a human pentester for high-stakes audits. Findings are provided with remediation guidance, but the tool does not fix, patch, block, or certify compliance with any standard.

Frequently Asked Questions

Which frameworks does the scanner map findings to?
It maps findings to OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II, and it helps you prepare for security controls described in other frameworks.
Can authenticated scans be configured?
Yes, authenticated scans support Bearer, API key, Basic auth, and cookies, and they require domain verification before credentials are accepted.
Does the tool actively exploit vulnerabilities?
No. The scanner uses read-only methods and does not send destructive payloads, active SQL injection, or command injection tests.
How is scan data handled after cancellation?
Customer scan data can be deleted on demand and is purged within 30 days of cancellation. It is never sold or used for model training.
What integrations are available?
Integrations include a Web Dashboard, CLI, GitHub Action, MCP Server for AI coding assistants, and a programmatic API client.