Akto for API marketplaces

API marketplaces expose a large surface through public portals, documentation, and developer portals that often integrate multiple backend services. The primary risk in this environment is authorization failures, where one consumer can access another consumer’s data or administrative functions. Black-box scanning is effective here because it evaluates the live endpoints without requiring source code or build artifacts. middleBrick runs read-only checks against marketplace APIs to surface authentication weaknesses, IDOR patterns, and exposure of sensitive data without executing destructive payloads.

middleBrick maps findings to OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II controls. Detection includes authentication bypass attempts, JWT misconfigurations such as alg=none or missing claims, and security header inconsistencies including WWW-Authenticate compliance. The scanner identifies BOLA and BFLA indicators like sequential ID enumeration, admin endpoint exposure, and role/permission field leakage. Input validation checks cover CORS wildcard usage with credentials, dangerous HTTP methods, and debug endpoints. Data exposure findings include PII patterns, Luhn-validated card numbers, API key formats for AWS and GitHub, error and stack-trace leakage, and unencrypted transport indicators.

Marketplace APIs that expose LLM or AI features are assessed with 18 adversarial probes across Quick, Standard, and Deep scan tiers. These checks target system prompt extraction, instruction override attempts, DAN and roleplay jailbreaks, data exfiltration paths, cost exploitation, base64 and ROT13 encoding bypasses, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool-abuse scenarios, nested instruction injection, and PII extraction. The scanner evaluates how API contracts handle untrusted input and whether model instructions can be inadvertently altered through crafted payloads.

middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution, cross-referencing spec definitions against runtime behavior. It flags undefined security schemes, sensitive fields in responses, deprecated operations, and missing pagination. For authenticated scans, which require at least the Starter tier, supported methods include Bearer, API key, Basic auth, and Cookie. Domain verification is enforced via DNS TXT record or an HTTP well-known file to ensure only the domain owner can submit credentials. Forwarded headers are limited to Authorization, X-API-Key, Cookie, and X-Custom-* to reduce noise and credential leakage.

Pro tier enables scheduled rescans every 6 hours, daily, weekly, or monthly, with diff detection to highlight new findings, resolved items, and score drift. Alerts are delivered via email at a rate-limited frequency of one per hour per API, and HMAC-SHA256 signed webhooks disable automatically after 5 consecutive failures. The scanner integrates into CI/CD through a GitHub Action that can fail builds when scores drop below a defined threshold. An MCP server allows scanning from AI coding assistants, and the CLI supports JSON and text output for scripting. Note that the tool detects issues and provides remediation guidance but does not patch, block, or remediate findings automatically.