Akto for Backend engineers
What middleBrick covers
- Black-box API scans that complete in under one minute.
- Risk scoring from A to F with prioritized findings.
- OpenAPI 3.x and Swagger 2.0 spec parsing and validation.
- Authenticated scans with strict header allowlisting.
- Continuous monitoring with diff detection and alerts.
- CI/CD integration via GitHub Action for gate enforcement.
Black-box scanning for backend environments
middleBrick is a self-service API security scanner designed for backend workflows. You submit an API endpoint URL and receive a risk score from A to F with prioritized findings. The scanner operates as a black-box solution, requiring no agents, SDKs, or code access. It supports any language, framework, or cloud stack and completes scans in under a minute. It uses only read-only methods such as GET and HEAD, plus text-only POST probes for LLM endpoints.
Detection aligned to industry standards
The scanner detects findings across 12 categories aligned to the OWASP API Top 10 (2023). These include authentication bypass and JWT misconfigurations such as alg=none, weak algorithms, expired tokens, missing claims, and sensitive data in claims. It also identifies BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing, and BFLA and privilege escalation through admin endpoint probing and role/permission leakage. Additional categories cover property authorization over-exposure, input validation issues like CORS wildcards and dangerous HTTP methods, rate limiting and resource consumption signals, and data exposure patterns including PII, API keys, and error leakage. Encryption checks verify HTTPS redirects, HSTS, and cookie flags. The tool also probes SSRF indicators and unsafe consumption surfaces, and includes 18 LLM security probes across multiple scan tiers.
- Authentication and security header compliance.
- BOLA / IDOR via ID enumeration and probing.
- BFLA / privilege escalation attempts.
- Property authorization and data exposure.
- Input validation and SSRF indicators.
- LLM adversarial probe results.
OpenAPI analysis and authenticated scanning
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 definitions with recursive $ref resolution. It cross-references spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For authenticated scans, supported methods include Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through DNS TXT records or an HTTP well-known file, ensuring only the domain owner can run scans with credentials. The scanner forwards a strict header allowlist, limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers.
middlebrick scan https://api.example.com/openapi.json --auth-type bearer --token YOUR_TOKEN
Product features and continuous monitoring
The Web Dashboard centralizes scan results, score trends, and report downloads with branded compliance PDFs. The CLI, distributed as an npm package, enables scriptable scanning with JSON or text output. A GitHub Action can integrate scanning into CI/CD pipelines and fail builds when scores drop below a defined threshold. The MCP Server allows scans from AI coding assistants such as Claude and Cursor.
Pro tier adds continuous monitoring, including scheduled rescans at intervals of six hours, daily, weekly, or monthly. Diff detection highlights new findings, resolved issues, and score drift over time. Email alerts are rate-limited to one per hour per API, and HMAC-SHA256-signed webhooks are automatically disabled after five consecutive delivery failures.
Safety posture and limitations
The scanner uses read-only methods only and never sends destructive payloads. Internal infrastructure elements such as private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data is deletable on demand, is purged within 30 days of cancellation, and is never sold or used for model training.
middleBrick does not fix, patch, block, or remediate issues; it detects and reports them with remediation guidance. It does not perform active SQL injection or command injection testing, which would require intrusive payloads outside its scope. Business logic vulnerabilities are also outside its detection capabilities, since finding them requires domain expertise. Blind SSRF and other out-of-band infrastructure issues are not in scope, and the tool does not replace a human pentester for high-stakes audits.