Akto for Internal APIs
What middleBrick covers
- Black-box scanning with scan times under one minute
- Authentication bypass and JWT misconfiguration detection
- Broken Object Level Authorization and privilege escalation checks
- LLM adversarial probes across Quick, Standard, and Deep tiers
- OpenAPI 3.0 and Swagger 2.0 spec comparison against runtime
- Continuous monitoring with diff detection and webhook alerts
How the scanner assesses internal APIs
middleBrick is a black-box API security scanner designed for internal and partner-facing services. You submit a target URL and receive a risk score from A to F along with prioritized findings in under a minute. The scanner uses read-only methods such as GET and HEAD, with text-only POST allowed for LLM probes, so the assessment makes no changes to your services.
It parses OpenAPI 3.0, 3.1, and Swagger 2.0 definitions with recursive $ref resolution, then compares the specification against runtime behavior. This highlights discrepancies such as undefined security schemes, deprecated operations, and missing pagination that commonly affect internal API designs.
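The spec-side half of that comparison can be shown in code. The following is an added example, not middleBrick's own implementation: it resolves document-local $ref pointers recursively (guarding against self-referencing schemas), then walks the operations and reports the three spec-level issues named above. The sample spec, the pagination parameter names and the finding wording are constructed assumptions.

```python
"""Added example: local $ref resolution and spec-level checks over an OpenAPI 3.x
document. Not middleBrick's own code; the sample spec and the rule set are constructed."""

# Constructed sample spec: one well-formed operation, one deprecated operation that
# names a security scheme the document never defines, and one self-referencing schema.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}},
        "parameters": {"Page": {"name": "page", "in": "query", "schema": {"type": "integer"}}},
        "schemas": {
            "User": {"type": "object", "properties": {"id": {"type": "integer"}}},
            "UserList": {"type": "array", "items": {"$ref": "#/components/schemas/User"}},
            "Tree": {"type": "object", "properties": {
                "children": {"type": "array", "items": {"$ref": "#/components/schemas/Tree"}}}},
        },
    },
    "paths": {
        "/users": {"get": {
            "security": [{"bearer": []}],
            "responses": {"200": {"content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/UserList"}}}}},
        }},
        "/admin/export": {"get": {
            "deprecated": True,
            "security": [{"apiKey": []}],  # scheme never declared in components
            "parameters": [{"$ref": "#/components/parameters/Page"}],
            "responses": {"200": {"content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/UserList"}}}}},
        }},
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
PAGINATION_PARAMS = {"page", "limit", "offset", "cursor", "per_page", "page_size"}  # assumed names


def resolve_pointer(doc, ref):
    """Follow a document-local JSON pointer such as '#/components/schemas/User'."""
    if not ref.startswith("#/"):
        raise ValueError(f"only document-local $ref values are supported: {ref}")
    node = doc
    for token in ref[2:].split("/"):
        token = token.replace("~1", "/").replace("~0", "~")  # RFC 6901 unescaping
        node = node[token]
    return node


def resolve_refs(doc, node, active=frozenset()):
    """Return a copy of node with every $ref expanded in place. 'active' holds the refs
    currently being expanded so a self-referencing schema is expanded once, not forever."""
    if isinstance(node, dict):
        if "$ref" in node:
            ref = node["$ref"]
            if ref in active:
                return dict(node)  # recursive schema: keep the pointer
            return resolve_refs(doc, resolve_pointer(doc, ref), active | {ref})
        return {key: resolve_refs(doc, value, active) for key, value in node.items()}
    if isinstance(node, list):
        return [resolve_refs(doc, item, active) for item in node]
    return node


def audit_spec(spec):
    """Return (location, finding) pairs for undefined security schemes, deprecated
    operations, and array-returning GETs that declare no pagination parameter."""
    resolved = resolve_refs(spec, spec)
    declared_schemes = set(spec.get("components", {}).get("securitySchemes", {}))
    findings = []
    for path, item in resolved.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip 'parameters', 'summary' and other non-operation keys
            where = f"{method.upper()} {path}"
            if op.get("deprecated"):
                findings.append((where, "deprecated operation still exposed"))
            for requirement in op.get("security", spec.get("security", [])):
                for scheme in requirement:
                    if scheme not in declared_schemes:
                        findings.append((where, f"undefined security scheme '{scheme}'"))
            if method == "get":
                param_names = {p.get("name") for p in op.get("parameters", [])}
                returns_array = any(
                    media.get("schema", {}).get("type") == "array"
                    for response in op.get("responses", {}).values()
                    for media in response.get("content", {}).values()
                )
                if returns_array and not (param_names & PAGINATION_PARAMS):
                    findings.append((where, "array response without pagination parameters"))
    return findings


if __name__ == "__main__":
    for where, finding in audit_spec(SAMPLE_SPEC):
        print(f"{where}: {finding}")
```

Run it and the /users listing is reported for having no pagination parameter, while /admin/export is reported twice: once as deprecated and once for naming an apiKey scheme that components never declares. The runtime half of the comparison (probing each operation and diffing observed behaviour against this result) is what the scanner adds on top.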
Detection coverage aligned to major frameworks
Findings map directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). The engine covers authentication bypass techniques including JWT misconfigurations such as alg=none, HS256 usage, expired tokens, missing claims, and leakage of sensitive data in claims.
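The JWT checks listed above are structural: a black-box scanner holds no verification key, so it reasons about the header, the claim set and the lifetime of tokens a service issues. The following is an added example, not middleBrick's own code, that implements those checks; the required-claim set (sub, iat, exp), the sensitive-claim heuristics, the finding wording and the sample tokens are constructed assumptions.

```python
"""Added example: structural checks on JWTs a service hands out. Not middleBrick's own
code; the required-claim set, the finding wording and the sample tokens are constructed."""
import base64
import hashlib
import hmac
import json
import re
import time

REQUIRED_CLAIMS = ("sub", "iat", "exp")          # assumed minimum claim set
SENSITIVE_KEYS = {"password", "ssn", "secret", "card"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_jwt(header, payload, secret=None, signature=""):
    """Build a token. With a secret the third segment is an HS256 MAC; otherwise the
    caller-supplied signature string is used verbatim (empty for an alg=none token)."""
    head = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    if secret is not None:
        signature = b64url_encode(hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest())
    return f"{head}.{body}.{signature}"


def inspect_jwt(token, now=None):
    """Return a list of findings. The signature is not verified: a black-box scanner
    holds no verification key, so it reasons about header, claims and lifetime only."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed token: expected three segments"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
    except ValueError:
        return ["malformed token: header or payload is not base64url JSON"]
    findings = []
    alg = str(header.get("alg", "")).lower()
    if alg == "none" or not parts[2]:
        findings.append("unsigned token (alg=none or empty signature)")
    elif alg == "hs256":
        findings.append("HS256: symmetric secret shared with every verifier")
    for claim in REQUIRED_CLAIMS:
        if claim not in payload:
            findings.append(f"missing claim '{claim}'")
    if isinstance(payload.get("exp"), (int, float)) and payload["exp"] < now:
        findings.append("token expired")
    for key, value in payload.items():
        if key.lower() in SENSITIVE_KEYS or (isinstance(value, str) and EMAIL_RE.search(value)):
            findings.append(f"sensitive data in claim '{key}'")
    return findings


# Constructed sample tokens, evaluated at a fixed clock so results are reproducible.
NOW = 1_700_000_000
DEMO_SECRET = b"constructed-demo-secret"  # placeholder, not a real key
TOKEN_NONE = make_jwt({"alg": "none"}, {"sub": "42", "email": "alice@example.com"})
TOKEN_HS256 = make_jwt({"alg": "HS256", "typ": "JWT"},
                       {"sub": "42", "iat": NOW - 7200, "exp": NOW - 3600}, secret=DEMO_SECRET)
TOKEN_OK = make_jwt({"alg": "RS256", "typ": "JWT"},
                    {"sub": "42", "iat": NOW - 60, "exp": NOW + 3600},
                    signature="placeholder-signature-not-checked")

if __name__ == "__main__":
    for name, token in (("none", TOKEN_NONE), ("hs256", TOKEN_HS256), ("ok", TOKEN_OK)):
        print(name, inspect_jwt(token, now=NOW))
```

The unsigned sample collects four findings (no signature, missing iat and exp, an e-mail address in a claim), the HS256 sample two (symmetric algorithm, expired), and the RS256 sample none. Passing a fixed clock to inspect_jwt keeps the expiry check deterministic; in a real scan the current time is used.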
It detects Broken Object Level Authorization through sequential ID enumeration and active adjacent-ID probing, and identifies BFLA and privilege escalation via admin endpoint probing and role/permission field leakage. Input validation checks include CORS wildcard usage with and without credentials, dangerous HTTP methods, and debug endpoints.
Additional coverage includes rate-limit header detection, oversized responses, and unpaginated arrays; data exposure patterns such as email addresses, Luhn-validated card numbers, context-aware SSN formats, and API key formats for AWS, Stripe, GitHub, and Slack; and encryption issues like missing HTTPS redirects, HSTS, and cookie flags.
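The data exposure patterns are the part of that list most easily shown end to end. The following is an added example, not middleBrick's own code, that runs them over a captured response body: card candidates are only reported when they pass the Luhn check, and SSN-shaped values are only reported when an "ssn" or "social" label appears shortly before them. The key-format patterns use the commonly published prefixes (AKIA, sk_live_/sk_test_, ghp_, xox*), the context window is an assumption, and the response body is constructed.

```python
"""Added example: data-exposure patterns run over a captured response body. Not
middleBrick's own code; the key-format patterns are common public prefixes, the SSN
context window is an assumption, and the response body is constructed."""
import re

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")        # 13 to 19 digits, spaces/dashes allowed
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
SSN_CONTEXT_RE = re.compile(r"ssn|social", re.IGNORECASE)
SSN_CONTEXT_WINDOW = 30                                   # assumed: chars before the match
API_KEY_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_secret": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{10,}\b"),
    "github_token": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "slack_token": re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}\b"),
}


def luhn_valid(digits):
    """Luhn checksum: every second digit from the right is doubled, digit sums taken."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        digit = int(char)
        if position % 2 == 1:
            digit = digit * 2 - 9 if digit * 2 > 9 else digit * 2
        total += digit
    return total % 10 == 0


def scan_response(body):
    """Return (kind, match) pairs. Card candidates must pass Luhn so tracking and order
    numbers are not reported; SSN-shaped values need an 'ssn'/'social' label nearby."""
    findings = []
    for m in CARD_RE.finditer(body):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            findings.append(("card_number", m.group()))
    for m in EMAIL_RE.finditer(body):
        findings.append(("email", m.group()))
    for m in SSN_RE.finditer(body):
        context = body[max(0, m.start() - SSN_CONTEXT_WINDOW):m.start()]
        if SSN_CONTEXT_RE.search(context):
            findings.append(("ssn", m.group()))
    for kind, pattern in API_KEY_PATTERNS.items():
        for m in pattern.finditer(body):
            findings.append((kind, m.group()))
    return findings


# Constructed response body: one real-format test card number, one 13-digit tracking
# number that fails Luhn, one labelled SSN, one unlabelled SSN-shaped order reference,
# and two placeholder keys in the AWS and Stripe formats.
SAMPLE_BODY = (
    '{"user":{"id":1042,"ssn":"123-45-6789","email":"alice@example.com"},'
    '"shipment":{"order_ref":"987-65-4321","tracking":"1234567890123"},'
    '"payment":{"card":"4111 1111 1111 1111"},'
    '"config":{"aws_key":"AKIAIOSFODNN7EXAMPLE","stripe":"sk_test_EXAMPLEkeyEXAMPLEkey000"}}'
)

if __name__ == "__main__":
    for kind, value in scan_response(SAMPLE_BODY):
        print(f"{kind}: {value}")
```

On the sample body the tracking number and the order reference are both left out: the first fails Luhn, the second has no SSN label within the context window. That is the difference between a pattern match and a finding a reviewer can act on.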
Authenticated scanning and safety controls
Authenticated scanning is available from the Starter tier and above, supporting Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through a DNS TXT record or an HTTP well-known file, ensuring only the domain owner can scan with credentials.
Header forwarding is limited to Authorization, X-API-Key, Cookie, and X-Custom-* to reduce information leakage. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers, and destructive payloads are never sent as part of the assessment.
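Both controls in this paragraph are pre-flight checks a credentialed scanner runs before sending anything. The following is an added example, not middleBrick's own code, showing a header allowlist matching the four forwarded names above and a destination guard that rejects private, loopback, link-local and cloud-metadata addresses, including names that resolve to a mix of public and private answers. The blocked-network list, the metadata hostnames, the finding wording and the stub DNS table are constructed assumptions; the RFC 5737 documentation ranges stand in for public addresses.

```python
"""Added example: the two pre-flight guards a credentialed scanner needs before it
touches a target: an allowlist for forwarded headers and a deny list for private,
loopback, link-local and cloud-metadata destinations. Not middleBrick's own code; the
network list, the metadata names and the stub DNS table are constructed."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_HEADERS = {"authorization", "x-api-key", "cookie"}
ALLOWED_HEADER_PREFIX = "x-custom-"

# Assumed deny list. Metadata services (169.254.169.254, fd00:ec2::254, 100.100.100.200)
# all fall inside these ranges. A stricter guard can also require ip.is_global.
BLOCKED_NETWORKS = [ipaddress.ip_network(net) for net in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]
BLOCKED_HOSTNAMES = {"localhost", "metadata", "metadata.google.internal", "instance-data"}


def filter_headers(headers):
    """Keep only the headers the scanner is allowed to forward to the target."""
    return {name: value for name, value in headers.items()
            if name.lower() in ALLOWED_HEADERS or name.lower().startswith(ALLOWED_HEADER_PREFIX)}


def is_blocked_ip(address):
    """True if the address lies in a blocked range; IPv4-mapped IPv6 is unwrapped first."""
    ip = ipaddress.ip_address(address)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def resolve_host(hostname):
    """Every A/AAAA answer for the name (a stub stands in for this in the sample run)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def check_target(url, resolve=resolve_host):
    """Return (allowed, reason). A hostname is rejected if ANY of its addresses is blocked,
    so a name that mixes public and private answers cannot slip through."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme '{parts.scheme}' not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host in BLOCKED_HOSTNAMES or host.endswith(".localhost"):
        return False, f"blocked hostname '{host}'"
    try:
        ipaddress.ip_address(host)            # literal IP: check it directly
        addresses = [host]
    except ValueError:
        try:
            addresses = resolve(host)
        except (socket.gaierror, ValueError):
            return False, f"cannot resolve '{host}'"
    for address in addresses:
        if is_blocked_ip(address):
            return False, f"'{host}' maps to blocked address {address}"
    return True, "ok"


# Constructed DNS table; the RFC 5737 documentation ranges stand in for public addresses.
FAKE_DNS = {
    "api.example.com": ["203.0.113.10"],
    "partner.example.net": ["198.51.100.7", "2001:db8::7"],
    "split.example.org": ["203.0.113.20", "10.0.0.5"],   # one public and one private answer
}


def stub_resolve(hostname):
    if hostname not in FAKE_DNS:
        raise socket.gaierror(f"no constructed entry for {hostname}")
    return FAKE_DNS[hostname]


if __name__ == "__main__":
    for url in ("https://api.example.com/v1/users", "http://169.254.169.254/latest/meta-data/",
                "http://localhost:8080/", "https://split.example.org/", "http://[::ffff:127.0.0.1]/"):
        print(url, check_target(url, resolve=stub_resolve))
```

The guard resolves the name itself and checks every answer rather than trusting a single lookup; a scanner should then connect to the address it vetted rather than resolving again. The page's phrase "blocked at multiple layers" covers exactly this: the URL check here is one layer, and an egress policy on the scanner's network is the second.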
LLM and AI-specific security probes
The scanner includes 18 adversarial probes executed across three scan tiers: Quick, Standard, and Deep. These probes test for system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration attempts, cost exploitation, and base64 or ROT13 encoding bypasses.
Additional checks include translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool abuse, nested instruction injection, and PII extraction. This helps surface risks specific to LLM-facing endpoints commonly found in internal services.
Product features, monitoring, and exclusions
The Web Dashboard provides scan management, score trend tracking, branded compliance PDF downloads, and historical comparisons. The CLI supports commands such as middlebrick scan <url> with JSON or text output, and the GitHub Action can fail builds when scores drop below a defined threshold.
Pro tier adds scheduled rescans every 6 hours, daily, weekly, or monthly, with diff detection for new and resolved findings. HMAC-SHA256 signed webhooks deliver alerts, and email notifications are rate-limited to one per hour per API.
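On the receiving side, an HMAC-SHA256 signed webhook is only useful if the consumer verifies it correctly. The following is an added example, not middleBrick's own code, that computes the new/resolved diff between two scans, signs the resulting alert body, and verifies it with a replay window and a constant-time comparison. The header names, the signed-string layout (timestamp, a dot, then the body), the tolerance window and the sample findings are constructed assumptions; the real webhook format is whatever the product documents.

```python
"""Added example: diffing two scan results and verifying an HMAC-SHA256 signed webhook
delivery. Not middleBrick's own code; the header names, the signed-string layout
(timestamp + '.' + body) and the sample findings are constructed assumptions."""
import hashlib
import hmac
import json
import time

SIGNATURE_HEADER = "X-Webhook-Signature"   # assumed header name
TIMESTAMP_HEADER = "X-Webhook-Timestamp"   # assumed header name
TOLERANCE_SECONDS = 300                    # assumed replay window


def diff_findings(previous, current):
    """Classify findings as new or resolved between two scans; findings are identified by key."""
    previous, current = set(previous), set(current)
    return {"new": sorted(current - previous), "resolved": sorted(previous - current)}


def sign_webhook(secret, timestamp, body):
    """Producer side: MAC over '<timestamp>.<body>' so the timestamp cannot be swapped."""
    message = f"{timestamp}.".encode() + body
    digest = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return {SIGNATURE_HEADER: f"sha256={digest}", TIMESTAMP_HEADER: str(timestamp)}


def verify_webhook(secret, headers, body, now=None):
    """Consumer side: reject stale timestamps first, then compare MACs in constant time."""
    now = int(time.time()) if now is None else now
    timestamp = headers.get(TIMESTAMP_HEADER, "")
    if not timestamp.isdigit():
        return False, "missing or malformed timestamp"
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
        return False, "timestamp outside tolerance"
    expected = sign_webhook(secret, timestamp, body)[SIGNATURE_HEADER]
    if not hmac.compare_digest(expected, headers.get(SIGNATURE_HEADER, "")):
        return False, "signature mismatch"
    return True, "ok"


# Constructed sample: two consecutive scans of one API and the alert body built from them.
SECRET = b"constructed-webhook-secret"  # placeholder, not a real key
PREVIOUS = ["cors-wildcard-with-credentials", "missing-hsts"]
CURRENT = ["missing-hsts", "debug-endpoint-exposed"]
NOW = 1_700_000_000
BODY = json.dumps({"api": "https://api.example.com", "diff": diff_findings(PREVIOUS, CURRENT)},
                  sort_keys=True).encode()
HEADERS = sign_webhook(SECRET, NOW, BODY)

if __name__ == "__main__":
    print(HEADERS)
    print(verify_webhook(SECRET, HEADERS, BODY, now=NOW + 10))
    print(verify_webhook(SECRET, HEADERS, BODY + b" ", now=NOW + 10))
```

Two details matter for a consumer: the MAC is computed over the raw request bytes, not over a re-serialised JSON object (any whitespace change breaks it, as the trailing-space call shows), and the comparison uses hmac.compare_digest rather than == so timing does not leak how many leading bytes matched.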
The tool does not fix, patch, block, or remediate issues. It does not perform active SQL injection or command injection testing, detect business logic vulnerabilities, or provide blind SSRF detection. It is not a replacement for a human pentester in high-stakes audit scenarios.