Alternatives to APIsec in Education
What middleBrick covers
- Black-box API scanning with risk score A–F
- 12 OWASP API Top 10 (2023) vulnerability categories
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with ref resolution
- LLM adversarial probe suites across scan tiers
- Authenticated scans with Bearer, API key, Basic, and Cookie
- Continuous monitoring with diff detection and alerts
Purpose and scope for education environments
In academic and research settings, API assets often include public course portals, library catalogs, registration services, and lab instrumentation interfaces. These environments mix student data, research records, and operational systems, which makes exposure management important. The tool is a black-box scanner: you submit a URL and receive a risk score from A to F with prioritized findings. It requires no agents, SDKs, or code access and works with any language, framework, or cloud. A scan completes in under one minute and uses read-only HTTP methods, plus text-only POST requests for the LLM probes.
Detection coverage aligned to recognized standards
The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023):
- Authentication: multi-method bypass and JWT misconfigurations, including alg=none, weak algorithms, expired tokens, missing claims, and sensitive data in claims.
- Object level and function level authorization: sequential ID enumeration, adjacent ID probing, admin endpoint probing, and privilege escalation via role or permission field leakage.
- Property authorization: over-exposed data and internal field leakage.
- Input validation: CORS wildcard usage with credentials, dangerous HTTP methods, and debug endpoints.
- Rate limiting and resource consumption.
- Data exposure: emails, Luhn-validated card numbers, context-aware SSNs, API key formats, and error or stack trace leakage.
- Encryption: HTTPS redirects, HSTS, cookie flags, and mixed content.
- SSRF: probes against URL-accepting parameters and body fields, including internal IP detection and IP-bypass attempts.
- Inventory management: missing versioning, legacy paths, and server fingerprinting.
- Unsafe consumption: excessive third-party URLs and webhook/callback exposure.
- LLM security: 18 adversarial probes across Quick, Standard, and Deep tiers, covering system prompt extraction, instruction override, jailbreaks, data exfiltration, cost exploitation, encoding bypasses, injection techniques, and token smuggling.
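As an added illustration of the data-exposure category (this is example code written for this page, not middleBrick's own detector), the following runs over a constructed API response and reports email addresses and card-number candidates. The Luhn check is what keeps a 16-digit order id from being reported as a card; the regexes, the sample response, and the field names in it are assumptions made for the example.

```javascript
// Added example (not middleBrick's code): detect a few of the data-exposure
// patterns named on the page in a response body, with Luhn validation so that
// arbitrary 16-digit identifiers are not reported as card numbers.

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
// 13 to 19 digits, optionally separated by single spaces or dashes
const CARD_CANDIDATE_RE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Luhn mod-10 check over a string of digits: every second digit from the
// right is doubled (minus 9 when the result exceeds 9) before summing.
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let shouldDouble = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (shouldDouble) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    shouldDouble = !shouldDouble;
  }
  return sum % 10 === 0;
}

// Scan a response body (string) and return findings grouped by type.
function detectDataExposure(body) {
  const findings = { emails: [], cards: [] };
  for (const m of body.match(EMAIL_RE) || []) findings.emails.push(m);
  for (const m of body.match(CARD_CANDIDATE_RE) || []) {
    const digits = m.replace(/[ -]/g, '');
    if (luhnValid(digits)) findings.cards.push(digits);
  }
  return findings;
}

// Constructed sample response: a student record with an email, a 16-digit id
// that fails Luhn, and the well-known Luhn-valid test number 4111 1111 1111 1111.
const SAMPLE_RESPONSE = JSON.stringify({
  student: { email: 'jane.doe@example.edu', id: 1234567890123456 },
  payment: { card: '4111 1111 1111 1111' },
});

console.log(detectDataExposure(SAMPLE_RESPONSE));
```

Running the block reports one email and one card; the numeric student id is skipped because its Luhn checksum does not come out to zero. On a real service the same function would run over responses captured in a test environment, which is what a property-authorization or data-exposure check needs to see.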
OpenAPI analysis and authenticated scanning
The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution, cross-referencing spec definitions against runtime findings to identify undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For authenticated scans, which are available from the Starter tier upward, it supports Bearer, API key, Basic auth, and Cookie credentials. Domain verification is enforced through DNS TXT records or an HTTP well-known file, ensuring only the domain owner can scan with credentials. A strict header allowlist limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-*.
Product options and integration paths
The Web Dashboard provides a centralized view for scanning, report review, score trend tracking, and downloadable branded compliance PDFs. The CLI, distributed as an npm package named middlebrick, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action enables CI/CD gating, failing the build when the score drops below a defined threshold. An MCP Server allows scans from AI coding assistants including Claude and Cursor. A flexible API client supports custom integrations for existing workflows.
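The CI/CD gating the page describes (fail the build when the score drops below a threshold) can be reproduced around the CLI's JSON output. The block below is an added example, not the middleBrick GitHub Action or CLI; the report shape it reads (a `score` letter and a `findings` array with a `severity` field) is an assumption for the example and must be mapped to the real output before use.

```javascript
// Added example, not middleBrick's code: a CI gate over the JSON report that a
// `middlebrick scan <url>` run writes. The report shape used here is an
// ASSUMPTION for the example: { score: 'C', findings: [{ severity: 'high', ... }] }.

const GRADES = ['F', 'D', 'C', 'B', 'A']; // index is the rank; higher is better

function gradeRank(grade) {
  const rank = GRADES.indexOf(String(grade).toUpperCase());
  if (rank === -1) throw new Error(`unknown grade: ${grade}`);
  return rank;
}

// Evaluate a report against a policy. Returns { pass, reasons } so the CI step
// decides how to surface the result and which exit code to use.
function gateScan(report, { minGrade = 'B', maxHighFindings = 0 } = {}) {
  const reasons = [];
  if (gradeRank(report.score) < gradeRank(minGrade)) {
    reasons.push(`score ${report.score} is below the required ${minGrade}`);
  }
  const high = (report.findings || []).filter((f) => f.severity === 'high');
  if (high.length > maxHighFindings) {
    reasons.push(`${high.length} high-severity finding(s), limit is ${maxHighFindings}`);
  }
  return { pass: reasons.length === 0, reasons };
}

// Exit code a CI step would return: 0 passes the build, 1 fails it.
function exitCodeFor(report, policy) {
  return gateScan(report, policy).pass ? 0 : 1;
}

// Constructed sample report (not real scanner output).
const SAMPLE_REPORT = {
  target: 'https://portal.example.edu',
  score: 'C',
  findings: [
    { id: 'API2', severity: 'high', title: 'JWT accepted with alg=none' },
    { id: 'API8', severity: 'low', title: 'HSTS header missing' },
  ],
};

const verdict = gateScan(SAMPLE_REPORT, { minGrade: 'B' });
for (const reason of verdict.reasons) console.error(`gate: ${reason}`);
console.log(verdict.pass ? 'gate: pass' : `gate: fail (exit ${exitCodeFor(SAMPLE_REPORT, { minGrade: 'B' })})`);
```

Two policy knobs are deliberate: a letter threshold alone lets a single high-severity finding through if the aggregate grade is still acceptable, so the gate also caps high-severity findings. Wire `exitCodeFor` to `process.exit` in the real CI step; the example avoids exiting so it can be imported and tested.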
Continuous monitoring and data handling
The Pro tier adds scheduled rescans every six hours, daily, weekly, or monthly. Diff detection across scans highlights new findings, resolved findings, and score drift. Alerts are rate-limited to one email per hour per API, and webhooks are HMAC-SHA256 signed, with auto-disable after five consecutive failures. Customer scan data can be deleted on demand and is purged within 30 days of cancellation. Data is never sold and is not used for model training.