APIsec for E-Commerce

What middleBrick covers

  • Black-box API scanning using read-only methods, completing in under one minute
  • Detection of authentication bypass and JWT misconfigurations
  • BOLA and BFLA testing for IDOR and privilege escalation
  • Data exposure checks for PII and API key leakage
  • LLM adversarial probes across Quick, Standard, and Deep tiers
  • OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution

Purpose and scope of API security for e-commerce

E-commerce platforms expose multiple public APIs for product data, checkout flows, and account management, increasing the attack surface compared to internal services. APIsec targets the API layer where authentication, data exposure, and business logic intersect. The scanner emphasizes detection of authentication bypass, data leakage, and injection-related findings that map to OWASP API Top 10 (2023) and align with security controls described in PCI-DSS 4.0 and SOC 2 Type II.

Black-box scanning approach and limitations

APIsec performs a black-box scan using only read-only methods (GET and HEAD) plus text-only POST for LLM probes. It works without agents, SDKs, or code access, making it applicable to any language, framework, or cloud. The tool does not fix, patch, block, or remediate findings; it reports detected issues with remediation guidance. It does not perform active SQL injection or command injection, does not detect blind SSRF, and cannot identify business logic vulnerabilities that require domain context. It is not a replacement for a human pentester for high-stakes audits.

Detection coverage relevant to e-commerce workflows

The scanner evaluates 12 categories aligned to OWASP API Top 10 (2023), with particular relevance to e-commerce threat models. Authentication checks cover multi-method bypass and JWT misconfigurations, including alg=none and expired tokens. BOLA and BFLA tests probe for IDOR and privilege escalation via role/permission leakage. Data exposure detection includes PII patterns such as email, Luhn-validated card numbers, context-aware SSN, and API key formats for AWS, Stripe, GitHub, and Slack. Input validation covers CORS wildcard configurations and dangerous HTTP methods. LLM security includes 18 adversarial probes across Quick, Standard, and Deep tiers, targeting system prompt extraction, instruction override, and data exfiltration scenarios common in AI-assisted e-commerce features. These results help you prepare for compliance requirements and provide material relevant to audit evidence for PCI-DSS and SOC 2.
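As an added example (not middleBrick's own code), the following Python shows how two of the checks above work on the defender's side: data exposure detection over a response body (email and API key patterns, plus digit runs that are only reported as card numbers when they pass the Luhn checksum) and a structural JWT inspection that flags alg=none, an empty signature segment, and expired or missing exp claims. The regexes are approximations of the well-known key formats, the function names are assumptions, and the sample response is constructed; the JWT check inspects the token only and does not verify signatures.

```python
import base64
import json
import re
import time

# Added example (not middleBrick's own code): response-body PII/secret detection
# and JWT header/claim checks of the kind described above. The regexes are
# approximations of the well-known key formats, chosen for this example.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b"),
    "github_token": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "slack_token": re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}\b"),
}
# 13 to 19 digits, optionally separated by spaces or dashes: only a candidate
# until the Luhn checksum confirms it.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_exposures(body: str) -> list:
    """Scan a response body and return (finding_type, matched_value) pairs."""
    hits = [(kind, m.group(0)) for kind, rx in PATTERNS.items()
            for m in rx.finditer(body)]
    for m in CARD_CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Luhn filters out order numbers and other ids of card-number length.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(("card_number", digits))
    return hits


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def make_token(header: dict, payload: dict, signature: str = "sig") -> str:
    """Build an unverified JWT-shaped string for testing (constructed input)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc(header)}.{enc(payload)}.{signature}"


def jwt_findings(token: str, now: float = None) -> list:
    """Inspect a token's header and claims; this does not verify signatures."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
    except ValueError:  # bad base64url or JSON
        return ["undecodable"]
    findings = []
    # alg=none (or an empty signature segment) means the token is unsigned.
    if str(header.get("alg", "")).lower() == "none" or parts[2] == "":
        findings.append("alg_none_or_unsigned")
    if "exp" not in payload:
        findings.append("missing_exp")
    elif payload["exp"] < now:
        findings.append("expired")
    return findings


# Constructed sample response (not real customer data): the PAN is the public
# 4242... test number, the AWS id is AWS's documented example key.
SAMPLE_RESPONSE = json.dumps({
    "customer": {"email": "jane.doe@example.com",
                 "card_on_file": "4242 4242 4242 4242",
                 "order_ref": "4242424242424241"},
    "integrations": {"stripe": "sk_test_EXAMPLEa1b2c3d4e5f6g7h8i9",
                     "aws": "AKIAIOSFODNN7EXAMPLE"},
})

if __name__ == "__main__":
    for kind, value in find_exposures(SAMPLE_RESPONSE):
        print(f"{kind}: {value}")
    unsigned = make_token({"alg": "none"}, {"sub": "42", "exp": 2_000_000_000}, "")
    print(jwt_findings(unsigned))
```

Note that the order_ref value in the sample has the length of a card number but fails Luhn, so it is not reported; that is the false-positive reduction the page refers to as Luhn validation. The context-aware SSN check is omitted here because it depends on surrounding field names rather than on the value alone.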

Authenticated scanning and domain ownership verification

Authenticated scans are available in Starter tier and above, supporting Bearer, API key, Basic auth, and Cookie credentials. A domain verification gate using DNS TXT records or an HTTP well-known file ensures only the domain owner can scan with credentials. The scanner forwards a restricted header allowlist containing Authorization, X-API-Key, Cookie, and X-Custom-* headers. This approach limits exposure while enabling coverage of authenticated checkout and account management flows. Continuous monitoring in Pro tier supports scheduled rescans every 6 hours, daily, weekly, or monthly, with diff detection for new findings, resolved findings, and score drift.

Integration options and operational considerations

APIsec provides multiple integration points for e-commerce workflows. The Web Dashboard enables scan management, report viewing, score trend tracking, and downloadable branded compliance PDFs. The CLI, distributed as the middlebrick npm package, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action can gate CI/CD, failing the build when the score drops below a defined threshold. An MCP Server allows scans from AI coding assistants, and a programmable API supports custom integrations. Safety measures include blocking private IPs, localhost, and cloud metadata endpoints at multiple layers. Customer scan data is deletable on demand and purged within 30 days of cancellation, and it is never sold or used for model training.
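The following Python is an added example (not middleBrick's own code) of the two scanner-side safety controls mentioned in this section and the previous one: a target guard that refuses URLs pointing at localhost, private networks, or cloud metadata endpoints (including IPv6 loopback and IPv4-mapped forms), and a header allowlist that forwards only Authorization, X-API-Key, Cookie, and X-Custom-* headers. The function names, the blocked-hostname list, and the stub resolver are assumptions; the stub stands in for DNS so the example runs offline.

```python
import ipaddress
from typing import Callable, Dict, Iterable, Optional
from urllib.parse import urlsplit

# Added example (not middleBrick's own code): two scanner-side safety controls
# of the kind described above. Names and blocklists are assumptions.

# Hostnames that are never scanned, whatever they resolve to (assumed list).
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}
# Request headers the scanner will forward to the target (assumed allowlist).
FORWARDED_HEADERS = {"authorization", "x-api-key", "cookie"}
FORWARDED_PREFIX = "x-custom-"


def ip_is_blocked(ip) -> bool:
    """True for loopback, link-local (169.254.169.254 included), RFC 1918,
    ULA, multicast, unspecified and any other non-global address."""
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:10.0.0.5 -> 10.0.0.5
    if mapped is not None:
        ip = mapped
    return ip.is_multicast or not ip.is_global


def scan_target_allowed(url: str,
                        resolve: Optional[Callable[[str], Iterable[str]]] = None) -> bool:
    """Return False when the URL could reach localhost, a private network or a
    cloud metadata endpoint. `resolve` maps a hostname to its IP strings; when
    it is not supplied, hostnames that are not IP literals are rejected."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower().rstrip(".")
    if host in BLOCKED_HOSTNAMES or host.endswith(".localhost"):
        return False
    try:
        return not ip_is_blocked(ipaddress.ip_address(host))
    except ValueError:
        pass  # not an IP literal, so it is a name that must be resolved
    if resolve is None:
        return False
    addrs = list(resolve(host))
    # Every resolved address is checked: one private A/AAAA record rejects the target.
    return bool(addrs) and not any(ip_is_blocked(ipaddress.ip_address(a)) for a in addrs)


def filter_forwarded_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Keep only Authorization, X-API-Key, Cookie and X-Custom-* headers."""
    return {name: value for name, value in headers.items()
            if name.lower() in FORWARDED_HEADERS
            or name.lower().startswith(FORWARDED_PREFIX)}


if __name__ == "__main__":
    # Constructed stub resolver standing in for DNS, so the demo runs offline.
    def stub_resolve(host):
        return {"api.shop.example": ["93.184.216.34"],
                "intranet.shop.example": ["10.0.0.5"]}.get(host, [])

    for target in ("https://api.shop.example/v1/products",
                   "https://intranet.shop.example/",
                   "http://169.254.169.254/latest/meta-data/",
                   "http://[::1]/"):
        print(target, "->", "allowed" if scan_target_allowed(target, stub_resolve) else "blocked")
    print(filter_forwarded_headers({"Authorization": "Bearer t", "X-Custom-Tenant": "acme",
                                    "X-Forwarded-For": "203.0.113.9", "Host": "example"}))
```

The guard fails closed: a hostname that cannot be resolved, or that resolves to even one non-global address, is rejected. In a real scanner the address that passed the check must also be the one actually connected to (pinned resolution, re-checked on every redirect), since a name that resolves to a public address at check time and a private one at connect time would otherwise defeat the control; that is why the page describes blocking "at multiple layers".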

Frequently Asked Questions

Can APIsec replace a human penetration test for my e-commerce site?
No. The tool is designed to detect and report specific API-layer findings and does not perform active intrusive tests or understand business logic. It cannot replace a human pentester for high-stakes audits.
Which compliance frameworks does APIsec certify or guarantee compliance with?
The tool does not certify or guarantee compliance with any regulation. It maps findings to OWASP API Top 10 (2023), helps you prepare for PCI-DSS 4.0, and aligns with security controls described in SOC 2 Type II.
Does the scanner test for SQL injection or command injection?
No. APIsec does not perform active SQL injection or command injection testing, as those require intrusive payloads outside its scope.
How are scan results stored and handled after cancellation?
Customer scan data is deletable on demand and purged within 30 days of cancellation. Results are never sold and are not used for model training.