APIsec for Education

What middleBrick covers

  • Black-box scanning that completes in under one minute
  • Risk scoring from A to F with prioritized findings
  • Detection aligned to OWASP API Top 10 (2023)
  • OpenAPI 3.x and Swagger 2.0 spec analysis
  • Authenticated scans with header allowlist and domain verification
  • Continuous monitoring with diff detection and alerts

Black-box API Security Scanning

middleBrick is a self-service API security scanner that operates as a black-box solution. You submit a URL and receive a risk score graded A through F, along with prioritized findings. The scanner uses only read-only methods, including GET and HEAD, plus text-only POST for LLM probes, and completes in under a minute. It requires no agents, no code access, and no SDK integration, making it applicable to any language, framework, or cloud environment.

Detection Coverage and OWASP Alignment

The scanner detects issues across 12 categories aligned to the OWASP API Top 10 (2023). It identifies authentication bypasses and JWT misconfigurations such as alg=none, HS256, expired tokens, missing claims, and sensitive data in claims. Other categories include BOLA and IDOR via sequential ID enumeration, BFLA and privilege escalation through admin endpoint probing, property authorization over-exposure, input validation issues like CORS wildcard usage, rate limiting header detection, data exposure including PII and API key formats, encryption misconfigurations, SSRF probes against URL-accepting parameters, inventory management gaps, unsafe consumption surfaces, and LLM security probes across tiered scan depths. Each finding is mapped to its OWASP API Top 10 (2023) category to help you validate controls.
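The JWT checks listed above (alg=none, HS256, expired tokens, missing claims, sensitive data in claims) can all be made passively, by decoding the token without a key. The following is an added illustration, not middleBrick's own code; the required-claim list and the sensitive claim names are assumptions chosen for the example, and the sample tokens are constructed inline.

```python
import base64
import json
import time
from typing import List, Optional

# Claims every token is expected to carry (assumed policy for this example).
REQUIRED_CLAIMS = ("iss", "sub", "exp")
# Claim names that indicate secrets in a payload that is only base64url-encoded, not encrypted.
SENSITIVE_CLAIMS = ("password", "ssn", "credit_card", "api_key")

def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_token(header: dict, claims: dict, signature: bytes = b"") -> str:
    """Assemble a JWT string from its parts (used here only to build constructed samples)."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    sig = base64.urlsafe_b64encode(signature).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.{sig}"

def inspect_jwt(token: str, now: Optional[float] = None) -> List[str]:
    """Return passive findings for a JWT: reads header and claims, never verifies or needs a key."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected header.payload.signature"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError and JSONDecodeError
        return ["malformed: header or payload is not base64url-encoded JSON"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["malformed: header and payload must be JSON objects"]
    findings = []
    alg = str(header.get("alg", "")).lower()
    if alg == "none":
        findings.append("alg=none: token carries no signature at all")
    elif alg == "hs256":
        findings.append("HS256: one shared secret both signs and verifies; any verifier can mint tokens")
    for claim in REQUIRED_CLAIMS:
        if claim not in claims:
            findings.append(f"missing claim: {claim}")
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and exp < now:
        findings.append("expired: exp is in the past")
    for name in claims:
        if str(name).lower() in SENSITIVE_CLAIMS:
            findings.append(f"sensitive data in claims: {name}")
    return findings
```

A scanner would run inspect_jwt over tokens observed in responses or supplied for an authenticated scan; the check deliberately never validates the signature, so it is safe to run against any token.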

OpenAPI Analysis and Authenticated Scanning

middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 definitions with recursive $ref resolution, cross-referencing spec definitions against runtime observations. This comparison highlights undefined security schemes, sensitive fields, deprecated operations, and missing pagination. Authenticated scanning supports Bearer, API key, Basic auth, and Cookie methods. Domain verification is enforced through DNS TXT records or an HTTP well-known file so that only the domain owner can scan with credentials. A strict header allowlist is applied, forwarding only Authorization, X-API-Key, Cookie, and X-Custom-* headers.

Product Integrations and Continuous Monitoring

The Web Dashboard provides a central location to view scans, track score trends, download branded compliance PDFs, and manage findings. The CLI, available as an npm package, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action can gate CI/CD pipelines and fail builds when the score drops below a defined threshold. The MCP Server enables scanning from AI coding assistants like Claude and Cursor. For ongoing oversight, the Pro tier offers scheduled rescans at intervals ranging from every 6 hours to monthly, diff detection across scans, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that auto-disable after 5 consecutive failures.

Safety Posture and Limitations

The scanner employs a read-only posture and never sends destructive payloads. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data is deletable on demand and purged within 30 days of cancellation; data is never sold and never used for model training. The tool does not fix, patch, block, or remediate issues; it detects and reports with remediation guidance. It does not perform active SQL injection or command injection testing, which falls outside its scope. Business logic vulnerabilities require human expertise, and blind SSRF is out of scope due to the lack of out-of-band infrastructure. The scanner does not replace a human pentester for high-stakes audits.
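Blocking private IPs, localhost and cloud metadata endpoints "at multiple layers" means checking the scheme and hostname, then any literal IP, then every address the name resolves to. The guard below is an added example of that layering, not middleBrick's implementation; the metadata host list is a constructed sample, and the resolver is injectable so the logic can be exercised without DNS.

```python
import ipaddress
import socket
from typing import Callable, Tuple
from urllib.parse import urlsplit

# Cloud metadata endpoints by name or literal address (sample list for this example;
# extend it for the providers you run on).
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "fd00:ec2::254"}

def is_blocked_ip(addr: str) -> bool:
    """True for loopback, private, link-local (incl. metadata), reserved or multicast IPs."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 scope id
    return (addr in METADATA_HOSTS or ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def is_safe_target(url: str, resolver: Callable = socket.getaddrinfo) -> Tuple[bool, str]:
    """Decide whether a scanner may fetch url; returns (allowed, reason).

    Layer 1: scheme and hostname checks. Layer 2: literal IP check.
    Layer 3: resolve the name and reject if ANY returned address is blocked.
    Note: the caller should connect to the address checked here rather than
    resolving again, otherwise a rebinding DNS answer can bypass layer 3.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing hostname"
    if host in METADATA_HOSTS or host == "localhost" or host.endswith(".localhost"):
        return False, f"blocked hostname {host}"
    try:
        ipaddress.ip_address(host)  # literal IP: decide without touching DNS
        return (False, f"blocked address {host}") if is_blocked_ip(host) else (True, "literal public IP")
    except ValueError:
        pass  # not an IP literal, fall through to resolution
    try:
        addrs = {sockaddr[0] for *_, sockaddr in resolver(host, None)}
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    for addr in sorted(addrs):
        if is_blocked_ip(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, f"{host} resolves only to public addresses"
```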

Frequently Asked Questions

What compliance frameworks does middleBrick map findings to?
middleBrick maps findings directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, it helps you prepare for audits and aligns with security controls described in relevant standards.
Can the scanner access internal or private APIs?
Access to private APIs depends on network reachability from the scanning location and proper domain verification for authenticated scans. The scanner enforces strict header allowlists and blocks private IPs at multiple layers.
How are scan results delivered and stored?
Results are available in the Web Dashboard and via CLI or API output. Scan data is stored only as long as needed to provide the service; it can be deleted on demand and is purged within 30 days of account cancellation.
Does the scanner test for SQL injection or command injection?
No. The scanner focuses on non-intrusive detection of misconfigurations and does not send payloads designed to exploit SQL injection or command injection vulnerabilities.
What happens when a scan identifies a new sensitive API key?
The finding is surfaced in the dashboard with remediation guidance. You can assign severity, add notes, and track remediation status as part of ongoing security management.