APIsec for mobile backends
What middleBrick covers
- Black-box scanning with no agents or SDK integration
- Risk scoring from A to F with prioritized findings
- Coverage aligned to OWASP API Top 10 (2023)
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with spec/runtime cross-check
- Authenticated scanning for mobile backend endpoints
- Continuous monitoring and diff detection across scans
Overview of APIsec for mobile backends
APIsec is a self-service API security scanner designed for backend endpoints that support mobile applications. Submit a URL to receive a risk score from A to F and a prioritized list of findings. The scanner operates in black-box mode, requiring no agents, code access, or SDK integration, and works with any language, framework, or cloud. Scan times are under one minute, using read-only methods plus text-only POST for LLM probes.
Detection coverage aligned to mobile backend risks
The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023), which maps findings to critical controls relevant to mobile backend surfaces. It covers authentication bypass and JWT misconfigurations such as alg=none, weak secret key usage, expired tokens, and missing claims. It detects BOLA and IDOR through sequential ID enumeration and active adjacent-ID probing. Other categories include BFLA and privilege escalation via admin endpoint probing, property authorization over-exposure, input validation issues like CORS wildcard misconfigurations, rate limiting and oversized response detection, and exposure of PII and API key patterns. Additional coverage includes SSRF against URL-accepting parameters, inventory and versioning weaknesses, and unsafe consumption surfaces such as exposed webhooks. For AI-related risks, the scanner runs 18 adversarial probes across Quick, Standard, and Deep tiers, targeting LLM-specific attack chains including prompt injection and token smuggling.
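The JWT checks listed above (alg=none, expired tokens, missing claims) are the kind of structural inspection a black-box scanner can do on a captured token without the signing key. The following is an added example written for this page, not the scanner's own code: it decodes a token's header and payload, flags an unsigned alg=none token, a missing or empty signature, an expired exp claim and absent required claims. The required-claim set, the fixed clock and the sample tokens are constructed for the example.

```python
import base64
import json
import time
from typing import List, Optional

# Claims a mobile backend token is expected to carry. This set is an assumption
# made for the example; a real policy comes from the backend's own token contract.
REQUIRED_CLAIMS = ("sub", "exp", "iat")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(header: dict, payload: dict, signature: str = "") -> str:
    """Build a token for testing. The signature is taken verbatim; this helper
    never signs anything, it only assembles the three segments."""
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     signature])


def inspect_jwt(token: str, now: Optional[int] = None) -> List[str]:
    """Return a list of findings for a token. Only structure and claims are
    examined; the signature is not verified (no key is available in black-box mode)."""
    findings: List[str] = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected three dot-separated segments"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # binascii.Error and JSONDecodeError both derive from ValueError
        return ["malformed: header or payload is not base64url-encoded JSON"]
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return ["malformed: header or payload is not a JSON object"]

    alg = str(header.get("alg", "")).lower()
    if alg == "none":
        findings.append("alg=none: token is unsigned")
    elif alg == "":
        findings.append("missing alg header")
    if parts[2] == "":
        findings.append("empty signature segment")

    now = int(time.time()) if now is None else now
    for claim in REQUIRED_CLAIMS:
        if claim not in payload:
            findings.append(f"missing claim: {claim}")
    exp = payload.get("exp")
    if exp is not None and not isinstance(exp, (int, float)):
        findings.append("exp claim is not numeric")
    elif isinstance(exp, (int, float)) and exp < now:
        findings.append(f"expired: exp={int(exp)} is before now={now}")
    return findings


# Constructed sample tokens with a fixed clock so the results are reproducible.
NOW = 1_700_000_000
UNSIGNED = make_token({"alg": "none", "typ": "JWT"}, {"sub": "user-1", "iat": NOW - 60})
EXPIRED = make_token({"alg": "HS256", "typ": "JWT"},
                     {"sub": "user-1", "iat": NOW - 7200, "exp": NOW - 3600}, "c2ln")
HEALTHY = make_token({"alg": "RS256", "typ": "JWT"},
                     {"sub": "user-1", "iat": NOW, "exp": NOW + 900}, "c2ln")

if __name__ == "__main__":
    for label, tok in (("unsigned", UNSIGNED), ("expired", EXPIRED), ("healthy", HEALTHY)):
        print(label, inspect_jwt(tok, now=NOW))
```

A finding such as "alg=none" on a token the backend actually accepts is the misconfiguration the page describes; the check above only tells you the token looks that way, so the scanner's runtime probe (does the endpoint honour it?) is the part that turns it into a confirmed issue.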
OpenAPI analysis and authenticated scanning
APIsec parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, then cross-references spec definitions against runtime behavior to surface undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For authenticated scans, supported methods include Bearer, API key, Basic auth, and Cookie. Authenticated scans require domain verification via DNS TXT record or an HTTP well-known file to ensure only the domain owner can scan with credentials. The scanner forwards a strict header allowlist limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers.
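The strict header allowlist above matters because an authenticated scan carries credentials on behalf of the domain owner, and anything outside the allowlist (Host, X-Forwarded-For, and so on) should never reach the target. The following is an added example, not the scanner's code: a filter that keeps only allowlisted headers, matches names case-insensitively and treats the X-Custom-* entry as a prefix that must be followed by at least one character. The sample request headers are constructed.

```python
from typing import Dict, List, Tuple

# Allowlist as stated on the page; the X-Custom-* entry is treated as a prefix pattern.
ALLOWED_HEADERS = ("Authorization", "X-API-Key", "Cookie", "X-Custom-*")


def is_allowed_header(name: str) -> bool:
    """Case-insensitive allowlist match; a trailing '*' means prefix match,
    and the prefix alone (e.g. 'X-Custom-') does not qualify."""
    lname = name.lower()
    for pattern in ALLOWED_HEADERS:
        lpat = pattern.lower()
        if lpat.endswith("*"):
            prefix = lpat[:-1]
            if lname.startswith(prefix) and len(lname) > len(prefix):
                return True
        elif lname == lpat:
            return True
    return False


def filter_forwarded_headers(headers: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Split headers into those that may be forwarded and the names that were dropped,
    so the drop list can be logged for the user."""
    kept: Dict[str, str] = {}
    dropped: List[str] = []
    for name, value in headers.items():
        if is_allowed_header(name):
            kept[name] = value
        else:
            dropped.append(name)
    return kept, dropped


# Constructed sample: what a user might paste into an authenticated-scan form.
SAMPLE_HEADERS = {
    "Authorization": "Bearer eyJ-constructed-token",
    "X-API-KEY": "k1",
    "X-Forwarded-For": "10.0.0.1",
    "x-custom-tenant": "acme",
    "Host": "api.example.com",
    "X-Custom-": "x",
}

if __name__ == "__main__":
    kept, dropped = filter_forwarded_headers(SAMPLE_HEADERS)
    print("forwarding:", kept)
    print("dropped:", dropped)
```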
Integration options and continuous monitoring
The Web Dashboard centralizes scan records, score trends, and branded compliance PDF generation. The CLI via the middlebrick npm package supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action can gate CI/CD, failing builds when scores drop below a threshold. The MCP Server enables scanning from AI coding assistants. Pro tier adds scheduled rescans every 6 hours, daily, weekly, or monthly, diff detection for new and resolved findings, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that auto-disable after five consecutive failures.
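The HMAC-SHA256 signed webhooks mentioned above are only as useful as the receiver's verification. The following is an added example of that receiving side, not code from the project: the page does not document the header names or the signed-message layout, so the X-Webhook-Signature and X-Webhook-Timestamp headers, the "timestamp.body" signing input and the five-minute replay window are this example's assumptions. It checks the signature with a constant-time comparison and rejects deliveries whose timestamp is outside the window. The shared secret, clock and payload are constructed.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Assumed header names and replay window; confirm against the vendor's webhook docs.
SIGNATURE_HEADER = "X-Webhook-Signature"
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
MAX_SKEW_SECONDS = 300


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>' so a captured body cannot be
    replayed later with a fresh timestamp."""
    message = f"{timestamp}.".encode() + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: Dict[str, str], body: bytes,
                   now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Verify the raw body bytes, never a re-serialised
    JSON object, since re-serialisation changes whitespace and key order."""
    now = int(time.time()) if now is None else now
    ts_raw = headers.get(TIMESTAMP_HEADER)
    signature = headers.get(SIGNATURE_HEADER, "")
    if ts_raw is None or not signature:
        return False, "missing signature or timestamp header"
    try:
        timestamp = int(ts_raw)
    except ValueError:
        return False, "timestamp is not an integer"
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "timestamp outside replay window"
    expected = sign_payload(secret, timestamp, body)
    # compare_digest avoids leaking how many leading bytes matched via timing.
    if not hmac.compare_digest(expected, signature):
        return False, "signature mismatch"
    return True, "ok"


# Constructed sample delivery: a diff-detection alert with a fixed clock.
SECRET = b"example-shared-secret"
NOW = 1_700_000_000
BODY = json.dumps({"api": "https://api.example.com", "new_findings": 2,
                   "resolved_findings": 1}).encode()
SAMPLE_HEADERS = {TIMESTAMP_HEADER: str(NOW),
                  SIGNATURE_HEADER: sign_payload(SECRET, NOW, BODY)}

if __name__ == "__main__":
    print(verify_webhook(SECRET, SAMPLE_HEADERS, BODY, now=NOW))
    print(verify_webhook(SECRET, SAMPLE_HEADERS, BODY + b" ", now=NOW))
```

Read the body as raw bytes before any framework parses it, and keep the secret out of the URL; the auto-disable after five consecutive failures described above means a receiver that returns non-2xx for transient reasons will eventually stop getting alerts, so return 2xx promptly and process asynchronously.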
What APIsec does not do
APIsec does not fix, patch, block, or remediate findings; it detects and reports, with remediation guidance. It does not perform active SQL injection or command injection testing, as those require intrusive payloads outside its scope. Business logic vulnerabilities are not detected, as they require domain-specific human analysis. Blind SSRF is out of scope due to the lack of out-of-band infrastructure. The scanner is not a replacement for a human pentester in high-stakes audits.
Compliance and safety posture
Findings map to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). The scanner helps you prepare for audits and supports audit evidence for security reviews without asserting certification or compliance guarantees. Safety measures include read-only testing only, blocking destructive payloads, filtering private IPs, localhost, and cloud metadata endpoints at multiple layers, and allowing customer data deletion on demand within 30 days of cancellation. Customer data is never sold or used for model training.
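The "multiple layers" of private-IP, localhost and cloud-metadata filtering described above is what keeps a URL-accepting scanner from being turned against its own infrastructure. The following is an added example of such a filter, not the scanner's own code: it rejects non-http(s) schemes, blocks localhost-style hostnames, classifies IP literals (including IPv4-mapped IPv6 forms) against an explicit list of non-public ranges and the metadata addresses, and resolves other hostnames and checks every returned address. The resolver is injectable so the example runs offline against a constructed DNS table; the blocked-range list is a starting point, not an exhaustive one.

```python
import ipaddress
import socket
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

# Hostnames that are never valid scan targets.
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}

# Well-known cloud metadata addresses (IPv4 link-local IMDS and the AWS IPv6 IMDS address).
METADATA_ADDRESSES = {ipaddress.ip_address("169.254.169.254"), ipaddress.ip_address("fd00:ec2::254")}

# Explicit ranges rather than ipaddress.is_private, whose semantics vary by Python version
# and which also classifies the documentation ranges used as "public" samples below.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10",    # carrier-grade NAT
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local, includes the metadata address
    "::1/128", "fc00::/7", "fe80::/10",
)]


def classify_address(raw: str) -> Optional[str]:
    """Return a reason string if the address must not be contacted, else None.
    Raises ValueError if raw is not an IP literal."""
    ip = ipaddress.ip_address(raw)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    if ip in METADATA_ADDRESSES:
        return "cloud metadata endpoint"
    for net in BLOCKED_NETWORKS:
        if ip in net:  # version mismatch simply yields False
            return f"non-public range {net}"
    return None


def dns_resolve(host: str) -> List[str]:
    """Real resolver (not used by the offline sample): every A/AAAA address for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_target(url: str, resolve: Callable[[str], List[str]] = dns_resolve) -> Tuple[bool, str]:
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme or '(none)'}"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    lhost = host.lower().rstrip(".")
    if lhost in BLOCKED_HOSTNAMES or lhost.endswith(".localhost"):
        return False, f"blocked hostname: {host}"
    try:  # layer 2: IP literal
        reason = classify_address(host)
    except ValueError:
        reason = None
        literal = False
    else:
        literal = True
    if literal:
        return (False, f"{host}: {reason}") if reason else (True, "ok")
    try:  # layer 3: resolve and check every returned address
        addresses = resolve(host)
    except OSError:
        return False, f"could not resolve {host}"
    if not addresses:
        return False, f"{host} resolved to no addresses"
    for addr in addresses:
        reason = classify_address(addr)
        if reason:
            return False, f"{host} resolves to {addr}: {reason}"
    return True, "ok"


# Constructed DNS table; 203.0.113.0/24 (TEST-NET-3) stands in for public addresses.
FAKE_DNS = {"api.example.com": ["203.0.113.10"],
            "dual.example.com": ["203.0.113.11", "127.0.0.1"]}


def fake_resolve(host: str) -> List[str]:
    if host not in FAKE_DNS:
        raise OSError(f"unknown host {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for u in ("https://api.example.com/v1", "http://169.254.169.254/", "http://dual.example.com/"):
        print(u, check_target(u, fake_resolve))
```

One caveat a resolver-based check cannot cover on its own: if the HTTP client resolves the name again when it connects, a DNS answer that changes between the check and the connection (rebinding) bypasses layer 3. A production filter should connect to the address it validated, or validate inside the client's connection hook.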