APIsec for OpenAPI-first APIs

The scanner ingests OpenAPI 3.0, 3.1, and Swagger 2.0 files and resolves recursive $ref chains before analysis. Parsed paths and parameters are cross-referenced with runtime responses to surface undefined schemas and security mismatches. This approach highlights differences between declared and observed behavior without requiring source code.

For an OpenAPI-first API, coverage depends on how accurately the specification reflects the runtime service. The scanner maps findings to OWASP API Top 10 (2023) and identifies issues such as missing authentication on declared endpoints, undefined security schemes, and deprecated operations. When the spec lacks examples or concrete request bodies, some path-specific logic and data exposure patterns may remain under-detected.

• Authentication — misconfigured JWT checks, missing security schemes, and header-based bypass risks
• Input Validation — CORS wildcard usage, dangerous HTTP methods, and debug endpoint exposure
• OpenAPI-specific gaps — undefined paths, missing pagination, and inconsistent parameter definitions

Authenticated scans increase coverage for APIs behind gates, but require domain verification before credentials are accepted. The domain owner must publish a verifiable DNS TXT record or an HTTP well-known file. When authenticated, only a strict allowlist of headers is forwarded, including Authorization, X-API-Key, Cookie, and X-Custom-* headers.

curl -X POST https://api.middlebrick.io/verify \
  -H "Content-Type: application/json" \
  -d '{"domain": "api.example.com", "token": "verified-dns-txt-value"}'

Findings align with compliance activities by mapping to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For frameworks outside this set, the scanner helps you prepare for audit evidence collection and aligns with security controls described in relevant standards. The tool does not certify compliance or guarantee adherence to any regulatory framework.

LLM-specific testing is included via 18 adversarial probes across Quick, Standard, and Deep tiers. These probes target system prompt extraction, instruction override attempts, and data exfiltration patterns such as base64/ROT13 encoding bypass and few-shot poisoning. Findings highlight risky model interactions without executing destructive payloads.

The scanner detects but does not remediate issues like business logic flaws or blind SSRF, which often require domain context and human judgment. OpenAPI-first workflows can miss runtime-specific behaviors when specs are incomplete; treat scan results as one input in a broader security program and combine with manual review for high-stakes audits.