Astra for Fintech

What middleBrick covers

  • Black-box scanning with read-only methods in under one minute
  • 12 risk categories aligned to the OWASP API Top 10
  • Authentication support for Bearer, API key, Basic, and Cookie
  • OpenAPI 3.0/3.1 and Swagger 2.0 parsing with ref resolution
  • CI/CD integration via GitHub Action and MCP Server
  • Continuous monitoring with diff detection and email alerts

API Security Posture for Financial Services

Financial APIs move sensitive payment and identity data, so security must be precise and verifiable. middleBrick maps findings to OWASP API Top 10, covers requirements of PCI-DSS 4.0, and supports audit evidence for SOC 2 Type II. The scanner operates as a black-box tool, submitting only read-only methods to observe runtime behavior without altering systems.

Scan Methodology and Limitations

middleBrick is a self-service API security scanner that accepts a URL and returns a risk score from A to F with prioritized findings. Scan time is under a minute using GET and HEAD methods, with text-only POST requests for LLM probes. It does not fix, patch, block, or remediate, and it does not perform active SQL injection or command injection, as those require intrusive payloads outside its scope. It also does not detect business logic vulnerabilities or blind SSRF, and it does not replace a human pentester for high-stakes audits.

Detection Coverage for Common API Risks

The scanner evaluates 12 categories aligned to OWASP API Top 10. These include authentication bypass and JWT misconfigurations such as alg=none and expired claims, BOLA and IDOR via sequential ID enumeration, BFLA and privilege escalation through admin endpoint probing, and property authorization issues like over-exposed internal fields. Input validation checks for CORS wildcard usage and dangerous HTTP methods, while rate limiting detection reviews headers and oversized responses. Data exposure identifies PII patterns, API key formats, and error leakage, and encryption checks enforce HTTPS, HSTS, and cookie flags. SSRF detection targets URL-accepting parameters and internal IP probing, and inventory management flags missing versioning and legacy paths.

Authenticated Scanning and Compliance Alignment

Authenticated scanning (Starter tier and above) supports Bearer, API key, Basic auth, and Cookie methods, gated by domain verification so that only domain owners can scan with credentials. The header allowlist is limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers. middleBrick helps you prepare for regulatory alignment with the security controls described in PCI-DSS 4.0 and SOC 2 Type II, and surfaces findings relevant to the OWASP API Top 10 (2023).

Product Integration and Deployment Options

The Web Dashboard provides a centralized view for scanning, reporting, and tracking score trends, with branded compliance PDFs available for sharing. The CLI via the middlebrick npm package supports command-line scans with JSON or text output. A GitHub Action can enforce CI/CD gates by failing builds when scores drop below a set threshold. An MCP Server enables scanning from AI coding assistants, and an API client allows custom integrations for continuous monitoring workflows.

Frequently Asked Questions

Does middleBrick perform active exploitation during scans?
No. The scanner only uses read-only methods and does not send destructive payloads, active SQL injection, or command injection.
Can authenticated scans be run in CI/CD pipelines?
Yes, authenticated scanning is supported from Starter tier onward, with domain verification required for credentialed scans.
How are compliance requirements addressed?
Findings map to OWASP API Top 10, and the tool helps prepare for security controls described in PCI-DSS 4.0 and SOC 2 Type II.
Is customer scan data retained or used for model training?
No. Data is deletable on demand, purged within 30 days of cancellation, and is never sold or used for model training.