Is 42Crunch good for Auditor-requested API inventory?

What middleBrick covers

  • OpenAPI 3.0/3.1 and Swagger 2.0 parsing with recursive $ref resolution
  • 12 OWASP API Top 10 detection categories with remediation guidance
  • Read-only scanning with no agents, SDKs, or code access required
  • Authenticated scans with Bearer, API key, Basic auth, and cookies
  • LLM/AI security adversarial probes across three scan tiers
  • Risk score grading from A to F with prioritized findings

Inventory coverage and OpenAPI analysis

The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution. It cross-references spec definitions against runtime behavior to surface undefined security schemes, sensitive fields, deprecated operations, and missing pagination. This supports audit evidence for inventory completeness and alignment with API design standards.
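The checks described above can be reproduced offline against a spec file. The following is an added example written for this page, not middleBrick's own code: it resolves local `$ref` pointers recursively (terminating on self-referential schemas), then walks every operation to flag security schemes that are referenced but never defined, deprecated operations, collection endpoints without pagination parameters, and sensitive-looking field names in response schemas. The spec, the field-name pattern and the pagination parameter names are constructed assumptions; Swagger 2.0's `securityDefinitions` is honoured alongside OpenAPI's `components.securitySchemes`.

```python
import json
import re
from typing import Any

# Assumed heuristics: field names that usually indicate sensitive data, and the
# query parameter names that indicate a paginated collection endpoint.
SENSITIVE_FIELD = re.compile(r"(ssn|password|passwd|secret|token|api_?key|credit_?card|card_?number)", re.I)
PAGINATION_PARAMS = {"limit", "offset", "page", "per_page", "page_size", "cursor"}
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head", "trace"}

# Constructed sample spec (not from the page). It contains a self-referential
# schema, an undefined security scheme, a deprecated operation, a sensitive
# response field and a collection endpoint without pagination parameters.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "components": {
    "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
    "parameters": {"Limit": {"name": "limit", "in": "query", "schema": {"type": "integer"}}},
    "schemas": {
      "User": {"type": "object", "properties": {
        "id": {"type": "integer"},
        "ssn": {"type": "string"},
        "manager": {"$ref": "#/components/schemas/User"}}}
    }
  },
  "paths": {
    "/users": {"get": {"security": [{"bearerAuth": []}],
                       "parameters": [{"$ref": "#/components/parameters/Limit"}]}},
    "/users/{id}": {
      "get": {"security": [{"bearerAuth": []}],
              "responses": {"200": {"content": {"application/json":
                {"schema": {"$ref": "#/components/schemas/User"}}}}}},
      "delete": {"deprecated": true, "security": [{"apiKey": []}]}},
    "/orders": {"get": {"security": [{"bearerAuth": []}]}}
  }
}
""")


def deref(spec: dict, ref: str) -> Any:
    """Follow a local JSON-pointer $ref such as '#/components/schemas/User'."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local refs are supported: {ref}")
    node: Any = spec
    for part in ref[2:].split("/"):
        part = part.replace("~1", "/").replace("~0", "~")  # JSON-pointer unescaping
        node = node[part]
    return node


def resolve(node: Any, spec: dict, on_path: frozenset = frozenset()) -> Any:
    """Recursively replace $ref objects with their targets. A $ref that is already
    on the current resolution path (a self-referential schema) is left as a marker
    so that cyclic specs terminate instead of recursing forever."""
    if isinstance(node, dict):
        if "$ref" in node:
            ref = node["$ref"]
            if ref in on_path:
                return {"$ref": ref, "x-circular": True}
            return resolve(deref(spec, ref), spec, on_path | {ref})
        return {k: resolve(v, spec, on_path) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, spec, on_path) for v in node]
    return node


def iter_operations(spec: dict):
    """Yield (path, method, operation) for every operation in the spec."""
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method in HTTP_METHODS:
                yield path, method, op


def sensitive_properties(schema: Any, prefix: str = "") -> list:
    """Collect sensitive-looking property names from an already-resolved schema."""
    found = []
    if isinstance(schema, dict):
        for name, sub in schema.get("properties", {}).items():
            if SENSITIVE_FIELD.search(name):
                found.append(prefix + name)
            found += sensitive_properties(sub, prefix + name + ".")
        if "items" in schema:
            found += sensitive_properties(schema["items"], prefix + "[].")
    return found


def audit_spec(spec: dict) -> list:
    """Return human-readable findings for the inventory checks named on the page."""
    findings = []
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    defined |= set(spec.get("securityDefinitions", {}))  # Swagger 2.0 equivalent
    for path, method, raw_op in iter_operations(spec):
        op = resolve(raw_op, spec)
        label = f"{method.upper()} {path}"
        for requirement in op.get("security", spec.get("security", [])):
            for scheme in requirement:
                if scheme not in defined:
                    findings.append(f"{label}: undefined security scheme '{scheme}'")
        if op.get("deprecated"):
            findings.append(f"{label}: deprecated operation still published")
        if method == "get" and not path.endswith("}"):  # collection, not a single item
            names = {p.get("name") for p in op.get("parameters", []) if p.get("in") == "query"}
            if not names & PAGINATION_PARAMS:
                findings.append(f"{label}: collection endpoint without pagination parameters")
        for code, resp in op.get("responses", {}).items():
            for mime, media in resp.get("content", {}).items():
                for field in sensitive_properties(media.get("schema")):
                    findings.append(f"{label} -> {code} {mime}: sensitive field '{field}'")
    return findings


if __name__ == "__main__":
    for line in audit_spec(SAMPLE_SPEC):
        print(line)
```

Static analysis of this kind only proves what the spec declares; an inventory finding is complete evidence only once the declared operations are compared with what the running API actually answers, which is the runtime cross-reference the page describes.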

Detection scope aligned to OWASP API Top 10

The scanner covers authentication bypass, JWT misconfigurations, BOLA/IDOR via sequential and adjacent-ID probing, BFLA and privilege escalation via admin-endpoint probing, excessive property exposure, misconfiguration and input-handling issues such as CORS wildcard origins and dangerous HTTP methods left enabled, missing rate-limiting indicators, and data exposure including PII patterns and API key formats in responses. Findings are mapped to OWASP API Top 10 (2023) categories with remediation guidance; the scanner reports issues but does not attempt to fix or block endpoints.
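The adjacent-ID probe behind the BOLA/IDOR check is simple enough to show end to end. The following is an added example, not middleBrick's code: starting from an object the caller legitimately owns, it requests neighbouring numeric IDs with the same credentials and reports a 200 that returns a different object. It is GET-only, so it stays read-only. The in-memory "API" (`vulnerable_fetch`, `hardened_fetch`, the user records and tokens) is a constructed stand-in for a real HTTP target so the probe runs offline.

```python
import re
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict]             # (HTTP status, decoded JSON body)
Fetch = Callable[[str, str], Response]  # (path, bearer token) -> Response; GET only

# Matches paths whose last segment is a numeric object ID, e.g. /users/100 or /users/100/
NUMERIC_ID_PATH = re.compile(r"^(?P<prefix>.*/)(?P<id>\d+)(?P<suffix>/?)$")


def probe_bola(fetch: Fetch, own_path: str, token: str, deltas=(1, -1, 2, -2)) -> List[dict]:
    """Adjacent-ID probe. The baseline request must succeed (we must be able to read
    our own object); each neighbouring ID is then fetched with the same token and
    flagged when the server returns 200 with a different object."""
    m = NUMERIC_ID_PATH.match(own_path)
    if not m:
        return []
    own_id = int(m["id"])
    own_status, own_body = fetch(own_path, token)
    if own_status != 200:
        return []  # without a working baseline the comparison is meaningless
    findings = []
    for delta in deltas:
        path = f"{m['prefix']}{own_id + delta}{m['suffix']}"
        status, body = fetch(path, token)
        # An empty or identical body is not evidence; only a different object is.
        if status == 200 and body and body != own_body:
            findings.append({"path": path, "status": status,
                             "evidence": "neighbouring object returned to a non-owner"})
    return findings


# --- Constructed in-memory API used as a stand-in for a real HTTP target ---
USERS = {100: {"id": 100, "email": "a@example.com"},
         101: {"id": 101, "email": "b@example.com"},
         102: {"id": 102, "email": "c@example.com"}}
TOKENS = {"tok-100": 100, "tok-101": 101}  # bearer token -> owning user ID


def _lookup(path: str):
    m = NUMERIC_ID_PATH.match(path)
    return USERS.get(int(m["id"])) if m and path.startswith("/users/") else None


def vulnerable_fetch(path: str, token: str) -> Response:
    """Authenticates the token but never checks object ownership (BOLA)."""
    if token not in TOKENS:
        return 401, {}
    user = _lookup(path)
    return (200, user) if user else (404, {})


def hardened_fetch(path: str, token: str) -> Response:
    """Same API with an ownership check: only the caller's own record is returned."""
    if token not in TOKENS:
        return 401, {}
    user = _lookup(path)
    if not user:
        return 404, {}
    return (200, user) if user["id"] == TOKENS[token] else (403, {})


if __name__ == "__main__":
    print("vulnerable:", probe_bola(vulnerable_fetch, "/users/100", "tok-100"))
    print("hardened:  ", probe_bola(hardened_fetch, "/users/100", "tok-100"))
```

Against a real target the same function would wrap an HTTP client in `fetch`; the comparison logic does not change. A 200 for a neighbouring ID is an indicator, not proof, which is why the page calls these findings something to review rather than something the scanner will fix.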

Authenticated scanning and safety posture

Authenticated scanning supports Bearer tokens, API keys, Basic auth, and cookies, and is gated by domain verification using a DNS TXT record or an HTTP well-known file. Only an allowlist of headers (Authorization, X-API-Key, Cookie, and X-Custom-* headers) is forwarded to the target; other customer-supplied headers are dropped. The scanner is read-only: destructive payloads are never sent, requests to private IP ranges and cloud metadata endpoints are blocked, and customer scan data is deletable on demand and purged within 30 days of cancellation.
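Two of the safety controls above are worth seeing as code, because they are the controls an auditor will ask about when a third party is allowed to send authenticated requests on your behalf. The following is an added example, not middleBrick's implementation: a header filter that forwards only the allowlisted names, and a target check that refuses non-HTTP schemes, cloud metadata hosts, and any hostname that resolves to a private, loopback or link-local address. The metadata hostnames listed and the pluggable `resolver` are assumptions made so the check can run offline; domain verification is not shown.

```python
import ipaddress
import socket
from fnmatch import fnmatch
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Header allowlist as listed on the page; anything else the customer supplies is dropped.
ALLOWED_HEADERS = ("authorization", "x-api-key", "cookie", "x-custom-*")

# Assumed deny-list of cloud metadata hostnames. The link-local IMDS address is also
# caught by the address check below; the hostname entries cover providers that expose
# metadata under a name rather than an IP.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "metadata"}


def filter_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Keep only headers whose (case-insensitive) name matches the allowlist."""
    return {k: v for k, v in headers.items()
            if any(fnmatch(k.lower(), pattern) for pattern in ALLOWED_HEADERS)}


def is_blocked_ip(ip: str) -> bool:
    """True for any address a scanner must never connect to from a customer's request."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _system_resolve(host: str) -> List[str]:
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def check_target(url: str, resolver: Optional[Callable[[str], List[str]]] = None) -> Tuple[bool, str]:
    """Return (allowed, reason). `resolver` maps a hostname to its IP strings and
    defaults to system DNS; tests pass a stub so no network is needed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.lower().rstrip(".") in METADATA_HOSTS:
        return False, "cloud metadata endpoint"
    try:
        addrs = [host] if _is_ip_literal(host) else (resolver or _system_resolve)(host)
    except socket.gaierror:
        return False, "DNS resolution failed"
    # Every resolved address must be public; a split answer (one public, one private)
    # is the classic DNS-rebinding shape and is rejected outright.
    for ip in addrs:
        if is_blocked_ip(ip):
            return False, f"resolves to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    print(filter_headers({"Authorization": "Bearer t", "X-Forwarded-For": "1.2.3.4"}))
    print(check_target("http://169.254.169.254/latest/meta-data/"))
    print(check_target("https://api.example.com/v1", resolver=lambda h: ["93.184.216.34"]))
```

One caveat for anyone building rather than buying such a scanner: checking resolved addresses before the request is necessary but not sufficient, because the HTTP client may resolve the name again at connect time. Pin the connection to the vetted address (or resolve once inside the client) so the check and the connection agree.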

LLM and AI security probing

The scanner includes 18 adversarial probes across Quick, Standard, and Deep tiers targeting LLM/AI security. These probes test for system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration, cost exploitation, encoding bypasses, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool abuse, nested instruction injection, and PII extraction. Findings highlight model-facing risks without attempting to modify or block model behavior.

Limitations and alternative approaches

The scanner does not perform active SQL injection or command injection testing, does not detect business logic vulnerabilities, and cannot identify blind SSRF because it has no out-of-band callback infrastructure. It does not replace a human pentester for high-stakes audits. For a comprehensive auditor-requested API inventory, combine the scanner's output with manual asset validation and an architecture review.

Frequently Asked Questions

Does the scanner map findings to compliance frameworks?
It maps findings directly to OWASP API Top 10 (2023) and supports evidence collection for SOC 2 Type II and PCI-DSS 4.0. For other frameworks, it helps you prepare for and align with security controls described in them.
Can authenticated scans be run in CI/CD?
Authenticated scanning is available from the Starter tier onward. You can provide credentials and domain verification to include authenticated checks in your pipeline.
How are new findings surfaced and tracked?
Continuous monitoring (Pro tier) performs scheduled rescans, diffs findings, and sends email alerts rate-limited to one per hour per API. Webhooks are HMAC-SHA256 signed and auto-disabled after five consecutive failures.
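The page states that webhooks are HMAC-SHA256 signed and disabled after five consecutive delivery failures but does not document the header name or signature format, so the following is an added example with assumed conventions, not middleBrick's own scheme: the signature is the hex HMAC-SHA256 of the raw body, carried in a hypothetical `X-Webhook-Signature` header, and compared in constant time on the receiving side. The sender-side `WebhookSubscription` shows the consecutive-failure cut-off; `transport` is an injectable stand-in for the HTTP call so it runs offline.

```python
import hashlib
import hmac
from typing import Callable, Dict

SIGNATURE_HEADER = "X-Webhook-Signature"  # assumed header name; check the vendor's docs
MAX_CONSECUTIVE_FAILURES = 5              # from the page: auto-disable after five failures

Transport = Callable[[str, Dict[str, str], bytes], int]  # (url, headers, body) -> HTTP status


def sign(secret: bytes, body: bytes) -> str:
    """Signature over the raw request body, before any JSON parsing or re-serialisation."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, header_value: str) -> bool:
    """Receiver-side check. compare_digest avoids leaking the match length via timing."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, body), header_value)


class WebhookSubscription:
    """Sender-side delivery state for one subscriber URL."""

    def __init__(self, url: str, secret: bytes):
        self.url = url
        self.secret = secret
        self.consecutive_failures = 0
        self.enabled = True

    def deliver(self, body: bytes, transport: Transport) -> bool:
        """Send one signed event. Any non-2xx counts as a failure; the subscription is
        disabled once MAX_CONSECUTIVE_FAILURES are seen in a row, and the counter resets
        on the first success."""
        if not self.enabled:
            return False
        headers = {"Content-Type": "application/json",
                   SIGNATURE_HEADER: sign(self.secret, body)}
        status = transport(self.url, headers, body)
        if 200 <= status < 300:
            self.consecutive_failures = 0
            return True
        self.consecutive_failures += 1
        if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            self.enabled = False
        return False


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    body = b'{"api": "orders", "new_findings": 2}'   # constructed sample event
    sig = sign(secret, body)
    print(sig, verify(secret, body, sig), verify(secret, body + b" ", sig))
```

On the receiving side, verify against the bytes exactly as received; decoding the JSON and re-encoding it before hashing will produce a different byte string and a spurious failure, which after five in a row will silently switch the alerts off.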
Is sensitive data retained or used for model training?
Customer scan data is deletable on demand and purged within 30 days of cancellation. It is never sold and never used for model training.
Does the scanner fix vulnerabilities?
The scanner detects and reports findings with remediation guidance. It does not fix, patch, block, or remediate issues directly.