42Crunch as an API fuzzer
What middleBrick covers
- Black-box scanning with no agents or SDK dependencies
- 12 OWASP-aligned API security categories evaluated
- OpenAPI 3.0/3.1/Swagger 2.0 parsing with $ref resolution
- Authenticated scans with header allowlist and domain verification
- Continuous monitoring and diff detection across scans
- CI/CD integration via GitHub Action and MCP Server support
What an API fuzzer does and does not cover
An API fuzzer sends malformed, unexpected, or semi-valid requests to an endpoint to observe deviations in behavior, with the goal of discovering crashes, data leaks, or inconsistent error handling. 42Crunch operates as a specialized scanner focused on security posture rather than deep functional exploration. It does not perform intrusive payload delivery such as active SQL injection or command injection, which require destructive input sequences outside its scope.
The tool emphasizes read-only interaction, using GET and HEAD methods along with text-only POST for LLM probes. Because it avoids destructive testing, it is complementary to but not a replacement for dedicated fuzzing or penetration testing activities that involve protocol-level mutation and business logic abuse.
Mapping findings to compliance frameworks
middleBrick maps findings directly to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). These mappings help you align security evidence with established control objectives without implying certification or guaranteed compliance.
For other regulations, the scanner supports audit evidence collection and helps you prepare for assessments by surfacing findings relevant to controls described in HIPAA, GDPR, ISO 27001, NIST, CCPA, NIS2, DORA, FedRAMP, DPDP, APPI, PDPA, PIPEDA, PIPA, UK DPA, LGPD, SOX, GLBA, FERPA, and similar frameworks. Use the reported evidence to inform your own risk analysis and policy decisions.
Detection capabilities across API risks
The scanner evaluates 12 categories aligned to the OWASP API Top 10:
- Authentication bypasses and JWT misconfigurations such as alg=none or expired tokens
- BOLA and IDOR via sequential ID probing
- BFLA and privilege escalation through role leakage
- Property-level authorization over-exposure
- Input validation, covering CORS wildcard usage and dangerous HTTP methods
- Rate limiting headers and oversized responses
- Data exposure patterns, including PII and API key formats
- Encryption issues such as missing HSTS
- SSRF indicators in URL-accepting parameters
- Inventory risks such as missing versioning
- Unsafe consumption surfaces
- LLM/AI security probes across multiple tiers
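The following is an added example (not middleBrick's or 42Crunch's code) of what a few of these read-only checks look like when run over a single captured response and an observed token: CORS wildcard detection, a missing HSTS header on an HTTPS endpoint, dangerous methods advertised in Allow, and a JWT whose header says alg=none or whose exp claim has passed. The sample response, the sample token, and the set of methods treated as dangerous are constructed assumptions; the page does not say which methods the scanner flags.

```python
import base64
import json
import time
from typing import Optional

# Constructed sample: headers captured from one GET response to an HTTPS
# endpoint, including the Allow header an OPTIONS or 405 response would carry.
SAMPLE_RESPONSE = {
    "url": "https://api.example.test/v1/users",
    "status": 200,
    "headers": {
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Credentials": "true",
        "Allow": "GET, POST, PUT, DELETE, TRACE",
        "Content-Type": "application/json",
    },
}

# Methods this example treats as dangerous when an API advertises them
# (an assumption: the page does not list which ones the scanner flags).
DANGEROUS_METHODS = {"TRACE", "TRACK", "CONNECT"}


def header_findings(response: dict) -> list:
    """Read-only checks over the headers of one response."""
    h = {k.lower(): v for k, v in response["headers"].items()}
    findings = []
    if h.get("access-control-allow-origin") == "*":
        findings.append("cors-wildcard-origin")
        # Browsers refuse "*" together with credentials, but the combination
        # still shows a CORS policy that was never thought through.
        if h.get("access-control-allow-credentials", "").lower() == "true":
            findings.append("cors-wildcard-with-credentials")
    if response["url"].startswith("https://") and "strict-transport-security" not in h:
        findings.append("hsts-missing")
    advertised = {m.strip().upper() for m in h.get("allow", "").split(",") if m.strip()}
    for method in sorted(advertised & DANGEROUS_METHODS):
        findings.append("dangerous-method-" + method.lower())
    return findings


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_findings(token: str, now: Optional[float] = None) -> list:
    """Inspect a JWT's header and claims without verifying it: the scanner
    only observes a token it was given; validating it is the API's job."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["jwt-malformed"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64 (binascii.Error) and bad JSON both subclass ValueError
        return ["jwt-malformed"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["jwt-malformed"]
    findings = []
    if str(header.get("alg", "")).lower() == "none":
        findings.append("jwt-alg-none")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        findings.append("jwt-no-expiry")
    elif exp < now:
        findings.append("jwt-expired")
    return findings


# Constructed sample token: unsigned (alg=none) and already expired.
SAMPLE_TOKEN = (_b64url_encode({"alg": "none", "typ": "JWT"}) + "."
                + _b64url_encode({"sub": "123", "exp": 1_600_000_000}) + ".")

if __name__ == "__main__":
    print(header_findings(SAMPLE_RESPONSE))
    print(jwt_findings(SAMPLE_TOKEN))
```

Both functions return finding identifiers rather than raising, so a scanner can map each identifier to a category and remediation text, and the JWT inspection deliberately stops at parsing: a scanner that observes a token has no key to verify it with, and the point is to report what the token's own header and claims reveal.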
OpenAPI analysis is included for versions 3.0, 3.1, and Swagger 2.0, with recursive $ref resolution to cross-reference spec definitions against runtime behavior. This highlights undefined security schemes, sensitive fields, deprecated operations, and missing pagination directly in the context of your specification.
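As an added illustration of the spec-side analysis described above (example code, not middleBrick's parser), the block below resolves local $ref pointers recursively, including a two-level chain and a self-referential schema, and then walks each operation to flag the absence of a security requirement, deprecated operations, collection responses with no pagination parameter, and sensitive property names. The sample spec, the pagination parameter names, and the sensitive-field list are constructed assumptions.

```python
# Constructed sample spec: one paginated collection, one unauthenticated and
# deprecated item lookup, and one collection that returns an unbounded array.
SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearer": []}],  # global requirement, inherited by operations
    "components": {
        "securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}},
        "parameters": {
            "Page": {"name": "page", "in": "query", "schema": {"type": "integer"}},
        },
        "schemas": {
            "User": {"type": "object",
                     "properties": {"id": {"type": "integer"}, "ssn": {"type": "string"}}},
            "UserList": {"type": "array", "items": {"$ref": "#/components/schemas/User"}},
        },
    },
    "paths": {
        "/users": {"get": {
            "parameters": [{"$ref": "#/components/parameters/Page"}],
            "responses": {"200": {"description": "ok", "content": {
                "application/json": {"schema": {"$ref": "#/components/schemas/UserList"}}}}},
        }},
        "/users/{id}": {"get": {
            "security": [], "deprecated": True,  # explicit empty list disables auth
            "responses": {"200": {"description": "ok"}},
        }},
        "/orders": {"get": {
            "responses": {"200": {"description": "ok", "content": {
                "application/json": {"schema": {"type": "array", "items": {"type": "object"}}}}}},
        }},
    },
}

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")
PAGINATION_PARAMS = {"page", "limit", "offset", "cursor", "page_size"}  # assumption
SENSITIVE_NAMES = {"ssn", "password", "secret", "token", "credit_card"}  # assumption


def _lookup(doc: dict, pointer: str):
    """Follow a local JSON pointer such as '#/components/schemas/User'."""
    if not pointer.startswith("#/"):
        raise ValueError("only local $ref pointers are supported: " + pointer)
    node = doc
    for part in pointer[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node


def resolve_refs(doc: dict, node=None, chain=()):
    """Return a copy of `node` with every $ref replaced by its target.
    `chain` holds the refs on the current path, so a recursive schema is
    left as a pointer instead of expanding forever."""
    if node is None:
        node = doc
    if isinstance(node, dict):
        if "$ref" in node:
            ref = node["$ref"]
            if ref in chain:
                return {"$ref": ref}
            return resolve_refs(doc, _lookup(doc, ref), chain + (ref,))
        return {k: resolve_refs(doc, v, chain) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(doc, v, chain) for v in node]
    return node


def _sensitive_fields(schema) -> list:
    found = []
    if isinstance(schema, dict):
        for name, sub in schema.get("properties", {}).items():
            if name.lower() in SENSITIVE_NAMES:
                found.append(name)
            found += _sensitive_fields(sub)
        found += _sensitive_fields(schema.get("items"))
    return found


def spec_findings(doc: dict) -> list:
    spec = resolve_refs(doc)
    global_security = spec.get("security", [])
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if not op:
                continue
            loc = method.upper() + " " + path
            if not op.get("security", global_security):
                findings.append(loc + ": no-security-requirement")
            if op.get("deprecated"):
                findings.append(loc + ": deprecated-operation")
            params = {p.get("name") for p in item.get("parameters", []) + op.get("parameters", [])}
            for resp in op.get("responses", {}).values():
                for media in resp.get("content", {}).values():
                    schema = media.get("schema", {})
                    if method == "get" and schema.get("type") == "array" and not params & PAGINATION_PARAMS:
                        findings.append(loc + ": array-response-without-pagination")
                    findings += [loc + ": sensitive-field-" + n for n in _sensitive_fields(schema)]
    return findings


if __name__ == "__main__":
    for f in spec_findings(SPEC):
        print(f)
```

The resolver tracks the refs on the current path rather than a global visited set, so the same schema referenced from two places is expanded in both, while a schema that refers to itself stops at the pointer; the finding walk then never has to worry about cycles.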
Authenticated scanning and safety controls
Authenticated scanning is available from the Starter tier onward, supporting Bearer tokens, API keys, Basic auth, and cookies. Domain verification requires a DNS TXT record or an HTTP well-known file to ensure only the domain owner can scan with credentials.
The scanner enforces a strict header allowlist, forwarding only Authorization, X-API-Key, Cookie, and X-Custom-* headers. Read-only methods are strictly enforced, with destructive payloads never sent. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers, and customer data is deletable on demand, purged within 30 days of cancellation, never sold, and never used for model training.
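The two safety controls just described, a strict header allowlist and a block on private, loopback, link-local and cloud metadata targets, are shown below as an added example of how a scanner can implement them; this is not middleBrick's code, and the metadata addresses, the blocked hostnames and the sample inputs are assumptions. The example goes one step beyond the text by handling IPv4-mapped IPv6 literals, which otherwise slip past an IPv4-only check.

```python
import ipaddress
from urllib.parse import urlsplit

# Exact header names that may be forwarded, plus one allowed prefix.
ALLOWED_HEADERS = {"authorization", "x-api-key", "cookie"}
ALLOWED_PREFIX = "x-custom-"


def filter_headers(headers: dict) -> dict:
    """Keep only allowlisted headers; everything else is dropped silently so a
    caller cannot smuggle hop-by-hop or spoofing headers into the scan."""
    kept = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname in ALLOWED_HEADERS or lname.startswith(ALLOWED_PREFIX):
            kept[name] = value
    return kept


# Assumed block list for this example: cloud metadata services by hostname
# and by the well-known addresses they listen on.
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}
METADATA_IPS = {ipaddress.ip_address("169.254.169.254"), ipaddress.ip_address("fd00:ec2::254")}


def ip_is_safe(ip):
    """Second layer: applied to every address a target resolves to."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip_is_safe(ip.ipv4_mapped)  # ::ffff:127.0.0.1 is still loopback
    if ip in METADATA_IPS:
        return False, "cloud-metadata"
    if (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return False, "non-public-address"
    return True, "ok"


def target_is_safe(url: str):
    """First layer: applied to the URL before any connection is attempted."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme"
    host = parts.hostname
    if not host:
        return False, "no-host"
    host = host.lower().rstrip(".")
    if host in BLOCKED_HOSTNAMES or host.endswith(".localhost"):
        return False, "blocked-hostname"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A hostname: the caller must resolve it, run ip_is_safe() on every
        # resulting address, and connect to that pinned address, otherwise a
        # rebinding DNS answer would route the request to a blocked target.
        return True, "hostname-needs-resolution-check"
    return ip_is_safe(ip)


if __name__ == "__main__":
    print(filter_headers({"Authorization": "Bearer t", "X-Forwarded-For": "1.2.3.4"}))
    print(target_is_safe("http://169.254.169.254/latest/meta-data/"))
```

The "multiple layers" in the text matter here: the URL check alone cannot decide a hostname, so the same address test has to run again after resolution and the connection has to use the address that was tested, or redirects and rebinding would let a scan reach an internal service through a public-looking name.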
Product features, integrations, and limitations
Deliverables include a Web Dashboard for scan management and trend tracking, CLI access via an npm package with JSON or text output, a GitHub Action for CI/CD gating, an MCP Server for AI coding assistants, and a programmatic API for custom integrations. Continuous monitoring on Pro tiers supports scheduled rescans, diff detection, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks with auto-disable after five consecutive failures.
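The webhook behaviour described above, HMAC-SHA256 signatures and auto-disable after five consecutive failures, is illustrated by the following added example of a sender and the matching receiver-side verification; it is example code, not middleBrick's implementation, and the header names, the timestamp-in-MAC scheme, the replay window and the sample event are assumptions.

```python
import hashlib
import hmac
import json
import time
from typing import Callable, Optional

SIGNATURE_HEADER = "X-Webhook-Signature"  # assumed header name
TIMESTAMP_HEADER = "X-Webhook-Timestamp"  # assumed header name
MAX_SKEW_SECONDS = 300                    # assumed replay window
MAX_CONSECUTIVE_FAILURES = 5              # from the text: auto-disable after five


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    # Binding the timestamp into the MAC lets the receiver reject replays
    # without a signature that covers an ever-growing list of nonces.
    msg = str(timestamp).encode() + b"." + body
    return "sha256=" + hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: dict, body: bytes, now: Optional[int] = None) -> bool:
    """Receiver side: reject stale timestamps, then compare in constant time."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers.get(TIMESTAMP_HEADER, ""))
    except ValueError:
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    return hmac.compare_digest(sign(secret, ts, body), headers.get(SIGNATURE_HEADER, ""))


class WebhookEndpoint:
    def __init__(self, url: str, secret: bytes):
        self.url = url
        self.secret = secret
        self.consecutive_failures = 0
        self.enabled = True

    def record_delivery(self, ok: bool) -> bool:
        """A success resets the counter; the fifth failure in a row disables
        the endpoint so a dead receiver does not get hammered forever."""
        if ok:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
                self.enabled = False
        return self.enabled


def deliver(endpoint: WebhookEndpoint, event: dict,
            transport: Callable[[str, dict, bytes], int],
            now: Optional[int] = None) -> bool:
    """Sender side. `transport(url, headers, body)` performs the HTTP POST and
    returns the status code; it is injected so the example runs offline."""
    if not endpoint.enabled:
        return False
    now = int(time.time()) if now is None else now
    # Canonical serialisation so sender and receiver sign identical bytes.
    body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
    headers = {
        "Content-Type": "application/json",
        TIMESTAMP_HEADER: str(now),
        SIGNATURE_HEADER: sign(endpoint.secret, now, body),
    }
    try:
        ok = 200 <= transport(endpoint.url, headers, body) < 300
    except Exception:  # network errors count as failed deliveries
        ok = False
    endpoint.record_delivery(ok)
    return ok


if __name__ == "__main__":
    ep = WebhookEndpoint("https://hooks.example.test/scan", b"constructed-secret")
    captured = {}

    def fake_transport(url, headers, body):
        captured.update(headers=headers, body=body)
        return 200

    deliver(ep, {"api": "billing", "new_findings": 2}, fake_transport)
    print(verify(ep.secret, captured["headers"], captured["body"]))
```

Verification must compare the raw request body, not a re-serialised copy of the parsed JSON, and must use hmac.compare_digest rather than ==, otherwise a receiver leaks timing information about the expected signature.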
The tool explicitly does not fix, patch, block, or remediate findings; it provides detection and contextual remediation guidance. It cannot detect business logic vulnerabilities or blind SSRF requiring out-of-band infrastructure, and it does not replace a human pentester for high-stakes audits. Pricing tiers range from Free with limited scans to Enterprise with unlimited APIs, custom rules, SSO, audit logs, SLAs, and dedicated support.