42Crunch for Actix Web
What middleBrick covers
- Black-box scanning with no agents or SDK integration.
- Sub-minute scan times for rapid feedback.
- Detection of OWASP API Top 10 (2023) categories.
- Authenticated scanning with header allowlist.
- CI/CD integration via GitHub Action and MCP Server.
- Continuous monitoring with diff-based alerting.
Overview of API Security for Actix Web
Actix Web is a high-performance Rust framework that encourages explicit route definitions and middleware composition. This structure exposes authentication and authorization boundaries that are well suited for black-box assessment. middleBrick scans public endpoints without requiring code access or build artifacts, making it practical for Rust-based services where instrumentation is undesirable.
How middleBrick Evaluates Actix Web Applications
The scanner treats Actix Web as an opaque API surface, focusing on HTTP semantics rather than framework internals. It follows links and forms, tests parameter handling, and validates security headers independent of the underlying server implementation. For OpenAPI-defined Actix services, the parser resolves recursive $ref elements and cross-checks declared security schemes against observed runtime behavior, highlighting undefined security schemes and deprecated operations.
- Public endpoints are probed using read-only methods (GET and HEAD).
- Where authentication is required, authenticated scanning with Bearer, API key, Basic auth, or Cookie credentials can be used after domain verification.
- Only a controlled allowlist of headers is forwarded, including Authorization, X-API-Key, Cookie, and X-Custom-*.
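The allowlist above, written out as an added example (this is not middleBrick's own code; the header names come from the page, while case-insensitive matching and the way the X-Custom-* prefix is applied are assumptions):

```rust
// Added example, not middleBrick's code: a header allowlist as the text describes it.
// The three exact names and the X-Custom-* prefix come from the page; case-insensitive
// matching and the requirement that a prefix match carry a suffix are assumptions.

const EXACT_ALLOW: [&str; 3] = ["authorization", "x-api-key", "cookie"];
const PREFIX_ALLOW: [&str; 1] = ["x-custom-"];

/// True if a caller-supplied header may be forwarded to the target.
pub fn is_forwardable(name: &str) -> bool {
    let n = name.trim().to_ascii_lowercase();
    EXACT_ALLOW.contains(&n.as_str())
        || PREFIX_ALLOW.iter().any(|p| n.starts_with(p) && n.len() > p.len())
}

/// Keep only allowlisted headers and report what was dropped, so a user can see why
/// a Host or X-Forwarded-For override from the scan config never reached the target.
pub fn filter_headers(provided: &[(&str, &str)]) -> (Vec<(String, String)>, Vec<String>) {
    let mut kept = Vec::new();
    let mut dropped = Vec::new();
    for (k, v) in provided {
        if is_forwardable(k) {
            kept.push((k.to_string(), v.to_string()));
        } else {
            dropped.push(k.to_string());
        }
    }
    (kept, dropped)
}

fn main() {
    // Constructed input standing in for an authenticated-scan header configuration.
    let provided = [
        ("Authorization", "Bearer constructed-token"),
        ("X-Custom-Tenant", "acme"),
        ("Host", "internal.example"),
        ("X-Forwarded-For", "127.0.0.1"),
    ];
    let (kept, dropped) = filter_headers(&provided);
    println!("forwarded: {:?}\ndropped: {:?}", kept, dropped);
}
```

The point of returning the dropped names is operational: when an authenticated scan comes back unauthenticated, the first thing to check is whether the credential header was on the allowlist at all.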
Coverage of OWASP API Top 10 (2023) for Actix Web
The scanner maps findings to OWASP API Top 10 (2023) and checks configurations relevant to common Actix Web patterns. Detection examples relevant to Actix Web include CORS responses that combine a wildcard Access-Control-Allow-Origin with Access-Control-Allow-Credentials, verbose error messages that reveal internal paths, and exposed debug or health endpoints that should be restricted. The scanner also inspects authorization headers and JWT handling, including whether unsigned alg=none tokens are accepted and whether tokens carry and enforce an expiration, which matters when Actix middleware validates tokens by hand rather than through a vetted library.
- Authentication bypass and JWT misconfigurations.
- BOLA and IDOR via sequential ID patterns.
- Input validation issues such as dangerous HTTP methods and debug endpoints.
- Data exposure through error and stack trace leakage.
- SSRF risks around URL-accepting parameters and body fields.
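What the CORS, JWT and error-leakage checks in the list above amount to, as an added example (this is not middleBrick's or Actix Web's code). The response, the panic text and the JWT are all constructed inline; the reflected-origin case in `check_cors` goes one step beyond the wildcard case the page names, and the one-field JSON extractor is a deliberate stand-in for a real JSON parser:

```rust
// Added example (not middleBrick's or Actix Web's code): passive checks of the kind the
// text lists, run over a constructed HTTP response and a constructed JWT. std only.
// Finding labels use the OWASP API Top 10 (2023) numbering this page refers to.

/// Minimal response model; header names are matched case-insensitively.
pub struct Response { pub status: u16, pub headers: Vec<(String, String)>, pub body: String }

impl Response {
    fn header(&self, name: &str) -> Option<&str> {
        self.headers.iter().find(|(k, _)| k.eq_ignore_ascii_case(name)).map(|(_, v)| v.trim())
    }
}

const B64: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

/// Unpadded base64url, the encoding JWT segments use.
pub fn b64url_encode(data: &[u8]) -> String {
    let mut out = String::new();
    for chunk in data.chunks(3) {
        let n = (chunk[0] as u32) << 16
            | (*chunk.get(1).unwrap_or(&0) as u32) << 8
            | *chunk.get(2).unwrap_or(&0) as u32;
        (0..=chunk.len()).for_each(|i| out.push(B64[((n >> (18 - 6 * i)) & 63) as usize] as char));
    }
    out
}

/// Rejects padding and any byte outside the base64url alphabet.
pub fn b64url_decode(s: &str) -> Option<Vec<u8>> {
    let (mut out, mut buf, mut bits) = (Vec::new(), 0u32, 0u32);
    for c in s.bytes() {
        let v = B64.iter().position(|&b| b == c)? as u32;
        buf = (buf << 6) | v;
        bits += 6;
        if bits >= 8 { bits -= 8; out.push((buf >> bits) as u8); buf &= (1 << bits) - 1; }
    }
    Some(out)
}

/// Pull one top-level field out of a small JSON object. Enough for JWT claims; not a parser.
fn json_field<'a>(json: &'a str, key: &str) -> Option<&'a str> {
    let needle = format!("\"{}\"", key);
    let start = json.find(&needle)? + needle.len();
    let rest = json[start..].trim_start().strip_prefix(':')?.trim_start();
    if let Some(s) = rest.strip_prefix('"') {
        s.find('"').map(|end| &s[..end])
    } else {
        let end = rest.find(|c: char| c == ',' || c == '}' || c.is_whitespace()).unwrap_or(rest.len());
        Some(&rest[..end])
    }
}

/// The probe a scanner sends to learn whether alg=none is accepted: encoded header and
/// payload with an empty signature segment.
pub fn make_unsigned_token(header_json: &str, payload_json: &str) -> String {
    format!("{}.{}.", b64url_encode(header_json.as_bytes()), b64url_encode(payload_json.as_bytes()))
}

/// API8:2023: wildcard or reflected origin together with credentials. `sent_origin` is the
/// Origin header the probe sent; a reflected value is the variant browsers actually honour.
pub fn check_cors(resp: &Response, sent_origin: &str) -> Option<String> {
    let acao = resp.header("Access-Control-Allow-Origin")?;
    let creds = resp.header("Access-Control-Allow-Credentials").map_or(false, |v| v.eq_ignore_ascii_case("true"));
    match (creds, acao) {
        (true, "*") => Some("API8:2023 CORS: wildcard origin with credentials".into()),
        (true, o) if o == sent_origin => Some(format!("API8:2023 CORS: reflected origin {} with credentials", o)),
        _ => None,
    }
}

/// API2:2023: inspect a JWT the service issued or accepted, without verifying it. `now` is unix seconds.
pub fn check_jwt(token: &str, now: u64) -> Vec<String> {
    let parts: Vec<&str> = token.split('.').collect();
    let decode = |p: &str| b64url_decode(p).and_then(|b| String::from_utf8(b).ok());
    let (header, payload) = match (parts.len(), parts.get(0).and_then(|p| decode(*p)), parts.get(1).and_then(|p| decode(*p))) {
        (3, Some(h), Some(p)) => (h, p),
        _ => return vec!["API2:2023 JWT: malformed token".into()],
    };
    let mut f = Vec::new();
    match json_field(&header, "alg") {
        Some(a) if a.eq_ignore_ascii_case("none") => f.push("API2:2023 JWT: alg=none (unsigned token)".into()),
        None => f.push("API2:2023 JWT: header has no alg".into()),
        _ => {}
    }
    if parts[2].is_empty() { f.push("API2:2023 JWT: empty signature".into()); }
    match json_field(&payload, "exp").and_then(|e| e.parse::<u64>().ok()) {
        None => f.push("API2:2023 JWT: no exp claim".into()),
        Some(exp) if exp <= now => f.push("API2:2023 JWT: token expired".into()),
        _ => {}
    }
    f
}

/// API8:2023: Rust panic text or source paths leaking through a 5xx body.
pub fn check_error_leak(resp: &Response) -> Option<String> {
    if resp.status < 500 { return None; }
    ["panicked at", ".rs:", "/src/"].iter().copied().find(|m| resp.body.contains(*m))
        .map(|m| format!("API8:2023 Error leak: body contains {:?}", m))
}

/// Constructed response standing in for what a misconfigured Actix service might return.
pub fn sample_response() -> Response {
    Response {
        status: 500,
        headers: vec![
            ("Access-Control-Allow-Origin".into(), "https://evil.example".into()),
            ("Access-Control-Allow-Credentials".into(), "true".into()),
        ],
        body: "thread 'actix-rt|system:0|arbiter:1' panicked at src/handlers/orders.rs:42:9".into(),
    }
}

fn main() {
    let r = sample_response();
    let token = make_unsigned_token(r#"{"alg":"none","typ":"JWT"}"#, r#"{"sub":"42","exp":1700000000}"#);
    let mut findings: Vec<String> = check_jwt(&token, 1_800_000_000);
    findings.extend(check_cors(&r, "https://evil.example"));
    findings.extend(check_error_leak(&r));
    for f in &findings { println!("{}", f); }
}
```

Two of these checks are worth relating back to Actix specifically: the default panic message of an Actix worker thread carries the handler's source path, so a handler that unwraps on bad input leaks exactly the `.rs:` marker above unless a custom error handler is in place, and an `alg=none` token is only a finding if the service accepts it, which is why the probe token is built and sent rather than merely inspected.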
Scanning Workflow and Integration with CI/CD
To initiate a scan, provide the base URL of the Actix Web service using the CLI or dashboard, for example:
middlebrick scan https://api.example.com
The scan completes in under a minute for most surfaces and returns a letter-grade risk score with prioritized findings. The GitHub Action can enforce quality gates by failing the build when the score drops below a defined threshold. For ongoing assurance, Pro tier scheduling supports hourly, daily, weekly, or monthly rescans, with diff detection that highlights new findings, resolved items, and score drift. Alerts are rate-limited to one email per hour per API.
Limitations and Compliance Alignment
middleBrick is a scanning tool and does not fix, patch, or block findings. It does not perform active SQL injection or command injection testing, nor does it detect business logic vulnerabilities that require domain understanding. Blind SSRF and out-of-band validation are not covered. The tool helps you prepare for security reviews and aligns with security controls described in PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023), but it is not an auditor and cannot certify compliance.
- Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers.
- Customer scan data is deletable on demand and never used for model training.
- Enterprise tier supports custom rules, SSO, audit logs, and dedicated support.