42Crunch for AdonisJS
What middleBrick covers
- Black-box API scanning with read-only methods, completing in under one minute
- Coverage of OWASP API Top 10 (2023) and related mapping to PCI-DSS 4.0 and SOC 2 Type II
- OpenAPI 3.0, 3.1, and Swagger 2.0 parsing with recursive $ref resolution
- Authenticated scans for Bearer, API key, Basic auth, and cookies with domain verification
- LLM security probes across Quick, Standard, and Deep tiers
- Continuous monitoring with diff detection and HMAC-SHA256 signed webhooks
AdonisJS authentication and routing surface
middleBrick scans the public routes of an AdonisJS application and evaluates authentication coverage. The framework supports multiple guards (session, jwt, basic) and middleware stacks; the scanner checks whether routes intended to be protected are missing auth enforcement or expose endpoints to unauthenticated access.
Detection focuses on JWT misconfigurations such as alg=none, weak shared secrets (HS256 with low entropy), expired tokens, missing claims, and sensitive data placed in token payloads. The scanner also reviews security headers, WWW-Authenticate compliance, and cookie settings used by the AdonisJS session driver to identify weak transport configurations.
Because AdonisJS allows route-level middleware groups, the scanner cross-checks the OpenAPI contract against the runtime route list to highlight undefined security schemes and deprecated operations that may weaken authentication boundaries.
Broken object level authorization and mass assignment
BOLA and BFLA risks are evaluated by probing endpoints that accept user-supplied identifiers and observing whether access controls are consistently enforced. The scanner looks for sequential ID enumeration through adjacent-ID probing and checks whether admin endpoints are reachable without appropriate privilege checks.
Property authorization is assessed by examining responses for over-exposure of internal fields, including sensitive status or role values, and by mapping the mass-assignment surface across POST and PUT bodies. Where AdonisJS resource controllers implicitly bind request payloads, the scanner flags fields that could be used to escalate permissions or modify protected attributes.
OpenAPI analysis highlights parameters and schemas that lack explicit security requirements, enabling the scanner to correlate spec definitions with runtime behavior and surface undefined security schemes that could lead to over-permissive authorization.
Input validation, CORS, and HTTP method risks
The scanner validates input handling by checking for dangerous HTTP methods, overly permissive CORS rules (including wildcard origins with and without credentials), and debug endpoints that may disclose internal state.
For AdonisJS projects that rely on route prefix versioning or legacy path patterns, inventory management findings highlight missing versioning and server fingerprinting that can aid reconnaissance. The scanner also inspects response payloads for error and stack-trace leakage that may reveal implementation details useful in further attacks.
Because AdonisJS provides a structured validation layer, the scanner reviews whether validation schemas consistently enforce type, format, and length constraints across all user-controlled inputs, reducing the risk of injection and injection-adjacent behaviors.
Data exposure, encryption, and SSRF considerations
Data exposure checks search for PII patterns such as email addresses, Luhn-validated card numbers, context-aware SSN formats, and API key structures (AWS, Stripe, GitHub, Slack). Findings include insecure transmission risks, missing HSTS, and weak cookie flags that can undermine transport security.
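The PII pattern matching described above can be illustrated with a small detector. This is an added example, not middleBrick's code: it scans a response body for email addresses, 13 to 19 digit runs that pass the Luhn check (so a random order number is not reported as a card), and the documented AWS access key ID prefix format. The sample body is constructed; the card number is the classic test PAN and the key is AWS's own documentation example, neither of which is a live credential.

```javascript
// Added example, not middleBrick's code: PII detection over a response body.
// Patterns are limited to email, Luhn-validated card numbers and the AWS access key ID format.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
const CARD_CANDIDATE_RE = /\b(?:\d[ -]?){13,19}\b/g; // 13-19 digits, optional space/dash separators
const AWS_ACCESS_KEY_RE = /\bAKIA[0-9A-Z]{16}\b/g;    // documented "AKIA" + 16 uppercase alphanumerics

// Standard Luhn checksum: double every second digit from the right, subtract 9 above 9.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i -= 1) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Findings should never echo the full number back into a report.
function mask(digits) {
  return '*'.repeat(digits.length - 4) + digits.slice(-4);
}

function findPii(text) {
  const hits = [];
  for (const m of text.matchAll(EMAIL_RE)) hits.push({ type: 'email', value: m[0] });
  for (const m of text.matchAll(CARD_CANDIDATE_RE)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      hits.push({ type: 'card', value: mask(digits) });
    }
  }
  for (const m of text.matchAll(AWS_ACCESS_KEY_RE)) hits.push({ type: 'aws-access-key-id', value: m[0] });
  return hits;
}

// Constructed sample response body.
const SAMPLE_BODY = JSON.stringify({
  email: 'jane.doe@example.test',
  card: '4111 1111 1111 1111',   // classic test PAN, Luhn-valid
  order: '1234567812345678',     // 16 digits but Luhn-invalid: must not be reported as a card
  key: 'AKIAIOSFODNN7EXAMPLE',   // AWS documentation example key ID
});

console.log(findPii(SAMPLE_BODY)); // email, masked card, aws-access-key-id
```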
Encryption-related checks verify HTTPS redirect chains, HSTS presence, and secure cookie attributes. SSRF probes target URL-accepting parameters and body fields, looking for references to internal IP ranges and cloud metadata endpoints, with network-level bypass attempts limited to read-only, non-destructive probes.
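The header-level checks from this section and from the CORS and HTTP method section (wildcard origins with and without credentials, HSTS presence, secure cookie attributes, dangerous methods) can be expressed as one function over a captured response. The following is an added example, not middleBrick's code; the finding identifiers, severities and both sample responses are constructed, and the hardened response is only an illustration of what the checks accept.

```javascript
// Added example, not middleBrick's code: transport and CORS checks over a captured response.
// Finding ids, severities and the two sample responses are constructed for this example.
const DANGEROUS_METHODS = new Set(['TRACE', 'TRACK', 'CONNECT']);

function lowerKeys(headers) {
  return Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
}

// Parses one Set-Cookie value into the attributes the checks care about.
function parseSetCookie(value) {
  const [nameValue, ...attrs] = value.split(';').map((s) => s.trim());
  const lowered = attrs.map((a) => a.toLowerCase());
  const sameSite = lowered.find((a) => a.startsWith('samesite='));
  return {
    name: nameValue.split('=')[0],
    secure: lowered.includes('secure'),
    httpOnly: lowered.includes('httponly'),
    sameSite: sameSite ? sameSite.slice('samesite='.length) : null,
  };
}

// Evaluates a captured response; returns finding objects, empty when nothing is flagged.
function assessResponse({ url, headers, allowMethods = [] }) {
  const findings = [];
  const h = lowerKeys(headers);
  const isHttps = url.startsWith('https://');

  // CORS: a wildcard origin is a finding; combined with credentials it is a serious one.
  const acao = h['access-control-allow-origin'];
  const acac = String(h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  if (acao === '*' && acac) findings.push({ severity: 'high', id: 'cors-wildcard-with-credentials' });
  else if (acao === '*') findings.push({ severity: 'medium', id: 'cors-wildcard-origin' });

  // Transport: HTTPS responses should carry HSTS.
  if (isHttps && !h['strict-transport-security']) findings.push({ severity: 'medium', id: 'missing-hsts' });

  // Cookies: session cookies need Secure, HttpOnly and an explicit SameSite.
  for (const raw of [].concat(h['set-cookie'] || [])) {
    const c = parseSetCookie(raw);
    if (isHttps && !c.secure) findings.push({ severity: 'medium', id: `cookie-missing-secure:${c.name}` });
    if (!c.httpOnly) findings.push({ severity: 'medium', id: `cookie-missing-httponly:${c.name}` });
    if (!c.sameSite) findings.push({ severity: 'low', id: `cookie-missing-samesite:${c.name}` });
  }

  // Methods: anything advertised beyond the expected verbs.
  for (const m of allowMethods) {
    const verb = m.toUpperCase();
    if (DANGEROUS_METHODS.has(verb)) findings.push({ severity: 'low', id: `dangerous-method:${verb}` });
  }
  return findings;
}

// Constructed samples: a weak AdonisJS-style response beside a hardened one.
const WEAK = {
  url: 'https://api.example.test/v1/users',
  headers: {
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Credentials': 'true',
    'Set-Cookie': ['adonis-session=abc123; Path=/'],
  },
  allowMethods: ['GET', 'POST', 'TRACE'],
};
const HARDENED = {
  url: 'https://api.example.test/v1/users',
  headers: {
    'Access-Control-Allow-Origin': 'https://app.example.test',
    'Access-Control-Allow-Credentials': 'true',
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'Set-Cookie': ['adonis-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
  },
  allowMethods: ['GET', 'POST'],
};

console.log(assessResponse(WEAK).map((f) => f.id));     // six findings
console.log(assessResponse(HARDENED).map((f) => f.id)); // []
```

The hardened response still allows credentials, but only for one explicit origin; that is the shape AdonisJS's CORS configuration should take when cookies are used, and it is the case the checks deliberately leave unflagged.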
For AdonisJS applications that integrate third-party webhooks or external HTTP clients, the scanner assesses unsafe consumption surfaces, including excessive third-party URLs and callback endpoints that may be reachable by unverified callers.
LLM security and continuous monitoring
The scanner includes an LLM security profile with 18 adversarial probes executed across three tiers (Quick, Standard, Deep). These probes test system prompt extraction, instruction override attempts, DAN and roleplay jailbreaks, data exfiltration strategies, cost exploitation, encoding bypasses, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool abuse, nested instruction injection, and PII extraction.
When authenticated scanning is enabled using Bearer tokens, API keys, Basic auth, or cookies, the domain verification gate ensures that only the domain owner can submit credentials. Header forwarding is limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers to reduce unintended side effects.
For ongoing risk management, the Pro tier provides scheduled rescans, diff detection across runs, email alerts limited to one per hour per API, and HMAC-SHA256 signed webhooks with auto-disable after five consecutive failures. The scanner does not fix, patch, block, or remediate; it reports findings with guidance to support manual review and controlled experiments.