42Crunch for Axum
What middleBrick covers
- Black-box scanning with no agents or code access
- Under one minute scan time per API
- 12 categories aligned to OWASP API Top 10
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing
- Authenticated scans with header allowlist
- Continuous monitoring and diff detection
Overview of API Security for Axum Services
Securing Rust-based Axum services requires visibility into runtime behavior rather than assumptions drawn from code or schema. middleBrick is a black-box scanner that evaluates live endpoints, regardless of the implementation language or framework behind them. It maps findings to the OWASP API Security Top 10 (2023), produces evidence usable in a SOC 2 Type II audit, and aligns with the security controls described in PCI-DSS 4.0.
How middleBrick Interacts with Axum Applications
middleBrick performs read-only requests against public-facing URLs, using GET and HEAD by default and text-only POST requests for LLM probes. It requires no SDK integration or code changes, so it works against any deployed Axum binary, whether generated from a template or built on a custom Router. The scanner follows redirects, inspects response headers, and validates authentication mechanisms from the outside, without executing framework-specific logic.
OpenAPI documents (Swagger 2.0, OpenAPI 3.0, and 3.1) are parsed with recursive $ref resolution, and the spec's definitions are cross-referenced against runtime responses. This identifies undefined security schemes, deprecated operations, and missing pagination in Axum projects that publish a spec for external tooling.
Detection Coverage Relevant to Axum Implementations
The scanner covers 12 categories aligned to the OWASP API Top 10, with emphasis on issues commonly observed in Rust API services. Key checks include authentication bypass and JWT misconfigurations, broken object level authorization (BOLA/IDOR) via sequential ID probing, and over-exposed properties, typically a database struct carrying #[derive(Serialize)] that is returned straight from a handler and so leaks its internal fields.
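The two Rust-specific checks named above, shown as an added example (this is not middleBrick's or Axum's code). The lookups are plain functions so the logic runs without the axum crate; wiring into an axum::Router and the serde derives are omitted, and the Order, OrderView, OrderPatch types and the sample data are hypothetical:

```rust
// Added example, not middleBrick's or Axum's code. Order/OrderView/OrderPatch and
// the sample rows are hypothetical; axum::Router wiring and serde derives omitted.
use std::collections::HashMap;

#[derive(Clone, Debug, PartialEq)]
struct Order {
    id: u64,
    owner_id: u64,
    total_cents: u64,
    status: &'static str,
    // Internal columns. With #[derive(Serialize)] on this struct, returning it
    // straight from a handler serialises these too: the over-exposed-properties finding.
    internal_cost_cents: u64,
    fraud_score: f32,
}

/// Vulnerable: trusts the path id, never asks who the caller is, and returns the
/// whole row. Sequential ids let adjacent-ID probing (/orders/1, /orders/2, ...)
/// enumerate every customer's order.
fn get_order_vulnerable(db: &HashMap<u64, Order>, id: u64) -> Option<Order> {
    db.get(&id).cloned()
}

/// Response type: only the fields a client may see. Built explicitly, so a new
/// internal column cannot silently widen the API response.
#[derive(Debug, PartialEq)]
struct OrderView {
    id: u64,
    total_cents: u64,
    status: &'static str,
}

impl From<&Order> for OrderView {
    fn from(o: &Order) -> Self {
        OrderView { id: o.id, total_cents: o.total_cents, status: o.status }
    }
}

#[derive(Debug, PartialEq)]
enum ApiError {
    NotFound, // the handler maps this to 404
}

/// Hardened: the lookup is scoped to the authenticated caller, and "not yours" is
/// answered exactly like "does not exist", so id probing gets no oracle.
fn get_order_hardened(db: &HashMap<u64, Order>, caller_id: u64, id: u64) -> Result<OrderView, ApiError> {
    match db.get(&id) {
        Some(o) if o.owner_id == caller_id => Ok(OrderView::from(o)),
        _ => Err(ApiError::NotFound),
    }
}

/// Request type for an update: only the field a client may change exists here, so
/// a body carrying owner_id or fraud_score has nowhere to land (the mass-assignment
/// finding). With serde, add #[serde(deny_unknown_fields)] to reject such bodies.
struct OrderPatch {
    status: &'static str,
}

fn patch_order(db: &mut HashMap<u64, Order>, caller_id: u64, id: u64, patch: OrderPatch) -> Result<OrderView, ApiError> {
    match db.get_mut(&id) {
        Some(o) if o.owner_id == caller_id => {
            o.status = patch.status;
            Ok(OrderView::from(&*o))
        }
        _ => Err(ApiError::NotFound),
    }
}

/// Constructed sample data: two customers, one order each, sequential ids.
fn sample_db() -> HashMap<u64, Order> {
    HashMap::from([
        (1, Order { id: 1, owner_id: 1, total_cents: 1299, status: "shipped", internal_cost_cents: 640, fraud_score: 0.02 }),
        (2, Order { id: 2, owner_id: 2, total_cents: 4500, status: "pending", internal_cost_cents: 2100, fraud_score: 0.71 }),
    ])
}

fn main() {
    let mut db = sample_db();
    // Customer 2 asks for customer 1's order.
    println!("vulnerable: {:?}", get_order_vulnerable(&db, 1));
    println!("hardened:   {:?}", get_order_hardened(&db, 2, 1));
    println!("owner:      {:?}", get_order_hardened(&db, 1, 1));
    println!("patch:      {:?}", patch_order(&mut db, 2, 1, OrderPatch { status: "cancelled" }));
}
```

Returning NotFound rather than a distinct "forbidden" status for someone else's id is a deliberate choice: a 403 on ids that exist and a 404 on ids that do not is exactly the oracle an adjacent-ID probe looks for.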
- Authentication and security header validation, including WWW-Authenticate compliance (RFC 9110 requires a 401 response to carry a WWW-Authenticate header; Axum does not add one when a handler returns StatusCode::UNAUTHORIZED on its own).
- BOLA/IDOR through active adjacent-ID probing where numeric, sequential IDs are used.
- Property Authorization to detect mass-assignment surfaces (request types that accept fields a client should never set) and internal field leakage in responses.
- Input Validation for CORS wildcard rules and dangerous HTTP methods left enabled.
- Rate Limiting detection via response headers and unbounded (oversized) responses, which usually indicate missing pagination.
- LLM / AI Security with 18 adversarial probes across Quick, Standard, and Deep tiers.
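A local pre-check for the header-based findings in the list above, as an added example rather than middleBrick's own detection code. The page does not state which exact headers or methods the scanner keys on; the RateLimit-*, X-RateLimit-* and Retry-After names and the TRACE method are this example's assumptions, and the responses it runs over are constructed:

```rust
// Added example, not middleBrick's or Axum's code. Header/method names below are
// assumptions; the responses in main() are constructed, not captured.

#[derive(Debug, PartialEq, Clone, Copy)]
enum Finding {
    /// 401 without WWW-Authenticate (RFC 9110 requires the header).
    MissingWwwAuthenticate,
    /// Access-Control-Allow-Origin: * on the endpoint.
    CorsWildcardOrigin,
    /// Wildcard origin together with Access-Control-Allow-Credentials: true.
    /// Browsers refuse this pairing, so it never works as intended and usually
    /// points to a hand-rolled CORS layer rather than a deliberate policy.
    CorsWildcardWithCredentials,
    /// A method such as TRACE advertised in Allow.
    DangerousMethodAllowed,
    /// No rate-limit signalling at all in the response.
    NoRateLimitHeaders,
}

/// A captured response: status plus header pairs in the order received.
struct Response<'a> {
    status: u16,
    headers: &'a [(&'a str, &'a str)],
}

/// HTTP header names are case-insensitive, so never compare them with ==.
fn header<'a>(r: &Response<'a>, name: &str) -> Option<&'a str> {
    r.headers
        .iter()
        .find(|(k, _)| k.eq_ignore_ascii_case(name))
        .map(|(_, v)| *v)
}

fn audit(r: &Response) -> Vec<Finding> {
    let mut out = Vec::new();

    if r.status == 401 && header(r, "WWW-Authenticate").is_none() {
        out.push(Finding::MissingWwwAuthenticate);
    }

    let wildcard = header(r, "Access-Control-Allow-Origin").map(str::trim) == Some("*");
    let credentials = header(r, "Access-Control-Allow-Credentials")
        .map_or(false, |v| v.trim().eq_ignore_ascii_case("true"));
    if wildcard {
        out.push(if credentials { Finding::CorsWildcardWithCredentials } else { Finding::CorsWildcardOrigin });
    }

    // Allow is a comma-separated method list, e.g. "GET, HEAD, TRACE".
    if let Some(allow) = header(r, "Allow") {
        if allow.split(',').any(|m| m.trim().eq_ignore_ascii_case("TRACE")) {
            out.push(Finding::DangerousMethodAllowed);
        }
    }

    let rate_limited = r.headers.iter().any(|(k, _)| {
        let k = k.to_ascii_lowercase();
        k.starts_with("ratelimit-") || k.starts_with("x-ratelimit-") || k == "retry-after"
    });
    if !rate_limited {
        out.push(Finding::NoRateLimitHeaders);
    }
    out
}

fn main() {
    // Constructed responses, not captured from any real service.
    let unauth = Response { status: 401, headers: &[("Content-Type", "application/json")] };
    let cors = Response {
        status: 200,
        headers: &[
            ("access-control-allow-origin", "*"),
            ("Access-Control-Allow-Credentials", "true"),
            ("X-RateLimit-Limit", "100"),
        ],
    };
    for (name, r) in [("401 without challenge", &unauth), ("wildcard CORS", &cors)] {
        println!("{}: {:?}", name, audit(r));
    }
}
```

Run it against a `curl -i` capture of each route before the first scan and most of the header findings are gone before the scanner ever sees the service.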
Authenticated Scanning and Axum Middleware Considerations
Authenticated scanning is available in the Starter tier and above and supports Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through a DNS TXT record or an HTTP well-known file, so only the domain owner can run credentialed scans against it.
When scanning Axum services that rely on custom middleware, configure the scanner to forward the headers your middleware actually reads; only Authorization, X-API-Key, Cookie, and X-Custom-* are allowed, and any other header is not sent. If your middleware authenticates on a header outside that list, expose it under an X-Custom-* name for the scan, otherwise the credentialed scan is effectively evaluated as unauthenticated. The allowlist reduces noise and focuses evaluation on the security controls implemented in your middleware chain.
Limitations and Operational Notes for Axum Projects
middleBrick detects and reports findings with remediation guidance, but it does not fix, patch, block, or remediate issues. It does not perform active SQL or command injection testing, nor does it detect business logic vulnerabilities that require domain understanding; those still need code review and manual testing.
The scanner blocks private IP ranges, localhost, and cloud metadata endpoints at multiple layers, so it cannot be pointed at internal infrastructure. Customer data is deletable on demand and is purged within 30 days of cancellation. Continuous monitoring is available in the Pro tier with scheduled rescans, diff detection, and HMAC-SHA256 signed webhooks; verify the signature over the raw request body with a constant-time comparison before acting on a webhook payload.