42Crunch for Backend-for-Frontend (BFF)

A Backend-for-Frontend layer aggregates multiple downstream services and exposes a tailored API to the frontend. This consolidation expands the BFF attack surface and introduces risks that a scanner evaluates without requiring code access.

The scanner checks authentication bypass paths, JWT misconfigurations such as alg=none or missing claims, and security header compliance including WWW-Authenticate. It probes BOLA and IDOR via sequential ID patterns and active adjacent-ID checks, and it tests BFLA by probing admin endpoints and role/permission leakage.

Input validation is assessed through CORS wildcard detection (with and without credentials), dangerous HTTP methods, and debug endpoints. The scan covers sensitive data exposure such as email and credit card patterns, API key formats, error and stack-trace leakage, and encryption signals like HTTPS redirects, HSTS, and cookie flags.

For BFF-specific routing, the tool surfaces findings related to over-exposed properties, mass-assignment surfaces, and unauthorized method exposure, mapping findings to OWASP API Top 10 (2023) and PCI-DSS 4.0 where applicable.

SSRF risks are evaluated through URL-accepting parameters and body fields, with internal IP detection and active IP-bypass probes. The scanner also reviews versioning, legacy path patterns, and server fingerprinting as part of inventory management.

When LLM or AI features are exposed through BFF endpoints, the scanner runs adversarial probes across three tiers: Quick, Standard, and Deep. These probes target system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration, and cost exploitation.

Techniques such as base64 and ROT13 encoding bypass, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool-abuse, nested instruction injection, and PII extraction are included in the assessment scope.

Findings from LLM probes are reported with severity indicators and remediation guidance, aligned to OWASP API Top 10 (2023). The scanner does not perform model training or alter infrastructure; it only observes behavioral responses within read-only constraints.

This coverage helps you prepare for security reviews where AI features are integrated into the BFF, highlighting risks such as prompt injection and unintended data exposure through model interactions.

Because LLM behaviors can vary by provider and configuration, the scanner reports what it observes and supplements findings with contextual remediation steps rather than assuming a universal fix.

The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references spec definitions against runtime findings to highlight mismatches.

Detected issues include undefined security schemes, sensitive fields in responses, deprecated operations, and missing pagination. These findings can be mapped to SOC 2 Type II controls and PCI-DSS 4.0 requirements as part of audit evidence collection.

By comparing the declared schema to actual responses, the tool surfaces unexpected data exposure and deviations from intended authorization boundaries. This supports reviews where specification drift contributes to risk in BFF implementations.

Authenticated scans validate that declared security schemes are enforced at runtime, ensuring that Bearer, API key, Basic auth, and Cookie-based mechanisms behave as documented.

Because OpenAPI analysis is static and runtime tests are read-only, the process avoids destructive testing while still revealing configuration and design gaps relevant to API security.

Authenticated scans are available from the Starter tier onward, supporting Bearer, API key, Basic auth, and Cookie credentials. Domain verification is required: the scanner checks a DNS TXT record or an HTTP well-known file to confirm domain ownership before authenticated tests proceed.

Only a restricted set of headers is forwarded: Authorization, X-API-Key, Cookie, and X-Custom-* headers. This controlled header allowlist preserves security while enabling necessary context for evaluation.

Scan duration remains under a minute, and all access is read-only. No agents, SDKs, or code modifications are required, making this approach compatible with any language, framework, or cloud environment.

For regulated workflows, scan data can be deleted on demand and is purged within 30 days of cancellation. The tool does not replace a human pentester for high-stakes audits, and it does not perform intrusive injection tests.

The Web Dashboard centralizes scan results, score trends, and branded compliance PDFs. The CLI via the middlebrick npm package supports JSON and text output for automation, and the GitHub Action can gate CI/CD when scores fall below a threshold.

An MCP Server enables scanning from AI coding assistants such as Claude and Cursor. An API client allows custom integrations for organizations with existing workflows.

Pro tier adds continuous monitoring with scheduled rescans every 6 hours, daily, weekly, or monthly. Diff detection highlights new findings, resolved findings, and score drift, with email alerts rate-limited to one per hour per API.

HMAC-SHA256 signed webhooks are delivered with auto-disable after five consecutive failures. Enterprise tiers provide unlimited APIs, custom rules, SSO, audit logs, SLA-backed support, and dedicated assistance.