42Crunch for Bug bounty triage assist
What middleBrick covers
- Black-box API scanning with a sub-minute scan time
- Risk scoring from A to F with prioritized findings
- OWASP API Top 10 (2023) aligned detection across 12 categories
- OpenAPI 3.x and Swagger 2.0 spec parsing with $ref resolution
- Authenticated scanning with header allowlist and domain verification
- Dashboard, CLI, GitHub Action, and MCP Server integrations
Black-box scanning for bug bounty triage
middleBrick is a self-service API security scanner designed for external assessment without requiring code access or agents. You submit a target URL and receive a risk score from A to F along with prioritized findings. The scan completes in under a minute using only read-only methods such as GET and HEAD, with text-only POST support for LLM probes. This approach suits bug bounty triage when you need a rapid assessment of the exposed surface without intrusive interaction with the target environment that could trigger defensive controls.
Detection scope aligned to OWASP API Top 10
The scanner evaluates 12 security categories aligned to OWASP API Top 10 (2023):
- Authentication bypass and JWT misconfigurations
- BOLA and IDOR via sequential and adjacent ID probing
- BFLA and privilege escalation through admin endpoint discovery
- Property authorization issues such as over-exposure and mass assignment
- Input validation, including CORS wildcard detection
- Rate limiting and resource consumption signals
- Data exposure patterns, including PII and API key leaks
- Encryption and HTTPS hygiene
- SSRF indicators
- Inventory issues such as missing versioning
- Unsafe consumption surfaces
- LLM/AI security probes across multiple tiers
OpenAPI analysis and authenticated scanning
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 definitions with recursive $ref resolution, cross-referencing spec definitions against runtime findings such as undefined security schemes and deprecated operations. For authenticated scanning, the platform supports Bearer, API key, Basic auth, and Cookie methods after domain verification via DNS TXT or HTTP well-known file. Only a limited set of headers is forwarded, and scans remain read-only, avoiding intrusive payloads.
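As an added illustration of the $ref resolution and spec cross-check described above (example code written for this page, not middleBrick's own implementation), the following Python resolves local references in a small constructed OpenAPI document and reports operations that reference an undefined security scheme or are marked deprecated:

```python
# Added example, not middleBrick's own code: resolve local $ref pointers in an
# OpenAPI 3.x document, then flag undefined security schemes and deprecated operations.
HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

SAMPLE_SPEC = {  # constructed for illustration; x-shared is a vendor extension
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "x-shared": {"userOps": {"get": {"operationId": "getUser", "security": [{"bearerAuth": []}]}}},
    },
    "paths": {
        "/users/{id}": {"$ref": "#/components/x-shared/userOps"},
        "/admin/export": {"get": {"operationId": "exportAll", "security": [{"adminKey": []}]}},
        "/v1/legacy": {"get": {"operationId": "legacy", "deprecated": True}},
    },
}

def resolve(node, root, depth=0):
    """Return node with every local JSON-pointer $ref replaced by its target."""
    if depth > 32:  # bound on chained refs; guards against a cyclic $ref
        raise ValueError("$ref chain too deep; probable cycle")
    if isinstance(node, dict):
        if "$ref" in node:
            if not node["$ref"].startswith("#/"):
                raise ValueError(f"only local refs are supported: {node['$ref']}")
            target = root
            for part in node["$ref"][2:].split("/"):  # unescape JSON pointer
                target = target[part.replace("~1", "/").replace("~0", "~")]
            return resolve(target, root, depth + 1)
        return {k: resolve(v, root, depth) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, root, depth) for v in node]
    return node

def audit_spec(spec):
    """Return (finding, operation, detail) tuples after resolving all $refs."""
    root = resolve(spec, spec)
    schemes = set(root.get("components", {}).get("securitySchemes", {}))
    findings = []
    for path, item in root.get("paths", {}).items():
        for method in (m for m in HTTP_METHODS if m in item):
            op, label = item[method], f"{method.upper()} {path}"
            # operation-level security overrides the document-level default
            for requirement in op.get("security", root.get("security", [])):
                for name in requirement:
                    if name not in schemes:
                        findings.append(("undefined-security-scheme", label, name))
            if op.get("deprecated"):
                findings.append(("deprecated-operation", label, op.get("operationId", "")))
    return findings
```

Remote (non-local) references and Swagger 2.0's securityDefinitions are deliberately out of scope here; a real checker would also cross-reference these static findings against runtime behaviour, as the text describes.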
Integration into bug bounty workflows
Results are surfaced through a web dashboard with trend tracking and downloadable compliance PDFs, enabling quick aggregation across programs. The CLI allows on-demand scanning via middlebrick scan <url>, producing JSON or text output for scripting. A GitHub Action can gate CI/CD based on score thresholds, while the MCP Server enables scanning from AI coding assistants. Continuous monitoring options provide scheduled rescans and diff detection to highlight new or resolved findings over time.
Limitations and realistic expectations
middleBrick does not fix, patch, or block issues; it detects and reports with remediation guidance. It does not perform active SQL injection or command injection testing, which requires intrusive payloads outside its scope. Business logic vulnerabilities are not detected, as they demand domain-specific understanding. Blind SSRF is out of scope due to the lack of out-of-band infrastructure, and the tool does not replace a human pentester for high-stakes audits.
Compliance mapping and data handling
The platform maps findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023), using direct language such as "maps findings to" and "validates controls from". For other frameworks, it "helps you prepare for" and "supports audit evidence" without asserting certification or compliance. Scan data is deletable on demand, purged within 30 days of cancellation, and is neither sold nor used for model training.