42Crunch for CTOs

What middleBrick covers

  • Black-box scanning with no agents or SDK dependencies
  • Risk scoring with prioritized findings for rapid triage
  • OpenAPI 3.0/3.1 and Swagger 2.0 parsing with ref resolution
  • Authenticated scans with header allowlist controls
  • LLM/AI security adversarial probe coverage across tiers
  • Integration options including dashboard, CLI, GitHub Action, and MCP

Overview for technical leadership

This tool is a self-service API security scanner that accepts a URL and returns a risk grade with prioritized findings. It operates as a black-box scanner, requiring no agents, SDKs, or access to source code. A scan completes in under a minute, uses only read-only HTTP methods, and can send text-only probes to large language model endpoints. The output is designed for engineering and security leadership who need a fast, repeatable signal without deep protocol expertise.

Detection scope aligned to industry standards

The scanner evaluates 12 security categories mapped to the OWASP API Top 10 (2023). Findings are also mapped to PCI-DSS 4.0 and SOC 2 Type II controls, so reports can serve as audit evidence for those frameworks. Detection coverage includes:

  • Authentication bypass, JWT misconfigurations such as alg=none and expired tokens, and security header compliance.
  • BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing.
  • BFLA and privilege escalation through admin endpoint probing and role/permission leakage.
  • Property authorization issues including over-exposure and mass-assignment surface.
  • Input validation checks for CORS wildcard usage and dangerous HTTP methods.
  • Rate-limiting posture, inferred from rate-limit response headers and from oversized or unpaginated responses.
  • Data exposure patterns such as email addresses, Luhn-validated card numbers, SSN-like values, and API key formats for AWS, Stripe, GitHub, and Slack.
  • Encryption posture including HTTPS redirects, HSTS, and cookie flags.
  • SSRF indicators involving URL-accepting parameters and internal IP detection.
  • Inventory risks like missing versioning and legacy path patterns.
  • Unsafe consumption surface from excessive third-party URLs and webhook endpoints.
  • LLM/AI security with adversarial probes covering prompt extraction, jailbreaks, data exfiltration, and token smuggling.
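The categories above are mostly built from passive signals in a single response: which headers are absent, how CORS and cookies are configured, what a JWT's header and claims say, and what patterns appear in the body. The following is an added example for this page, not middleBrick's detection code; it runs those checks over a constructed response (headers, body and token are all made up here) and uses illustrative secret-format regexes rather than the scanner's own.

```python
"""Passive, read-only checks over one constructed HTTP response.

Added example for this page, not middleBrick's detection code. The headers,
body and token are constructed; the secret-format regexes are illustrative.
"""
import base64
import json
import re
import time

SAMPLE_HEADERS = {  # constructed; no HSTS, CSP or rate-limit headers at all
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "Set-Cookie": "session=abc123; Path=/",  # no Secure, no HttpOnly
}
SAMPLE_BODY = json.dumps({  # constructed
    "user": {"email": "alice@example.com", "ssn": "123-45-6789"},
    "card": "4111 1111 1111 1111",  # Luhn-valid test number
    "ref": "4111 1111 1111 1112",  # fails Luhn, must not be reported
    "aws_key": "AKIAIOSFODNN7EXAMPLE",  # AWS documentation example key ID
})
REQUIRED_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy",
                    "X-Content-Type-Options")
RATE_LIMIT_HEADERS = ("X-RateLimit-Limit", "RateLimit-Limit", "Retry-After")
PATTERNS = {  # illustrative formats, not the scanner's own
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn-like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, separators allowed

def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}

def missing_security_headers(headers):
    h = _lower(headers)
    return [n for n in REQUIRED_HEADERS if n.lower() not in h]

def cors_findings(headers):
    h, out = _lower(headers), []
    if h.get("access-control-allow-origin") == "*":
        out.append("CORS wildcard origin")
        if h.get("access-control-allow-credentials", "").lower() == "true":
            out.append("CORS wildcard combined with credentials")
    return out

def cookie_findings(headers):
    cookie = _lower(headers).get("set-cookie", "")
    if not cookie:
        return []
    attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
    return [f"cookie missing {f}" for f in ("Secure", "HttpOnly") if f.lower() not in attrs]

def rate_limit_headers_present(headers):
    h = _lower(headers)
    return any(n.lower() in h for n in RATE_LIMIT_HEADERS)

def _b64url_json(segment):
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def make_jwt(header, payload):
    """Unsigned token with an empty signature part, as alg=none tokens are emitted."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}."

def jwt_findings(token, now=None):
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed JWT"]
    header, payload = _b64url_json(parts[0]), _b64url_json(parts[1])
    out = []
    if str(header.get("alg", "")).lower() == "none":
        out.append("JWT uses alg=none")
    if "exp" in payload and payload["exp"] < now:
        out.append("expired JWT still in use")
    return out

def luhn_ok(digits):
    total = 0
    for i, d in enumerate(reversed(digits)):  # double every second digit from the right
        n = int(d) * 2 if i % 2 else int(d)
        total += n - 9 if n > 9 else n
    return total % 10 == 0

def data_exposure(body):
    out = {name: rx.findall(body) for name, rx in PATTERNS.items() if rx.search(body)}
    cards = [re.sub(r"[ -]", "", c) for c in CARD_RE.findall(body) if luhn_ok(re.sub(r"[ -]", "", c))]
    if cards:
        out["card-number"] = cards
    return out

SAMPLE_JWT = make_jwt({"alg": "none", "typ": "JWT"}, {"sub": "alice", "exp": 1_600_000_000})

if __name__ == "__main__":
    print(json.dumps({
        "missing_headers": missing_security_headers(SAMPLE_HEADERS),
        "cors": cors_findings(SAMPLE_HEADERS),
        "cookies": cookie_findings(SAMPLE_HEADERS),
        "rate_limit_headers": rate_limit_headers_present(SAMPLE_HEADERS),
        "jwt": jwt_findings(SAMPLE_JWT),
        "data_exposure": data_exposure(SAMPLE_BODY),
    }, indent=2))
```

The Luhn step is what separates a card-number finding from a false positive on any 16-digit identifier, and the JWT checks only read the token: a real scanner would additionally replay an alg=none token to see whether the server accepts it, which is an active (but still read-only) probe.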

OpenAPI analysis and authenticated scanning

The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents and resolves recursive $ref entries. It cross-references the spec against runtime behavior to surface undefined security schemes, deprecated operations, and missing pagination. For authenticated scans, support is provided for Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through DNS TXT records or an HTTP well-known file to ensure only domain owners can submit credentials. The scanner limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-* headers.

middlebrick scan https://api.example.com --auth-type bearer --token my_token
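Two of the steps above are worth seeing in code: resolving `$ref` entries without looping on a recursive schema, and comparing the resolved spec with what the API actually serves. The following is an added example written for this page, not middleBrick's parser; the spec, the observed runtime results and the pagination parameter names are constructed, and the header allowlist mirrors the rule stated above.

```python
"""Resolve local $ref entries (recursive ones included) in an OpenAPI 3.x
document, cross-check the spec against observed runtime behaviour, and apply
the forwarded-header allowlist.

Added example for this page, not middleBrick's parser. SPEC and OBSERVED are
constructed; the allowlist mirrors the header rules stated above.
"""
import fnmatch

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
PAGINATION_PARAMS = {"page", "limit", "offset", "cursor", "page_size"}  # assumed names
ALLOWED_HEADERS = ("Authorization", "X-API-Key", "Cookie", "X-Custom-*")

SPEC = {  # constructed
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "User": {"type": "object", "properties": {
                "id": {"type": "integer"},
                "manager": {"$ref": "#/components/schemas/User"}}},  # recursive
            "UserList": {"type": "array", "items": {"$ref": "#/components/schemas/User"}},
        },
    },
    "paths": {
        "/users": {"get": {"responses": {"200": {"content": {"application/json": {
            "schema": {"$ref": "#/components/schemas/UserList"}}}}}}},
        "/users/{id}": {"get": {
            "security": [{"bearerAuth": []}],
            "parameters": [{"name": "id", "in": "path", "required": True}],
            "responses": {"200": {"content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/User"}}}}}}},
        "/v1/legacy": {"get": {"deprecated": True, "security": [{"apiKeyAuth": []}],
                               "responses": {"200": {"description": "ok"}}}},
    },
}
OBSERVED = {  # constructed runtime observations: (method, path) -> result
    ("get", "/users"): {"status": 200},
    ("get", "/users/{id}"): {"status": 401},
    ("get", "/v1/legacy"): {"status": 200},
    ("get", "/admin/users"): {"status": 200},  # served but not in the spec
}

def pointer(doc, ref):
    """Follow a local JSON pointer such as '#/paths/~1users/get' (~1 is '/')."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local refs are supported: {ref}")
    node = doc
    for raw in ref[2:].split("/"):
        key = raw.replace("~1", "/").replace("~0", "~")
        node = node[int(key)] if isinstance(node, list) else node[key]
    return node

def resolve_refs(doc):
    """Inline every local $ref. A ref already on the active chain is left as a
    marker so recursive schemas (User.manager -> User) terminate."""
    def walk(node, active):
        if isinstance(node, dict):
            if "$ref" in node:
                ref = node["$ref"]
                if ref in active:
                    return {"$ref": ref, "x-recursive": True}
                return walk(pointer(doc, ref), active + (ref,))
            return {k: walk(v, active) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v, active) for v in node]
        return node
    return walk(doc, ())

def audit(spec, observed):
    """Undefined security schemes, deprecated-but-live operations, array
    responses without pagination parameters, and live paths absent from the spec."""
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    paths = resolve_refs(spec)["paths"]
    findings = []
    for path, item in paths.items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            label = f"{method.upper()} {path}"
            for requirement in op.get("security", []):
                findings += [f"{label}: security scheme '{s}' not defined"
                             for s in requirement if s not in defined]
            if op.get("deprecated") and observed.get((method, path), {}).get("status") == 200:
                findings.append(f"{label}: deprecated in spec but still served (200)")
            schema = (op.get("responses", {}).get("200", {}).get("content", {})
                      .get("application/json", {}).get("schema", {}))
            params = {p.get("name") for p in op.get("parameters", []) + item.get("parameters", [])}
            if schema.get("type") == "array" and not params & PAGINATION_PARAMS:
                findings.append(f"{label}: array response without pagination parameters")
    for method, path in observed:
        if method not in paths.get(path, {}):
            findings.append(f"{method.upper()} {path}: served at runtime but absent from spec")
    return findings

def filter_forwarded_headers(headers):
    """Keep only headers on the allowlist (case-insensitive glob match)."""
    return {n: v for n, v in headers.items()
            if any(fnmatch.fnmatchcase(n.lower(), p.lower()) for p in ALLOWED_HEADERS)}

if __name__ == "__main__":
    print("\n".join(audit(SPEC, OBSERVED)))
    print(filter_forwarded_headers({"Authorization": "Bearer t", "X-Forwarded-For": "1.2.3.4"}))
```

The active-chain check is the part that matters for recursive schemas: naive inlining of `User.manager` never terminates, while tracking the chain of refs being expanded lets the walk stop at the second visit and still produce a fully usable schema above that point.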

Product integrations and operational workflows

The platform provides multiple integration options for engineering workflows. The web dashboard centralizes scan results, enables score trend tracking, and allows export of branded compliance PDFs. The CLI, distributed as an npm package, supports JSON and text output for scripting and automation. A GitHub Action is available to gate CI/CD pipelines when scores fall below defined thresholds. An MCP server enables scanning from AI coding assistants, and a programmable API supports custom integrations. Continuous monitoring in higher tiers delivers scheduled rescans, diff detection, rate-limited email alerts, and HMAC-SHA256 signed webhooks with fail-safes.
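A signed webhook is only as good as the receiver's verification, so the consumer side is the part worth getting right. The following is an added example for this page, not middleBrick's webhook code: the header name `X-Signature`, its `t=<unix>,v1=<hex>` layout and the 300-second replay window are assumptions chosen for illustration (the vendor's documented format may differ), and the secret and payload are constructed.

```python
"""Sign and verify an HMAC-SHA256 webhook delivery with replay protection.

Added example for this page, not middleBrick's webhook code. The header name,
its layout and the tolerance window are assumptions; secret and payload are
constructed.
"""
import hashlib
import hmac
import json
import time

SIGNATURE_HEADER = "X-Signature"  # assumed header name
TOLERANCE_SECONDS = 300           # assumed replay window

SECRET = b"whsec_constructed_example_secret"  # constructed
BODY = json.dumps({  # constructed scan-diff event
    "event": "scan.completed", "target": "https://api.example.com",
    "score": 72, "new_findings": 2,
}, separators=(",", ":")).encode()

def sign(secret, body, timestamp):
    """Sender side: MAC over '<timestamp>.<raw body>' so the timestamp is bound."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"

def verify(secret, body, header_value, now=None):
    """Receiver side. Returns (ok, reason). Verify the raw bytes before parsing them."""
    now = int(time.time()) if now is None else now
    try:
        fields = dict(part.split("=", 1) for part in header_value.split(","))
        ts, provided = int(fields["t"]), fields["v1"]
    except (ValueError, KeyError):
        return False, "malformed signature header"
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False, "timestamp outside tolerance (replay or clock skew)"
    expected = sign(secret, body, ts).split("v1=", 1)[1]
    if not hmac.compare_digest(expected, provided):  # constant-time compare
        return False, "signature mismatch"
    return True, "ok"

class WebhookReceiver:
    """Fail-safe consumer: verify first, then reject duplicates inside the window."""
    def __init__(self, secret):
        self.secret = secret
        self.seen = {}  # signature header -> time first accepted

    def handle(self, headers, body, now=None):
        now = int(time.time()) if now is None else now
        sig = headers.get(SIGNATURE_HEADER, "")
        ok, reason = verify(self.secret, body, sig, now)
        if not ok:
            return None, reason
        self.seen = {s: t for s, t in self.seen.items() if now - t <= TOLERANCE_SECONDS}
        if sig in self.seen:
            return None, "duplicate delivery"
        self.seen[sig] = now
        return json.loads(body), "accepted"

if __name__ == "__main__":
    headers = {SIGNATURE_HEADER: sign(SECRET, BODY, int(time.time()))}
    receiver = WebhookReceiver(SECRET)
    print(receiver.handle(headers, BODY))         # (event dict, 'accepted')
    print(receiver.handle(headers, BODY))         # (None, 'duplicate delivery')
    print(receiver.handle(headers, BODY + b" "))  # (None, 'signature mismatch')
```

Binding the timestamp into the MAC is what makes the tolerance check meaningful; a signature over the body alone would verify forever, and an attacker who captured one delivery could replay it indefinitely.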

Limitations and safety posture

The scanner does not perform remediation, patch code, or block traffic. It does not execute active SQL injection or command injection tests, as those fall outside its read-only scope. Business logic vulnerabilities require domain expertise and are not detectable by automated scans. Blind SSRF and certain advanced infrastructure weaknesses are out of scope because they rely on out-of-band channels. The tool is not intended to replace human pentesters for high-stakes assessments. Safety controls block private IPs, localhost, and cloud metadata endpoints at multiple layers. Data retention is limited; customer scan data can be deleted on demand and is purged within 30 days of cancellation.
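Blocking private IPs, localhost and cloud metadata endpoints is the control that stops a scanner from being turned into an SSRF proxy against its own operator. The following is an added example for this page, not middleBrick's own guard, showing how such a target check is layered: a scheme and hostname check first, a literal-IP check that never touches DNS, and a check of every resolved address. `FAKE_DNS` is a constructed stand-in for the resolver so the example runs offline; the blocked-hostname list and the public address `93.184.216.34` are assumptions for illustration.

```python
"""Target validation for a scanner that must never reach private networks,
localhost or cloud metadata services.

Added example for this page, not middleBrick's own guard. FAKE_DNS stands in
for the resolver so the example runs offline; production code uses the real
resolver (the default) and connects only to the IPs this check returned, so a
DNS answer cannot change between check and connect.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal", "metadata",  # assumed list
                     "instance-data", "169.254.169.254", "fd00:ec2::254"}

FAKE_DNS = {  # constructed resolver answers
    "api.example.com": ["93.184.216.34"],              # public
    "internal-db": ["10.0.0.12"],                      # RFC 1918
    "rebind.example": ["93.184.216.34", "127.0.0.1"],  # one public, one loopback
}

def system_resolve(host):
    """Default resolver: every address getaddrinfo returns, deduplicated."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []

def is_blocked_ip(ip):
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 -> 127.0.0.1
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def check_target(url, resolve=system_resolve):
    """Return (allowed, reason, ips). Callers connect only to the returned ips."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme}", []
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "no host in URL", []
    if host in BLOCKED_HOSTNAMES or host.endswith(".localhost"):
        return False, f"blocked hostname: {host}", []
    try:
        ips = [str(ipaddress.ip_address(host))]  # literal IP: no DNS involved
    except ValueError:
        ips = resolve(host)
    if not ips:
        return False, f"unresolvable host: {host}", []
    for ip in ips:  # every answer must be public, not just the first
        if is_blocked_ip(ip):
            return False, f"{host} resolves to blocked address {ip}", []
    return True, "ok", ips

if __name__ == "__main__":
    fake = lambda h: FAKE_DNS.get(h, [])
    for url in ("https://api.example.com/v1/users", "http://169.254.169.254/latest/meta-data/",
                "http://[::1]:8080/", "http://internal-db:5432/", "http://rebind.example/",
                "file:///etc/passwd"):
        print(url, "->", check_target(url, fake))
```

Two points the code makes explicit: rejecting a host because one of several resolved addresses is private (the `rebind.example` case) closes the gap a split-horizon or rebinding DNS answer would otherwise open, and returning the vetted addresses lets the HTTP client pin them rather than resolving again. Each redirect hop needs the same check before it is followed.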

Frequently Asked Questions

How does the scanner verify domain ownership for authenticated scans?
It requires a DNS TXT record or an HTTP well-known file that only the domain owner can control before credentials are accepted.
Can the tool map findings to compliance frameworks?
Yes. Findings are mapped to the OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II controls, and reports can be used as audit evidence for those frameworks.
What happens if a scan detects a new finding in a monitored API?
The system can generate email alerts at a rate-limited frequency and show changes when using continuous monitoring tiers.
Does the scanner test destructive payloads like SQL injection?
No. It uses read-only HTTP methods only and does not send injection or other destructive payloads.
How are scan results delivered and integrated into existing workflows?
Results are available in the web dashboard, CLI output, and through webhooks or an API for integration with ticketing and CI/CD systems.