42Crunch for DevSecOps-owned API security
What middleBrick covers
- Black-box API scanning with risk score A–F
- Detection aligned to OWASP API Top 10 (2023)
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
- Authenticated scanning with domain verification
- CI/CD integration via GitHub Action and CLI
- Continuous monitoring with diff detection and alerts
Purpose and scope of scanning
middleBrick is a self-service API security scanner built for DevSecOps-owned workflows. Submit a URL and receive a risk score from A to F together with prioritized findings. Scanning is black-box only: no agents, no source access, and no SDK integration, so it works against any language, framework, or hosting target, and most scans complete in under a minute. Requests are limited to read-only methods (GET and HEAD) plus text-only POST bodies for the LLM probes, so the scan is non-destructive by design.
Detection coverage aligned to recognized standards
The scanner covers 12 categories aligned to the OWASP API Top 10 (2023). It detects authentication bypasses, JWT misconfigurations such as alg=none and expired tokens, and missing or weak security headers. It identifies BOLA/IDOR by enumerating sequential IDs and actively requesting adjacent IDs with the supplied credential, and BFLA by probing admin endpoints and looking for role leakage. Further checks cover property over-exposure, input validation issues such as dangerous HTTP methods being enabled, CORS wildcard misconfigurations, missing rate-limit headers, and sensitive data exposure (PII patterns, API key formats, and error leakage). Encryption checks verify HTTPS redirects, HSTS, and cookie flags. The tool also probes for SSRF indicators and inventory issues such as missing versioning. LLM security coverage consists of 18 adversarial probes spread across the Quick, Standard, and Deep scan tiers. Because adjacent-ID probing reads records the test identity may not own, run authenticated scans only against APIs you are authorized to test. Findings map directly to OWASP API Top 10 (2023) categories and can serve as evidence for controls described in PCI DSS 4.0 and SOC 2 Type II reports.
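As an added illustration, not middleBrick's own code, the following Node.js script reproduces three of the checks above in isolation: JWT header and expiry inspection (alg=none, exp), passive response-header checks (HSTS, CORS wildcard, rate-limit headers, cookie flags), and an adjacent-ID BOLA probe run against a constructed in-memory API in both a vulnerable and a hardened form. The finding names, the sample response, the sample token, and the injected fetch function are assumptions made for the example.

```javascript
// Added example, not middleBrick's code. Finding names, the sample response and
// the in-memory target are constructed for illustration.

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const fromB64url = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Build an unsigned token so the example needs no key material (constructed input).
function makeJwt(header, claims, signature = '') {
  return `${b64url(header)}.${b64url(claims)}.${signature}`;
}

// Decode without verifying: we only inspect what a server that accepts this
// token would be trusting.
function inspectJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return ['JWT_MALFORMED'];
  let header, claims;
  try { header = fromB64url(parts[0]); claims = fromB64url(parts[1]); }
  catch { return ['JWT_MALFORMED']; }
  const findings = [];
  if (String(header.alg).toLowerCase() === 'none') findings.push('JWT_ALG_NONE');
  if (typeof claims.exp !== 'number') findings.push('JWT_NO_EXP');
  else if (claims.exp < now) findings.push('JWT_EXPIRED');
  return findings;
}

// Passive checks over one response. Set-Cookie may be an array because a
// response can set several cookies.
function checkResponse(url, headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];
  if (url.startsWith('https://') && !('strict-transport-security' in h)) findings.push('MISSING_HSTS');
  if (h['access-control-allow-origin'] === '*') {
    const creds = String(h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
    findings.push(creds ? 'CORS_WILDCARD_WITH_CREDENTIALS' : 'CORS_WILDCARD');
  }
  if (!['ratelimit-limit', 'x-ratelimit-limit', 'x-rate-limit-limit'].some((k) => k in h)) {
    findings.push('NO_RATE_LIMIT_HEADERS');
  }
  for (const cookie of [].concat(h['set-cookie'] || [])) {
    // attributes follow the name=value pair; compare them case-insensitively
    const attrs = cookie.split(';').slice(1).map((a) => a.trim().toLowerCase());
    if (!attrs.includes('secure')) findings.push('COOKIE_MISSING_SECURE');
    if (!attrs.includes('httponly')) findings.push('COOKIE_MISSING_HTTPONLY');
  }
  return findings;
}

// Adjacent-ID probe. fetchFn(path, subject) is injected so this runs offline; a
// real scanner sends the authenticated HTTP request here. A 200 for a
// neighbouring object the caller does not own is the BOLA indicator.
function probeAdjacentIds(fetchFn, pathFor, ownId, subject) {
  const findings = [];
  for (const id of [ownId - 1, ownId + 1]) {
    const res = fetchFn(pathFor(id), subject);
    if (res.status === 200 && res.body && res.body.owner !== subject) {
      findings.push({ issue: 'BOLA_ADJACENT_ID', path: pathFor(id), owner: res.body.owner });
    }
  }
  return findings;
}

// Constructed in-memory target with sequential IDs, one record per user.
const RECORDS = { 41: { id: 41, owner: 'bob' }, 42: { id: 42, owner: 'alice' }, 43: { id: 43, owner: 'carol' } };
const userPath = (id) => `/v1/users/${id}`;
// Vulnerable: returns any existing record no matter who asks.
const vulnerableFetch = (path) => {
  const rec = RECORDS[Number(path.split('/').pop())];
  return rec ? { status: 200, body: rec } : { status: 404 };
};
// Hardened: same lookup plus an ownership check.
const hardenedFetch = (path, subject) => {
  const res = vulnerableFetch(path);
  return res.status === 200 && res.body.owner !== subject ? { status: 403 } : res;
};

// Constructed response: HTTPS without HSTS, wildcard CORS with credentials, cookie without Secure.
const SAMPLE_RESPONSE = {
  url: 'https://api.example.test/v1/users/42',
  headers: {
    'Content-Type': 'application/json',
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Credentials': 'true',
    'Set-Cookie': ['session=abc123; Path=/; HttpOnly'],
  },
};

function runSample() {
  const token = makeJwt({ alg: 'none', typ: 'JWT' }, { sub: 'alice', exp: 1700000000 });
  return {
    jwt: inspectJwt(token, 1800000000), // clock pinned so the result is deterministic
    response: checkResponse(SAMPLE_RESPONSE.url, SAMPLE_RESPONSE.headers),
    vulnerable: probeAdjacentIds(vulnerableFetch, userPath, 42, 'alice'),
    hardened: probeAdjacentIds(hardenedFetch, userPath, 42, 'alice'),
  };
}

console.log(JSON.stringify(runSample(), null, 2));
```

The probe is deliberately asymmetric: it only ever reads, but it reads objects that belong to other identities, which is exactly why the product gates credentialed scans behind domain verification. Swap `vulnerableFetch` for `hardenedFetch` and the same probe returns nothing, because the ownership check turns the neighbouring reads into 403s.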
OpenAPI analysis and authenticated scanning
The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents, resolving $ref pointers recursively, and compares the specification with observed runtime behavior. This surfaces operations with undefined security schemes, sensitive fields, deprecated operations, and missing pagination. Authenticated scanning is available from the Starter tier upward and accepts Bearer, API key, Basic auth, and Cookie credentials. Domain verification, via a DNS TXT record or an HTTP well-known file, is required first, so only the domain owner can scan with credentials. A strict allowlist limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-*; any other header supplied with the scan is not forwarded.
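The resolver and spec cross-check below are an added example, not middleBrick's parser. It resolves local $ref pointers with a cycle guard, flags operations whose security requirements name a scheme that components.securitySchemes never defines (or that carry no requirement at all), marks deprecated operations, and applies a forwarded-header allowlist of the kind described. The sample spec, the finding names, and the header set are constructed for illustration.

```javascript
// Added example, not middleBrick's code. The sample spec and finding names are
// constructed; only local (same-document) $ref pointers are handled.

// Resolve a local JSON Pointer such as '#/components/schemas/User'.
function resolvePointer(doc, ref) {
  if (!ref.startsWith('#/')) throw new Error(`only local $ref supported: ${ref}`);
  return ref.slice(2).split('/')
    .map((p) => p.replace(/~1/g, '/').replace(/~0/g, '~')) // JSON Pointer unescaping
    .reduce((node, key) => {
      if (node === null || typeof node !== 'object' || !(key in node)) throw new Error(`unresolved $ref: ${ref}`);
      return node[key];
    }, doc);
}

// Recursively inline $ref targets. `seen` holds the refs on the current path, so a
// self-referential schema (User.manager -> User) stops instead of recursing forever.
function deref(doc, node, seen = new Set()) {
  if (Array.isArray(node)) return node.map((n) => deref(doc, n, seen));
  if (node === null || typeof node !== 'object') return node;
  if (typeof node.$ref === 'string') {
    if (seen.has(node.$ref)) return { circular: node.$ref };
    return deref(doc, resolvePointer(doc, node.$ref), new Set([...seen, node.$ref]));
  }
  return Object.fromEntries(Object.entries(node).map(([k, v]) => [k, deref(doc, v, seen)]));
}

const HTTP_METHODS = ['get', 'put', 'post', 'delete', 'options', 'head', 'patch', 'trace'];

// Cross-check every operation's security requirements against the defined schemes.
function auditSecuritySchemes(doc) {
  const defined = new Set(Object.keys((doc.components && doc.components.securitySchemes) || {}));
  const globalSecurity = doc.security || [];
  const findings = [];
  for (const [path, item] of Object.entries(doc.paths || {})) {
    for (const [method, op] of Object.entries(item)) {
      if (!HTTP_METHODS.includes(method)) continue; // skip parameters, summary, etc.
      // operation-level security overrides the document default; [] means public
      const requirements = op.security !== undefined ? op.security : globalSecurity;
      if (requirements.length === 0) findings.push({ path, method, issue: 'UNAUTHENTICATED_OPERATION' });
      for (const req of requirements) {
        for (const scheme of Object.keys(req)) {
          if (!defined.has(scheme)) findings.push({ path, method, issue: 'UNDEFINED_SECURITY_SCHEME', scheme });
        }
      }
      if (op.deprecated === true) findings.push({ path, method, issue: 'DEPRECATED_OPERATION' });
    }
  }
  return findings;
}

// Forwarded-header allowlist for authenticated scans: exact names plus the X-Custom-* prefix.
const FORWARDABLE = new Set(['authorization', 'x-api-key', 'cookie']);
function filterForwardedHeaders(headers) {
  return Object.fromEntries(Object.entries(headers).filter(([name]) => {
    const n = name.toLowerCase();
    return FORWARDABLE.has(n) || n.startsWith('x-custom-');
  }));
}

// Constructed sample: one defined scheme, a recursive schema, one operation that
// references an undefined scheme and is deprecated, one with no security at all.
const SAMPLE_SPEC = {
  openapi: '3.0.3',
  components: {
    securitySchemes: { bearerAuth: { type: 'http', scheme: 'bearer' } },
    schemas: {
      User: { type: 'object', properties: { id: { type: 'integer' }, manager: { $ref: '#/components/schemas/User' } } },
    },
  },
  paths: {
    '/users/{id}': {
      get: { security: [{ bearerAuth: [] }], responses: { 200: { content: { 'application/json': { schema: { $ref: '#/components/schemas/User' } } } } } },
      delete: { deprecated: true, security: [{ adminKey: [] }], responses: { 204: { description: 'deleted' } } },
    },
    '/users': { post: { responses: { 201: { description: 'created' } } } },
  },
};

function runSample() {
  return {
    user: deref(SAMPLE_SPEC, { $ref: '#/components/schemas/User' }),
    findings: auditSecuritySchemes(SAMPLE_SPEC),
    forwarded: filterForwardedHeaders({ Authorization: 'Bearer t', 'X-Custom-Tenant': 'acme', Host: 'attacker.example', 'X-Forwarded-For': '10.0.0.1' }),
  };
}

console.log(JSON.stringify(runSample(), null, 2));
```

The cycle guard matters more than it looks: a recursive schema is ordinary in real specs, and a resolver without one will hang on the first such document. The allowlist is applied by header name only, so a scan request cannot smuggle Host or X-Forwarded-For through to the target.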
Product integrations and monitoring options
The Web Dashboard centralizes scans, reports, and score trend tracking, and produces branded compliance PDFs. The CLI, distributed as an npm package, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action gates CI/CD by failing the build when the score drops below a chosen threshold. An MCP Server lets AI coding assistants such as Claude and Cursor start scans. For ongoing monitoring, the Pro tier adds scheduled rescans (every 6 hours, daily, weekly, or monthly), diff detection between scans, email alerts rate-limited to one per hour per API, and webhooks signed with HMAC-SHA256 that are disabled automatically after five consecutive delivery failures; verify the signature on the receiving end before acting on a payload. Enterprise tiers add unlimited APIs, custom rules, SSO, audit logs, SLAs, and dedicated support.
Limitations and responsible usage
The tool does not fix, patch, block, or remediate findings; it detects, reports, and attaches remediation guidance. It does not run active SQL injection or command injection tests, since those require intrusive payloads outside its read-only scope. Business logic vulnerabilities are not detected, as they demand domain-specific human analysis. Blind SSRF is out of scope because the scanner has no out-of-band callback infrastructure, and it is not a replacement for a human pentester in high-stakes audits. Treat it as one component of a layered security program.