42Crunch for Echo
What middleBrick covers
- Black-box API scanning with scan times under one minute
- Non-destructive requests only: GET and HEAD, plus POST with text-only bodies
- Surfaces findings mapped to PCI DSS 4.0 and SOC 2 Type II requirements
- Maps findings to OWASP API Top 10 (2023)
- Authenticated scans with Bearer, API key, Basic, and Cookie
- LLM adversarial probes across Quick, Standard, and Deep tiers
Echo framework integration approach
middleBrick is a black-box scanner: it needs no code access or SDK, so it works against any Echo service regardless of how the handlers are implemented. You submit the public endpoint URL and receive a risk score with prioritized findings within a minute. Because the scanner issues only non-destructive requests, it can run against a deployed service as-is, subject to whatever Echo's defaults and your auth middleware enforce, and it maps findings to OWASP API Top 10 (2023) so you can check the controls relevant to your API surface.
Authentication and authorization testing
Echo applications often rely on JWTs, cookies, or custom headers for authentication. middleBrick checks for JWT weaknesses such as alg=none tokens being honoured, HS256 signatures made with guessable or poorly managed shared secrets, acceptance of expired tokens, missing standard claims, and sensitive data carried in claims. It also inspects security headers and WWW-Authenticate responses to identify authentication bypass paths. For authenticated scans, Bearer tokens, API keys, Basic auth, and cookies are supported once the domain owner completes a DNS TXT or HTTP well-known verification gate that confirms ownership.
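The token checks listed above, as an added example in Go using only the standard library (this is not middleBrick's code and does not show how its probes are implemented). The inspector parses a compact JWS without trusting it, flags alg=none, tries a constructed wordlist of guessable HS256 secrets, checks for missing or expired standard claims, and looks for secret-like or PII-shaped claims. The wordlist, the claim names treated as sensitive, and the two token builders used as fixtures are assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Finding is one issue raised against a token.
type Finding struct {
	Check  string // short identifier, e.g. "alg-none"
	Detail string // what was observed
}

// Constructed wordlist (assumption): secrets that ship in tutorials and never
// get rotated. A signature that verifies under one of these is the concrete
// form of "HS256 without proper key management".
var guessableSecrets = []string{"secret", "password", "changeme", "jwt-secret", "123456"}

// Claim names that should not travel inside a bearer token at all (assumption).
var sensitiveClaimNames = []string{"password", "ssn", "credit_card", "secret"}

var ssnPattern = regexp.MustCompile(`^\d{3}-\d{2}-\d{4}$`)

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func encodeJSON(v any) string {
	b, _ := json.Marshal(v) // maps of strings and numbers always marshal
	return b64url(b)
}

func hs256(signingInput string, secret []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return b64url(mac.Sum(nil))
}

// MakeHS256Token builds a token signed with secret (fixture for the checks).
func MakeHS256Token(claims map[string]any, secret []byte) string {
	signingInput := encodeJSON(map[string]string{"alg": "HS256", "typ": "JWT"}) + "." + encodeJSON(claims)
	return signingInput + "." + hs256(signingInput, secret)
}

// MakeUnsignedToken builds an alg=none token with an empty signature segment.
func MakeUnsignedToken(claims map[string]any) string {
	return encodeJSON(map[string]string{"alg": "none", "typ": "JWT"}) + "." + encodeJSON(claims) + "."
}

func decodeSegment(seg string, out any) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, out)
}

// InspectJWT parses a compact JWS without trusting it and returns findings.
// now is injected so the expiry check is deterministic.
func InspectJWT(token string, now time.Time) ([]Finding, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS: expected header.payload.signature")
	}
	var header, claims map[string]any
	if err := decodeSegment(parts[0], &header); err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	if err := decodeSegment(parts[1], &claims); err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	var findings []Finding
	alg, _ := header["alg"].(string)
	switch strings.ToLower(alg) {
	case "", "none":
		findings = append(findings, Finding{"alg-none", "unsigned token; a verifier that honours the header accepts forged claims"})
	case "hs256":
		signingInput := parts[0] + "." + parts[1]
		for _, s := range guessableSecrets {
			if hmac.Equal([]byte(hs256(signingInput, []byte(s))), []byte(parts[2])) {
				findings = append(findings, Finding{"weak-hs256-secret", fmt.Sprintf("signature verifies under guessable secret %q", s)})
				break
			}
		}
	}
	for _, name := range []string{"exp", "iat", "sub"} {
		if _, ok := claims[name]; !ok {
			findings = append(findings, Finding{"missing-claim", "claim " + name + " is absent"})
		}
	}
	if exp, ok := claims["exp"].(float64); ok && time.Unix(int64(exp), 0).Before(now) {
		findings = append(findings, Finding{"expired", "exp is in the past; confirm the service rejects the token"})
	}
	for name, value := range claims {
		for _, s := range sensitiveClaimNames {
			if strings.Contains(strings.ToLower(name), s) {
				findings = append(findings, Finding{"sensitive-claim", "claim " + name + " looks like a secret or PII"})
				break
			}
		}
		if str, ok := value.(string); ok && ssnPattern.MatchString(str) {
			findings = append(findings, Finding{"sensitive-claim", "claim " + name + " carries an SSN-shaped value"})
		}
	}
	return findings, nil
}

// HasFinding reports whether the named check fired.
func HasFinding(findings []Finding, check string) bool {
	for _, f := range findings {
		if f.Check == check {
			return true
		}
	}
	return false
}

func main() {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	claims := map[string]any{"sub": "42", "iat": now.Unix(), "exp": now.Add(time.Hour).Unix(), "ssn": "123-45-6789"}
	for _, tok := range []string{MakeHS256Token(claims, []byte("secret")), MakeUnsignedToken(claims)} {
		findings, _ := InspectJWT(tok, now)
		for _, f := range findings {
			fmt.Printf("%-18s %s\n", f.Check, f.Detail)
		}
	}
}
```

The secret guessing is what a black-box scanner can actually do with HS256: it cannot see your key, but it can test whether the signature verifies under secrets that are commonly copied from examples. On the Echo side the fix is to give the JWT middleware a key that is long, random, and loaded from a secret store, and to reject any token whose alg differs from the one you configured.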
Security coverage aligned to frameworks
The scanner surfaces findings that map to PCI DSS 4.0 and SOC 2 Type II requirements around access control, data exposure, and encryption. Findings are mapped to OWASP API Top 10 (2023), which helps you assemble audit evidence for controls such as input validation, rate limiting, and secure transport. Detection covers BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing, BFLA and privilege escalation via admin endpoint probing, and sensitive data exposure including PII patterns and leaked API keys. It also flags insecure defaults such as wildcard CORS rules, dangerous HTTP methods left enabled, and missing API versioning patterns.
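Adjacent-ID probing against a BOLA/IDOR-shaped endpoint, as an added example in Go using net/http and httptest from the standard library rather than Echo, so it runs with no dependencies (this is not middleBrick's code, and the store, the `/orders/{id}` route, and the `X-User` header standing in for auth middleware are assumptions). The vulnerable handler returns any order by ID; the hardened one adds the object-level owner check and answers 404 rather than 403 so a probe cannot confirm that a neighbouring ID exists.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// Order is a constructed record; Owner is the only user allowed to read it.
type Order struct {
	Owner string `json:"owner"`
	Total string `json:"total"`
}

// Constructed store with sequential IDs, the pattern adjacent-ID probing targets.
var orders = map[int]Order{
	1001: {"alice", "19.99"},
	1002: {"bob", "250.00"},
	1003: {"alice", "5.00"},
}

// currentUser stands in for the auth middleware (assumption). Trusting a plain
// header is only acceptable because requests here never leave the process.
func currentUser(r *http.Request) string { return r.Header.Get("X-User") }

func orderIDFromPath(r *http.Request) (int, error) {
	return strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/orders/"))
}

// VulnerableOrderHandler is the BOLA/IDOR shape: any authenticated caller can
// read any order simply by guessing its ID.
func VulnerableOrderHandler(w http.ResponseWriter, r *http.Request) {
	id, err := orderIDFromPath(r)
	o, found := orders[id]
	if err != nil || !found {
		http.NotFound(w, r)
		return
	}
	json.NewEncoder(w).Encode(o)
}

// HardenedOrderHandler adds the object-level authorization check. Missing and
// foreign IDs get the same 404, so enumeration learns nothing.
func HardenedOrderHandler(w http.ResponseWriter, r *http.Request) {
	id, err := orderIDFromPath(r)
	o, found := orders[id]
	if err != nil || !found || o.Owner != currentUser(r) {
		http.NotFound(w, r)
		return
	}
	json.NewEncoder(w).Encode(o)
}

// statusFor sends one authenticated GET straight to the handler (no socket).
func statusFor(h http.Handler, asUser string, id int) int {
	req := httptest.NewRequest(http.MethodGet, fmt.Sprintf("/orders/%d", id), nil)
	req.Header.Set("X-User", asUser)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// ProbeResult is what the adjacent-ID probe observed for one handler.
type ProbeResult struct {
	OwnStatus int   // the caller's own order; must stay 200 after hardening
	Leaked    []int // neighbouring IDs served to a user who does not own them
}

// ProbeAdjacentIDs reproduces the technique: authenticate as one user, fetch
// that user's known ID as a baseline, then try ID-1 and ID+1. A production
// scanner would also diff bodies so a site that answers 200 to everything
// is not reported as leaking.
func ProbeAdjacentIDs(h http.HandlerFunc, asUser string, knownID int) ProbeResult {
	res := ProbeResult{OwnStatus: statusFor(h, asUser, knownID)}
	for _, id := range []int{knownID - 1, knownID + 1} {
		if statusFor(h, asUser, id) == http.StatusOK {
			res.Leaked = append(res.Leaked, id)
		}
	}
	return res
}

func main() {
	fmt.Printf("vulnerable: %+v\n", ProbeAdjacentIDs(VulnerableOrderHandler, "bob", 1002))
	fmt.Printf("hardened:   %+v\n", ProbeAdjacentIDs(HardenedOrderHandler, "bob", 1002))
}
```

In an Echo application the same check belongs in the handler or in a small middleware that compares the authenticated subject against the record's owner before the record is serialized; routing and JWT validation alone do not establish object-level authorization, which is why this class is the first item in the OWASP API Top 10.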
LLM and AI security probing
middleBrick includes an LLM security profile that runs 18 adversarial probes across three scan tiers: Quick, Standard, and Deep. Probe categories include system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration attempts, cost exploitation, encoding bypasses such as base64 and ROT13, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool abuse, nested instruction injection, and PII extraction. This surfaces findings on AI-assisted attack surfaces; it complements rather than replaces human review.
Operational considerations and limitations
middleBrick is a read-only scanner that never sends destructive payloads, and it refuses to scan private IP ranges, localhost, and cloud metadata endpoints, enforcing that restriction at multiple layers, which is the standard guard against a hosted scanner being pointed at internal targets. You can integrate it via the CLI, GitHub Action, MCP Server, or API client, and use the Web Dashboard to track score trends and download compliance reports. The product does not fix, patch, block, or remediate issues, and it does not perform active SQL injection or command injection testing. Business logic vulnerabilities and blind SSRF require human expertise and are out of scope, and the tool does not replace a human pentester for high-stakes audits.
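What a target guard of the kind described above looks like, as an added example in Go using only the standard library (this is not middleBrick's code and does not show which layers or ranges its own guard uses). The check rejects non-http(s) schemes, blocks localhost and metadata hostnames by name before any lookup, and then checks every resolved address, including IPv4-mapped IPv6 forms, against loopback, RFC 1918, CGNAT, link-local (which covers 169.254.169.254) and the IPv6 equivalents. The resolver is injected so the example runs offline; the blocked hostname list and the constructed DNS table are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Resolver maps a hostname to its addresses. It is injected so the check can
// be exercised offline with a constructed table.
type Resolver func(host string) ([]net.IP, error)

// Address ranges a scanner must never be pointed at: loopback, RFC 1918,
// CGNAT, link-local (which includes the 169.254.169.254 metadata service),
// unspecified, and the IPv6 loopback, unique-local and link-local ranges.
var blockedNets = mustCIDRs(
	"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"100.64.0.0/10", "169.254.0.0/16", "0.0.0.0/8",
	"::1/128", "fc00::/7", "fe80::/10", "::/128",
)

// Hostnames blocked before any DNS lookup happens (assumption for the example).
var blockedHosts = map[string]bool{"localhost": true, "metadata": true, "metadata.google.internal": true}

func mustCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// IsBlockedIP reports whether ip falls in a blocked range. IPNet.Contains
// normalises IPv4-mapped IPv6 addresses, so ::ffff:10.0.0.1 is caught too.
func IsBlockedIP(ip net.IP) bool {
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// CheckScanTarget returns nil only if raw is an http(s) URL whose host is
// neither a blocked name nor resolves to any blocked address. Every resolved
// address is checked, not just the first, so a name that mixes a public and a
// private record does not slip through.
func CheckScanTarget(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q is not allowed", u.Scheme)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return errors.New("target has no host")
	}
	if blockedHosts[host] || strings.HasSuffix(host, ".localhost") {
		return fmt.Errorf("host %q is blocked by name", host)
	}
	ips := []net.IP{}
	if ip := net.ParseIP(host); ip != nil {
		ips = append(ips, ip)
	} else if ips, err = resolve(host); err != nil {
		return fmt.Errorf("resolving %q: %w", host, err)
	}
	if len(ips) == 0 {
		return fmt.Errorf("host %q has no addresses", host)
	}
	for _, ip := range ips {
		if IsBlockedIP(ip) {
			return fmt.Errorf("host %q maps to blocked address %s", host, ip)
		}
	}
	return nil
}

// ExampleResolver is a constructed DNS table standing in for a real lookup.
// rebind.example.com models a name that mixes public and private records.
func ExampleResolver(host string) ([]net.IP, error) {
	table := map[string][]net.IP{
		"api.example.com":    {net.ParseIP("203.0.113.10")},
		"rebind.example.com": {net.ParseIP("203.0.113.10"), net.ParseIP("10.0.0.5")},
	}
	if ips, ok := table[host]; ok {
		return ips, nil
	}
	return nil, errors.New("no such host")
}

func main() {
	for _, target := range []string{
		"https://api.example.com/v1/users",
		"http://169.254.169.254/latest/meta-data/",
		"http://[::ffff:10.0.0.1]/",
		"http://rebind.example.com/",
	} {
		fmt.Printf("%-45s %v\n", target, CheckScanTarget(target, ExampleResolver))
	}
}
```

Checking the URL once at submission is necessary but not sufficient: a name can resolve to a public address at check time and a private one when the connection is made (DNS rebinding), and a target can redirect to an internal address. That is why such a guard is enforced at multiple layers, with the same IP check repeated in the HTTP client's dialer and on every redirect hop.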