42Crunch for Express
Express security posture assessment
middleBrick maps findings to OWASP API Top 10 and aligns with security controls described in PCI-DSS 4.0 and SOC 2 Type II. The scanner analyzes runtime behavior of Express routes without requiring access to source code or build artifacts. Black-box probing reveals how default middleware stacks handle authentication, parameter parsing, and error serialization.
Express applications often rely on per-route handlers and global middleware, which can lead to inconsistent validation and authorization. The scanner tests for authentication bypass, IDOR via sequential ID patterns, and over-exposed object properties. It also checks for dangerous HTTP methods, CORS wildcard usage, and debug endpoints that may be left enabled in development builds.
Authentication and authorization checks
For authenticated scans, the tool validates Bearer, API key, Basic auth, and Cookie handling in Express routes. It verifies that security headers are present and that WWW-Authenticate compliance is maintained. Improper JWT configurations such as alg=none, weak HS256 keys, expired tokens, missing claims, or sensitive data in payloads are surfaced as findings.
Express apps using role or permission fields in requests are tested for BFLA and privilege escalation by probing admin endpoints and inspecting response headers. Domain verification is enforced before authenticated scans, ensuring only the domain owner can submit credentials. The header allowlist is restricted to Authorization, X-API-Key, Cookie, and X-Custom-* headers.
Input validation and infrastructure exposure
The scanner evaluates input validation practices common in Express routes, including CORS wildcard configurations with and without credentials, dangerous methods like PUT or DELETE when not intended, and exposed debug or health endpoints. These checks align with OWASP API Top 10 categories related to injection and unsafe consumption surfaces.
Server fingerprinting and missing versioning are also detected, which helps identify legacy path patterns that enlarge the attack surface. The tool also flags public exposure of internal field names and over-permissive property assignment that can lead to mass-assignment risks in JavaScript objects.
Data exposure and transport security
Data exposure findings include PII patterns such as email addresses, Luhn-validated card numbers, context-aware SSN formats, and API key structures resembling AWS, Stripe, GitHub, or Slack tokens. The scanner also detects error and stack-trace leakage that may aid further reconnaissance.
Transport security checks verify HTTPS redirects, HSTS headers, and secure cookie flags. Mixed content issues are highlighted where applicable. These findings help teams align with compliance evidence requirements without claiming certification.
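The CORS, fingerprinting and transport-security findings described in the two sections above can be reproduced with a small header-level check. The following is an added example, not middleBrick's own code; the function name assessResponseHeaders and the two header sets are constructed for illustration, shaped like the header objects Node's http module exposes (lower-case names, set-cookie as an array).

```javascript
// Added example (not middleBrick's code): flag the CORS, fingerprint and
// transport findings named above from a response-header object.
// Input shape assumed: lower-case header names, 'set-cookie' as an array.
function assessResponseHeaders(headers) {
  const findings = [];
  const acao = headers['access-control-allow-origin'];
  const acac = headers['access-control-allow-credentials'];
  if (acao === '*') {
    // Wildcard origin; combined with credentials it points at a
    // misconfigured cors() setup even though browsers reject the pair.
    findings.push(acac === 'true' ? 'cors-wildcard-with-credentials' : 'cors-wildcard');
  }
  if (!('strict-transport-security' in headers)) {
    findings.push('missing-hsts');
  }
  // Express adds X-Powered-By: Express unless app.disable('x-powered-by') is set.
  if (headers['x-powered-by'] || headers['server']) {
    findings.push('server-fingerprint');
  }
  for (const cookie of headers['set-cookie'] || []) {
    const name = cookie.split('=')[0].trim();
    const attrs = cookie.split(';').slice(1).map((a) => a.trim().toLowerCase());
    if (!attrs.includes('secure')) findings.push(`cookie-missing-secure:${name}`);
    if (!attrs.includes('httponly')) findings.push(`cookie-missing-httponly:${name}`);
  }
  return findings;
}

// Constructed sample: a default Express app with permissive cors() and a bare session cookie.
const weakHeaders = {
  'x-powered-by': 'Express',
  'access-control-allow-origin': '*',
  'access-control-allow-credentials': 'true',
  'set-cookie': ['sid=abc123; Path=/'],
};

// Constructed sample: the same app with an explicit origin, HSTS and cookie flags.
const hardenedHeaders = {
  'access-control-allow-origin': 'https://app.example.com',
  'access-control-allow-credentials': 'true',
  'strict-transport-security': 'max-age=31536000; includeSubDomains',
  'set-cookie': ['sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
};

console.log(assessResponseHeaders(weakHeaders));     // five findings
console.log(assessResponseHeaders(hardenedHeaders)); // []
```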
LLM and advanced attack surface
The scanner includes LLM-specific testing with 18 adversarial probes across Quick, Standard, and Deep tiers. These probes target system prompt extraction, instruction override attempts, DAN and roleplay jailbreaks, data exfiltration strategies, cost exploitation, and token smuggling. Multi-turn manipulation, nested instruction injection, and indirect prompt injection are also evaluated.
Findings include base64 and ROT13 encoding bypass attempts, translation-embedded injection, few-shot poisoning, markdown injection, and tool-abuse scenarios. This surface is relevant for teams deploying LLM integration layers in or alongside Express services.
OpenAPI analysis and integration options
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. The spec is cross-referenced against runtime results to identify undefined security schemes, sensitive fields, deprecated operations, and missing pagination definitions.
Integration options include the web dashboard for report viewing and trend tracking, the CLI via an npm package for scripted workflows, a GitHub Action for CI/CD gating, an MCP server for AI-assisted coding environments, and a programmable API for custom workflows. Continuous monitoring is available at higher tiers with scheduled rescans and diff detection.