42Crunch for FeathersJS

What middleBrick covers

  • Black-box API scanning with OWASP API Top 10 coverage
  • Authentication testing for JWT, Bearer, and API key schemes
  • CORS and input validation checks for FeathersJS services
  • OpenAPI schema cross-reference and runtime validation
  • Authenticated scans with header allowlist controls
  • CI/CD integration via CLI and GitHub Action

FeathersJS defaults and how scanner coverage differs

FeathersJS favors REST and Socket.io with minimal defaults. The framework does not enforce authentication or authorization layers; it relies on explicit middleware. middleBrick maps findings to OWASP API Top 10 and provides coverage relevant to these FeathersJS-specific traits by testing endpoints as they are mounted, including REST routes and socket channels where supported.

Authentication and authorization testing

FeathersJS commonly uses local or JWT authentication with hooks for role-based access control. middleBrick checks for authentication bypass, JWT misconfigurations such as alg=none, expired tokens, missing claims, and sensitive data in claims. The scanner validates controls described in OWASP API Top 10 and maps findings to PCI-DSS 4.0 and SOC 2 Type II where applicable. For BOLA and BFLA, it probes sequential IDs and admin endpoints to identify authorization gaps.

Input validation, CORS, and schema exposure

FeathersJS services are defined by schemas. middleBrick tests input validation alongside CORS wildcard configurations (with and without credentials), dangerous HTTP methods, and debug endpoints. It cross-references OpenAPI or Swagger definitions against runtime behavior to detect undefined security schemes and deprecated operations. These checks support audit evidence for controls and help you prepare for assessments aligned with security frameworks.
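To make the CORS part of this concrete, here is an added example that is not middleBrick's or FeathersJS's own code. It evaluates a response's CORS headers the way a black-box check would, by sending a constructed, untrusted probe origin and seeing whether it is reflected or whether a wildcard is combined with credentials, and it places a weak policy beside a corrected allowlist policy. The policy objects mirror the option shape of the Express `cors` package (`origin` as `'*'`, `true` to reflect, or an array of origins; `credentials`), but the middleware's behaviour is simulated in `corsHeadersFor` rather than imported; the allowlist and probe origin are assumptions.

```javascript
// Added example (not middleBrick or FeathersJS code): CORS misconfiguration
// check run against simulated responses from weak and corrected policies.
const ALLOWLIST = ['https://app.example.com'];    // assumption: the only trusted front end
const PROBE_ORIGIN = 'https://probe.invalid';     // constructed, reserved TLD, never a real site

// Simplified model of what an Express cors() middleware emits for a policy.
function corsHeadersFor(requestOrigin, policy) {
  const h = {};
  if (policy.origin === '*') {
    h['access-control-allow-origin'] = '*';
  } else if (policy.origin === true) {
    h['access-control-allow-origin'] = requestOrigin;   // reflects whatever was sent
  } else if (Array.isArray(policy.origin) && policy.origin.includes(requestOrigin)) {
    h['access-control-allow-origin'] = requestOrigin;
    h['vary'] = 'Origin';                                 // keep caches from mixing origins
  }
  if (policy.credentials) h['access-control-allow-credentials'] = 'true';
  return h;
}

// probeOrigin is an origin the caller knows should NOT be trusted; headers are
// the lower-cased response headers. Returns a list of finding strings.
function assessCors(probeOrigin, headers) {
  const findings = [];
  const acao = headers['access-control-allow-origin'];
  const creds = String(headers['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  if (acao === '*') {
    // Browsers refuse '*' with credentials, but the combination still signals an
    // attempt to open credentialed access to everyone and is worth reporting.
    findings.push(creds ? 'wildcard origin with credentials' : 'wildcard origin');
  } else if (acao === probeOrigin) {
    // Reflection of an arbitrary origin with credentials lets any site read
    // authenticated responses; without credentials it still exposes public data.
    findings.push(creds ? 'reflected untrusted origin with credentials' : 'reflected untrusted origin');
  }
  if (acao === 'null') findings.push('null origin allowed');
  return findings;
}

// Weak settings beside the corrected one.
const REFLECTING_POLICY = { origin: true, credentials: true };
const WILDCARD_POLICY = { origin: '*', credentials: true };
const FIXED_POLICY = { origin: ALLOWLIST, credentials: true };

function auditPolicy(policy) {
  return assessCors(PROBE_ORIGIN, corsHeadersFor(PROBE_ORIGIN, policy));
}

module.exports = { corsHeadersFor, assessCors, auditPolicy, REFLECTING_POLICY, WILDCARD_POLICY, FIXED_POLICY, ALLOWLIST };
```

Against the reflecting policy the probe origin comes back in `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true`, which is the finding that matters most; the allowlist policy returns no CORS headers at all for the probe origin, so the audit is clean while the trusted front end still gets its credentialed response.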

Authenticated scan requirements for FeathersJS services

When a FeathersJS service requires authentication, middleBrick supports Bearer, API key, Basic auth, and Cookie credentials. Domain verification is enforced via DNS TXT record or an HTTP well-known file to ensure only the domain owner can scan with credentials. Only a limited set of headers is forwarded to avoid leaking secrets, and the scanner remains read-only without triggering destructive payloads.

Limitations and complementary testing practices

middleBrick does not fix, patch, or block findings; it reports with remediation guidance. It does not perform active SQL injection or command injection testing, nor does it detect business logic vulnerabilities that require domain knowledge. For high-stakes audits, use this scanner to surface findings relevant to your API surface and complement it with human-led reviews and targeted penetration tests.

Frequently Asked Questions

Can middleBrick authenticate against a FeathersJS service using JWT?
Yes. You can provide a valid JWT as a Bearer token for authenticated scans. The scanner validates token handling, including expiration and malformed claims.
Does the scanner understand FeathersJS service hooks and schemas?
It analyzes runtime behavior against declared schemas and does not parse framework internals. Schema-aware checks focus on exposed fields, pagination, and undefined security schemes.
Will scanning disrupt a production FeathersJS service?
No. The scanner uses read-only methods only and never sends destructive payloads. Private IPs and localhost are blocked at multiple layers.
How are findings mapped to compliance frameworks?
Findings map directly to OWASP API Top 10 and support audit evidence for PCI-DSS 4.0 and SOC 2 Type II. Other regulations are addressed through alignment language, not certification claims.
Can I integrate middleBrick into my CI pipeline for a FeathersJS project?
Yes. Use the CLI or GitHub Action to gate builds based on score thresholds. The CLI outputs JSON for scripting, and the action fails the build when the score drops below your configured limit.