42Crunch for Feature flag rollout security check
What middleBrick covers
- Black-box API scanning with no agents or SDK dependencies
- Read-only checks using GET, HEAD, and text-only POST methods
- Authentication support for Bearer, API key, Basic, and Cookie
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
- 12 OWASP API Top 10 aligned detection categories
- CI/CD integration via GitHub Action with configurable score gates
Scope and approach for feature flag rollout security
Feature flag rollouts expose new endpoints, toggles, and internal routes to varying levels of traffic and user permissions. This scanner operates as a black-box security assessment of the exposed surfaces, submitting read-only and text-only POST requests to detect configuration issues and information leakage relevant to a rollout. The process parses OpenAPI specifications when available and cross-references runtime behavior against defined operations, security schemes, and deprecated paths to surface inconsistencies without modifying system state.
Authentication and authorization validation
The scanner checks multiple authentication methods including Bearer tokens, API keys, Basic auth, and cookie-based sessions to identify weak configurations and bypass opportunities. It validates JWT settings such as alg=none, HS256 usage, expired tokens, missing claims, and sensitive data present in claims, and confirms that security headers and WWW-Authenticate compliance are present. For authenticated scans, domain verification is enforced through DNS TXT records or an HTTP well-known file so that only the domain owner can submit credentials, and forwarded headers are limited to Authorization, X-API-Key, Cookie, and X-Custom-*.
API specific risks relevant to feature flags
Tests target Broken Object Level Authorization (BOLA) and Insecure Direct Object References (IDOR) through sequential ID enumeration and adjacent ID probing to identify access across flag variations. Broken Function Level Authorization (BFLA) and privilege escalation checks probe admin endpoints and analyze role or permission field leakage that could allow users to escalate control over flag states. Property Authorization reviews detect over-exposure of internal fields and mass-assignment surfaces that could let a caller modify flag behavior, while Input Validation identifies dangerous HTTP methods, wildcard CORS with credentials, and debug endpoints that could interfere with rollout traffic.
Data exposure, encryption, and operational safety
Scans identify Data Exposure risks such as PII patterns, including email addresses, Luhn-validated card numbers, and context-aware Social Security Numbers, along with API key formats for AWS, Stripe, GitHub, and Slack and error and stack trace leakage. Encryption checks verify HTTPS redirects, HTTP Strict Transport Security (HSTS), cookie flags, and mixed content issues. The scanner enforces a read-only posture and blocks private IPs, localhost, and cloud metadata endpoints at multiple layers. Customer data is deletable on demand within 30 days of cancellation and is not used for model training.
OpenAPI cross-validation and advanced probe coverage
The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution, aligning spec definitions against runtime findings such as undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For LLM and AI-related risks, it runs 18 adversarial probes across Quick, Standard, and Deep tiers, including system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration, cost exploitation, encoding bypasses, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool abuse, nested instruction injection, and PII extraction.