42Crunch for Fiber
What middleBrick covers
- Black-box API scanning with risk score and prioritized findings
- Detection of OWASP API Top 10 (2023) and related security issues
- Authenticated scanning for Bearer, API key, Basic, and cookie auth
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with recursive $ref resolution
- Continuous monitoring with diff detection and alerting
- CI/CD integration via GitHub Action and MCP Server support
Black-box scanning of Fiber applications
middleBrick is a self-service API security scanner that assesses Fiber endpoints without requiring code changes or SDKs. You submit a URL, and the service returns a risk score from A to F along with prioritized findings. The scan uses only read-safe methods (GET and HEAD) and text-only POST for LLM probes, completing in under a minute.
For Fiber routes, the scanner treats the endpoint surface as opaque inputs and outputs. It does not inspect Go code or middleware internals; instead it maps observable behaviors such as path parameter handling, header reflection, and response status variations. This approach works regardless of the language or framework used to build the service.
Detection coverage aligned to frameworks and standards
middleBrick maps findings directly to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). These mappings are explicit and limited to the listed frameworks. Findings include deviations such as missing security headers, unsafe HTTP methods, and CORS wildcard configurations that affect authentication and authorization controls.
Additional sets of findings help you prepare for audits aligned with security controls described in HIPAA, GDPR, ISO 27001, NIST, and other regulations. The scanner surfaces findings relevant to these frameworks but does not certify compliance or guarantee adherence to any regulatory requirements.
Authentication, authorization, and sensitive data handling
The scanner checks authentication bypass techniques and JWT misconfigurations, including alg=none, weak algorithms, expired tokens, and missing claims. For Fiber services that use Bearer, API key, Basic auth, or cookies, authenticated scanning validates domain ownership through DNS TXT records or HTTP well-known files before testing credentialed endpoints.
Data exposure checks include PII patterns such as email addresses, Luhn-validated card numbers, context-aware SSN formats, and API key values (AWS, Stripe, GitHub, Slack). The scanner also evaluates encryption posture by detecting HTTPS redirects, HSTS presence, and cookie flags, while blocking destructive payloads and sensitive internal endpoints at multiple layers.
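To make the passive header and cookie checks above concrete, here is an added Go example (not middleBrick's code or Fiber's; the finding identifiers, severities and sample headers are invented for illustration) that flags a missing HSTS header, a wildcard CORS origin, and cookies set without Secure or HttpOnly, looking at response headers only, as a read-safe GET or HEAD scan would.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Finding is one passive observation about a response. The IDs and
// severities are invented for this example, not middleBrick's own scheme.
type Finding struct {
	ID       string
	Severity string
	Detail   string
}

// checkResponseHeaders inspects only the headers of a read-safe response;
// it never looks at the body or at the server's code.
func checkResponseHeaders(h http.Header) []Finding {
	var out []Finding
	if h.Get("Strict-Transport-Security") == "" {
		out = append(out, Finding{"hsts-missing", "medium", "no Strict-Transport-Security header"})
	}
	if h.Get("Access-Control-Allow-Origin") == "*" {
		sev := "low"
		// A wildcard origin combined with credentials is the dangerous case.
		if strings.EqualFold(h.Get("Access-Control-Allow-Credentials"), "true") {
			sev = "high"
		}
		out = append(out, Finding{"cors-wildcard", sev, "Access-Control-Allow-Origin: *"})
	}
	for _, c := range h.Values("Set-Cookie") {
		name := strings.SplitN(c, "=", 2)[0]
		lc := strings.ToLower(c)
		if !strings.Contains(lc, "; secure") {
			out = append(out, Finding{"cookie-no-secure", "medium", "cookie " + name + " lacks Secure"})
		}
		if !strings.Contains(lc, "; httponly") {
			out = append(out, Finding{"cookie-no-httponly", "medium", "cookie " + name + " lacks HttpOnly"})
		}
	}
	return out
}

func main() {
	h := http.Header{} // constructed sample response headers
	h.Set("Access-Control-Allow-Origin", "*")
	h.Set("Access-Control-Allow-Credentials", "true")
	h.Add("Set-Cookie", "session=abc123; Path=/; HttpOnly")
	for _, f := range checkResponseHeaders(h) {
		fmt.Printf("%-20s %-6s %s\n", f.ID, f.Severity, f.Detail)
	}
}
```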
Limitations and complementary testing practices
middleBrick does not fix, patch, block, or remediate findings; it reports issues with guidance on how to address them. The scanner does not perform active SQL injection or command injection tests, as those require intrusive payloads outside its scope. It also does not detect business logic vulnerabilities, blind SSRF via out-of-band channels, or subtle authorization flaws that depend on domain-specific behavior.
Because the tool is not a human-led audit, it cannot replace a professional pentester for high-stakes assessments. Scanning results should be combined with manual review and secure development practices to address complex authorization rules and data handling logic in Fiber applications.
Integration options and continuous monitoring
For ongoing validation, middleBrick offers multiple integration paths. The CLI allows on-demand scans using middlebrick scan <url>, with JSON or text output suitable for scripts. A GitHub Action can enforce quality gates in CI/CD, failing builds when the score drops below a defined threshold.
Pro tier adds scheduled rescans, diff detection across runs, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that auto-disable after five consecutive failures. The MCP Server enables scanning from AI coding assistants such as Claude and Cursor, while the web dashboard centralizes reports, score trends, and downloadable compliance PDFs.