42Crunch for Fintech
What middleBrick covers
- Black-box scanning with no agents or code access
- Risk scoring across 12 OWASP API Top 10 categories
- OpenAPI 3.0/3.1 and Swagger 2.0 spec validation
- Authenticated scans with strict header allowlisting
- LLM security testing across tiered adversarial probes
- Integration options including dashboard, CLI, GitHub Action, and API
API Security Posture for Financial Services
Financial APIs move sensitive data and high-value transactions; their exposure directly impacts risk, regulatory alignment, and customer trust. The scanner evaluates authentication mechanisms, authorization boundaries, and data exposure specific to payment flows and account management. Findings map to PCI-DSS 4.0 controls and align with security requirements common in fintech environments handling card data and personally identifiable information.
Detection Coverage and Methodology
The scanner performs black-box assessments using read-only methods, including GET and HEAD requests, with text-only POST for LLM probes. It operates without agents or SDKs and completes scans in under a minute. Detection categories include authentication bypass, broken object level authorization, privilege escalation, property over-exposure, input validation issues, rate limiting anomalies, data exposure patterns such as PII and API keys, encryption misconfigurations, SSRF indicators, inventory and versioning gaps, unsafe consumption surfaces, and LLM security probes across tiered intensities.
- Authentication — multi-method bypass, JWT misconfigurations including alg=none and HS256, expired or missing claims, and sensitive data in token payloads.
- BOLA / IDOR — sequential ID enumeration and active adjacent-ID probing.
- BFLA / Privilege Escalation — admin endpoint probing and role or permission field leakage.
- Data Exposure — PII patterns including email addresses, Luhn-validated card numbers, context-aware SSN formats, and API key formats for AWS, Stripe, GitHub, and Slack.
- LLM Security — 18 adversarial probes across Quick, Standard, and Deep tiers, covering system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration attempts, cost exploitation, encoding bypasses, prompt injection variants, token smuggling, and tool abuse.
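To illustrate the Data Exposure category above, here is a small added example (not middleBrick's code) of how a black-box scanner can flag card numbers in a response body only when they pass the Luhn check, alongside a well-known-prefix match for AWS access key IDs; the response body and the sample values are constructed for illustration.

```python
import json
import re

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# AWS access key IDs use the documented AKIA prefix followed by 16 upper-case alphanumerics.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Constructed sample response: one Luhn-invalid order id, one Luhn-valid test card
# number, and the AWS documentation example key (not a live credential).
SAMPLE_BODY = json.dumps({
    "order_id": "1234567890123456",
    "card": "4111111111111111",
    "note": "rotate AKIAIOSFODNN7EXAMPLE",
})


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_exposures(body: str) -> list[tuple[str, str]]:
    """Scan a response body and return (category, masked_value) findings.

    Card-like digit runs are reported only when Luhn-valid, which avoids flagging
    order ids, timestamps and similar numeric fields. Values are masked so the
    finding itself does not re-expose the data.
    """
    findings = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
            findings.append(("card_number", masked))
    for m in AWS_KEY_RE.finditer(body):
        key = m.group(0)
        findings.append(("aws_access_key_id", key[:4] + "..." + key[-4:]))
    return findings


if __name__ == "__main__":
    for category, value in find_exposures(SAMPLE_BODY):
        print(f"{category}: {value}")
```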
OpenAPI and Spec Validation
The tool parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references spec definitions against observed runtime behavior to identify undefined security schemes, sensitive fields in responses, deprecated operations, and missing pagination controls. This helps teams detect discrepancies between documented contracts and actual behavior, supporting more accurate risk assessment and audit evidence collection.
Authenticated Scanning and Access Controls
Authenticated scans support Bearer tokens, API keys, Basic authentication, and cookies. Domain verification is enforced through DNS TXT records or an HTTP well-known file to ensure only domain owners can submit credentials. Header forwarding is limited to Authorization, X-API-Key, Cookie, and X-Custom-* to reduce unintended data exposure. These controls help secure assessment workflows and reduce noise from external systems.
Product Options and Integration
The Web Dashboard centralizes scan management, report viewing, score trend tracking, and branded compliance PDF downloads. The CLI enables on-demand scans via middlebrick scan <url> with JSON or text output. The GitHub Action enforces CI/CD gates by failing builds when scores drop below defined thresholds. The MCP Server allows integration with AI coding assistants, and the API client supports custom automation. Pro tier adds scheduled rescans, diff detection, email alerts, signed webhooks, and compliance reporting, while Enterprise tier supports unlimited APIs, custom rules, SSO, audit logs, SLA-backed support, and dedicated assistance.