42Crunch for Gaming

What middleBrick covers

  • Black-box API scanning with no agents or SDKs
  • Under one-minute scan time for quick feedback
  • Detection of authentication bypass and JWT misconfigurations
  • BOLA, BFLA, and data exposure checks mapped to OWASP API Top 10 (2023)
  • LLM security testing with multi-tier adversarial probes
  • Integration with dashboard, CLI, GitHub Action, and MCP

API Security Posture for Gaming Platforms

Gaming platforms expose multiple public APIs for player data, leaderboards, purchases, and matchmaking. Each of these surfaces needs continuous verification that authentication and authorization controls hold and that responses do not over-expose player data. middleBrick maps findings to OWASP API Top 10 (2023) and supports audit evidence for PCI-DSS 4.0 and SOC 2 Type II by surfacing misconfigurations relevant to those frameworks.

Black-Box Scanning Without Infrastructure Access

Because gaming backends often include third-party services and serverless functions that you cannot instrument, intrusive scanning is impractical. middleBrick is a black-box scanner that requires no agents, SDKs, or code access. It uses read-only methods (GET and HEAD) plus text-only POST for the LLM probes, and completes most scans in under a minute. This approach minimizes impact on live game services while validating external-facing endpoints. The trade-off is that a black-box scan sees only what the public internet sees: anything behind the first authentication wall is covered only when you supply credentials (see Authenticated Scanning below).

Detection Coverage for Common Game API Risks

Gaming APIs frequently leak internal identifiers, over-expose player data, and mishandle authentication tokens. The scanner's checks fall into six groups:

  • BOLA / IDOR: sequential ID enumeration and active adjacent-ID probing (requesting the records next to one the supplied credential may see, and flagging neighbours that return data).
  • BFLA / privilege escalation: probing for admin endpoints reachable without an elevated role.
  • Data exposure: PII patterns, API key formats (AWS, Stripe, GitHub, Slack), and error or stack-trace leakage in responses.
  • Input handling and configuration: CORS wildcard usage, dangerous HTTP methods, exposed debug endpoints, and SSRF indicators such as URL-accepting parameters and internal-IP probing.
  • Inventory management: missing versioning, legacy path patterns, and server fingerprinting.
  • LLM / AI security: 18 adversarial probes across Quick, Standard, and Deep tiers covering system prompt extraction, instruction override, jailbreak attempts, token smuggling, and other AI-specific risks.
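To make the data-exposure and configuration checks concrete, here is an added example of the kind of response analysis such a scanner performs. It is not middleBrick's code or rule set: the regexes are the commonly published key formats for the named providers, the CORS and fingerprint logic is the editor's, and the sample response (headers and body) is constructed for the demo.

```python
import re
from typing import Dict, List

# Illustrative detectors for the response-content checks described above.
# Added example, not middleBrick's rule set: the regexes are the common public
# formats of the named providers' keys, and the sample response is constructed.

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b"),
    "github_token": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
}
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "us_phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
}
STACK_TRACE_MARKERS = ("Traceback (most recent call last)", "Exception in thread", "\n\tat ")


def redact(value: str) -> str:
    """Keep just enough of a matched secret to triage it without echoing it."""
    return value[:6] + "..." + value[-2:] if len(value) > 10 else "***"


def scan_response(headers: Dict[str, str], body: str, sent_origin: str) -> List[dict]:
    """Findings for one response. sent_origin is the Origin header the probe sent."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[dict] = []

    for name, pat in SECRET_PATTERNS.items():
        for m in pat.finditer(body):
            findings.append({"type": name, "severity": "high", "evidence": redact(m.group())})
    for name, pat in PII_PATTERNS.items():
        for m in pat.finditer(body):
            findings.append({"type": name, "severity": "medium", "evidence": redact(m.group())})
    if any(marker in body for marker in STACK_TRACE_MARKERS):
        findings.append({"type": "stack_trace", "severity": "medium", "evidence": "stack trace in body"})

    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*":
        # Browsers refuse credentialed responses for "*", so this mainly matters for
        # endpoints that return per-user data without cookies (e.g. token in a query param).
        findings.append({"type": "cors_wildcard", "severity": "low", "evidence": "ACAO: *"})
    elif acao and acao == sent_origin and creds:
        # Reflecting an arbitrary Origin with credentials lets any site read the response.
        findings.append({"type": "cors_reflected_origin_with_credentials", "severity": "high",
                         "evidence": f"ACAO reflects {sent_origin} with credentials"})
    for fp in ("server", "x-powered-by"):
        if fp in h and re.search(r"\d", h[fp]):  # a version number is a fingerprint
            findings.append({"type": "server_fingerprint", "severity": "low", "evidence": f"{fp}: {h[fp]}"})
    return findings


# Constructed response standing in for a misconfigured /v1/players/{id} endpoint.
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "Server": "nginx/1.18.0",
    "Access-Control-Allow-Origin": "https://evil.example",
    "Access-Control-Allow-Credentials": "true",
}
SAMPLE_BODY = (
    '{"player": {"id": 1001, "email": "player@example.com", "phone": "555-123-4567"},\n'
    ' "debug": {"aws": "AKIAIOSFODNN7EXAMPLE", "stripe": "sk_test_4eC39HqLyjWDarjtT1zdp7dc",\n'
    '           "github": "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",\n'
    '           "slack": "xoxb-000000000000-000000000000-AbCdEfGhIjKlMnOpQrStUvWx"},\n'
    ' "error": "Traceback (most recent call last):\\n  File /srv/api/players.py, line 42"}'
)

if __name__ == "__main__":
    for f in scan_response(SAMPLE_HEADERS, SAMPLE_BODY, sent_origin="https://evil.example"):
        print(f"{f['severity']:6} {f['type']:40} {f['evidence']}")
```

Two design points worth copying: matched secrets are redacted before they reach a report (a scanner that echoes the full key has just created a second leak), and the CORS check distinguishes a wildcard (low, because browsers will not attach credentials to it) from a reflected Origin with credentials (high, because any site can then read the player's data).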

Authenticated Scanning and Safe Operation

For endpoints that require authentication, middleBrick supports Bearer tokens, API keys, Basic auth, and cookies. Authenticated scanning requires domain verification through a DNS TXT record or an HTTP well-known file, so only the domain owner can scan with credentials. The scanner forwards only headers on a limited allowlist, including Authorization, X-API-Key, Cookie, and X-Custom-* headers; headers outside the allowlist are not forwarded. All operations are read-only and destructive payloads are never sent, and private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers so the scanner cannot be pointed at internal infrastructure. Because the credential you supply is sent to the target with every probe, use a dedicated, least-privilege test account or a short-lived token rather than a production player or admin credential.
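The two safeguards in this section, target blocking and the header allowlist, are straightforward to implement, and the details matter: the private-address check has to run on the resolved addresses (all of them), and IPv4-mapped IPv6 forms have to be unwrapped. The following is an added example by the editor, not middleBrick's code; the exact allowlist contents, the blocked hostnames, and the DEMO_DNS table are assumptions made so it runs offline.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

# Added example of the two safeguards described above, not middleBrick's code:
# a target check that refuses private, loopback, link-local and cloud-metadata
# destinations (after DNS resolution, so an innocent-looking hostname cannot
# smuggle in an internal address), and a header filter that forwards only an
# allowlist. The allowlist and blocked-name sets are assumptions for the demo.

ALLOWED_HEADERS = {"authorization", "x-api-key", "cookie"}
ALLOWED_PREFIXES = ("x-custom-",)
BLOCKED_HOSTS = {"localhost", "metadata.google.internal", "metadata", "169.254.169.254"}
Resolver = Callable[[str], Iterable[str]]


def default_resolver(host: str) -> List[str]:
    """Every A/AAAA record; a host is unsafe if ANY of its addresses is unsafe."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed DNS table so the example runs offline (not real records).
DEMO_DNS = {
    "api.example.com": ["93.184.216.34"],
    "rebind.example": ["93.184.216.34", "10.0.0.5"],   # one public, one private
    "v6.example": ["::ffff:127.0.0.1"],                 # IPv4-mapped loopback
}


def demo_resolver(host: str) -> List[str]:
    return DEMO_DNS.get(host, [])


def is_public_address(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.1 as 10.0.0.1
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_target(url: str, resolve: Resolver = default_resolver) -> Tuple[bool, str]:
    """(True, host) if the URL may be scanned, else (False, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, f"unsupported target {url!r}"
    host = parts.hostname.lower().rstrip(".")
    if host in BLOCKED_HOSTS or host.endswith((".internal", ".local")):
        return False, f"blocked hostname {host}"
    try:
        addrs = [host] if _is_ip_literal(host) else list(resolve(host))
    except socket.gaierror as exc:
        return False, f"cannot resolve {host}: {exc}"
    if not addrs:
        return False, f"no addresses for {host}"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    # This is the pre-request layer only. DNS rebinding can change the answer
    # between this check and the connect, so the HTTP client should re-check the
    # peer address it actually connected to (one of the page's "multiple layers").
    return True, host


def filter_headers(user_headers: Dict[str, str]) -> Dict[str, str]:
    """Forward only allowlisted credential headers; reject CRLF in any value."""
    kept: Dict[str, str] = {}
    for name, value in user_headers.items():
        key = name.strip().lower()
        if "\r" in value or "\n" in value:
            raise ValueError(f"header injection attempt in {name}")
        if key in ALLOWED_HEADERS or key.startswith(ALLOWED_PREFIXES):
            kept[name.strip()] = value
    return kept


if __name__ == "__main__":
    for u in ("https://api.example.com/v1/players", "http://169.254.169.254/latest/meta-data/",
              "https://rebind.example/", "http://[::1]:8080/", "http://v6.example/"):
        print(u, "->", check_target(u, demo_resolver))
    print(filter_headers({"Authorization": "Bearer t", "X-Custom-Region": "eu", "X-Forwarded-For": "127.0.0.1"}))
```

The rebind.example entry shows why every resolved address must pass: a name that returns one public and one private record would otherwise be accepted and then, on the private answer, reach an internal service. Dropping Host and X-Forwarded-For is the other half of the story; a scanner that forwarded arbitrary user headers could be used to spoof client addresses at the target.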

Reporting, Monitoring, and Integration Options

Results are presented in a web dashboard with prioritized findings and an overall letter grade from A to F, so teams can track score trends over time and download branded compliance PDFs. The CLI supports middlebrick scan <url> with JSON or text output, and the GitHub Action can fail CI/CD builds when the score drops below a configured threshold. The MCP Server allows scans to be triggered from AI coding assistants. The Pro tier adds scheduled rescans, diff detection between scans, email alerts rate-limited to one per hour per API, HMAC-SHA256 signed webhooks (verify the signature before acting on a payload), and Slack or Teams integrations. All scan data is deletable on demand and purged within 30 days of cancellation; it is never sold or used for model training.
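A signed webhook is only worth something if the receiver checks it. The following is an added example of the receiving side of an HMAC-SHA256 signed webhook; it is not middleBrick's code, and because the page does not document the header names or what exactly is signed, the X-Webhook-Timestamp and X-Webhook-Signature headers, the "sha256=<hex>" encoding, the "<timestamp>.<raw body>" signing input, and the event payload are all assumptions. Check the vendor's documentation for the real format before deploying.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Added example of verifying an HMAC-SHA256 signed webhook on the receiving side.
# Not middleBrick's code: the page does not document its header names or what
# is signed, so the X-Webhook-Timestamp / X-Webhook-Signature headers and the
# "sha256=<hex>" over "<timestamp>.<raw body>" scheme below are assumptions.

TOLERANCE_SECONDS = 300  # reject deliveries whose timestamp is far from now (replay guard)


def sign(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    """Signature a sender would attach; the timestamp is bound into the MAC."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + raw_body, hashlib.sha256)
    return "sha256=" + mac.hexdigest()


def make_headers(secret: bytes, timestamp: int, raw_body: bytes) -> Dict[str, str]:
    """Headers the (assumed) sender would put on a delivery; used for the demo."""
    return {"X-Webhook-Timestamp": str(timestamp),
            "X-Webhook-Signature": sign(secret, timestamp, raw_body)}


def verify(secret: bytes, headers: Dict[str, str], raw_body: bytes,
           now: Optional[float] = None) -> Tuple[bool, str]:
    """Verify BEFORE parsing. raw_body must be the bytes received, not re-serialised JSON."""
    h = {k.lower(): v for k, v in headers.items()}
    try:
        ts = int(h["x-webhook-timestamp"])
        provided = h["x-webhook-signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed signature headers"
    now = time.time() if now is None else now
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False, "timestamp outside tolerance (possible replay)"
    expected = sign(secret, ts, raw_body)
    if not hmac.compare_digest(expected.encode(), provided.encode()):  # constant-time compare
        return False, "signature mismatch"
    return True, "ok"


def handle_delivery(secret: bytes, headers: Dict[str, str], raw_body: bytes,
                    now: Optional[float] = None) -> dict:
    """Return the parsed event only if the signature checks out; else an error record."""
    ok, reason = verify(secret, headers, raw_body, now)
    if not ok:
        return {"accepted": False, "reason": reason}
    event = json.loads(raw_body)
    return {"accepted": True, "event": event.get("event"), "score": event.get("current_score")}


# Constructed delivery (secret, field names and values are made up for the demo).
SECRET = b"demo-shared-secret"
BODY = b'{"event": "score_changed", "api": "https://api.example.com", "previous_score": "B", "current_score": "D"}'
SENT_AT = 1_700_000_000

if __name__ == "__main__":
    headers = make_headers(SECRET, SENT_AT, BODY)
    print(handle_delivery(SECRET, headers, BODY, now=SENT_AT + 5))                              # accepted
    print(handle_delivery(SECRET, headers, BODY.replace(b'"D"', b'"A"'), now=SENT_AT + 5))      # tampered body
    print(handle_delivery(SECRET, headers, BODY, now=SENT_AT + 3600))                           # stale replay
```

Three things here are easy to get wrong in a real receiver: signing over the raw bytes rather than a re-serialised object (whitespace or key order changes break the MAC), comparing with hmac.compare_digest rather than ==, and rejecting old timestamps so that a captured delivery cannot be replayed to flip a score alert later.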

Frequently Asked Questions

Does this replace a penetration test for a game platform?
No. middleBrick is a scanner that detects and reports misconfigurations; it does not replace a human pentester for high-stakes audits or business logic issues.
Can it detect SQL injection or command injection in game APIs?
No. The scanner does not perform active SQL injection or command injection tests, as those require intrusive payloads outside its scope.
How are compliance mappings presented for gaming audits?
Findings map to OWASP API Top 10 (2023) and support audit evidence for PCI-DSS 4.0 and SOC 2 Type II. For other frameworks, the report helps you prepare by aligning findings with the security controls those standards describe.
What happens to scan data when an account is canceled?
Customer data is deletable on demand and purged within 30 days of cancellation. It is never sold and is not used for model training.