42Crunch for Grape
What middleBrick covers
- Black-box scanning with read-only methods, completed in under one minute
- Covers OWASP API Top 10 (2023) with mapped findings
- Supports OpenAPI 3.0, 3.1, and Swagger 2.0 with $ref resolution
- Authenticated scanning with strict header allowlists
- Web dashboard, CLI, GitHub Action, and MCP server access
- Continuous monitoring with diff detection and HMAC-SHA256 webhooks
Black-box scanning for Grape APIs
middleBrick is a self-service API security scanner that operates as a black-box solution against Grape-based services. You submit a target URL and receive a risk score from A to F in under a minute, using only read-only methods such as GET and HEAD, plus text-only POST requests for the LLM probes. The scanner does not require agents, SDKs, or access to your codebase, so it applies to any language, framework, or cloud environment where Grape is deployed.
Detection aligned to OWASP API Top 10 and related frameworks
The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023) and maps findings directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 controls. Detection coverage includes authentication bypasses; JWT misconfigurations such as alg=none or expired tokens; BOLA and IDOR via sequential ID enumeration; BFLA and privilege escalation attempts; over-exposed properties; input validation issues such as CORS wildcard usage and dangerous HTTP methods; rate-limiting headers; sensitive data exposure, including PII and API key formats; encryption misconfigurations; SSRF indicators; inventory management gaps; unsafe consumption surfaces; and LLM/AI security probes across tiered scan intensities.
OpenAPI and runtime correlation
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 specifications with recursive $ref resolution, then cross-references spec definitions against runtime behavior. This helps identify undefined security schemes, sensitive fields not reflected in the spec, deprecated operations, and missing pagination, offering findings that highlight deviations between declared contract and actual implementation for Grape services.
Authenticated scanning and safety controls
Authenticated scanning, available from the Starter tier onward, supports Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through a DNS TXT record or an HTTP well-known file so that only the domain owner can scan with credentials. The scanner forwards only a strict allowlist of headers: Authorization, X-API-Key, Cookie, and X-Custom-* headers. Safety controls include blocking private IPs, localhost, and cloud metadata endpoints at multiple layers, and the scanner never sends destructive payloads.
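The safety controls described above, as an added illustration that is not middleBrick's own code: a target-vetting check of the kind a scanner runs before sending any request, refusing URLs that point at localhost, private or link-local ranges, or cloud metadata endpoints (including hostnames that resolve to them). The metadata host and address lists and the injectable resolver parameter are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed deny-list of well-known metadata names and addresses; not exhaustive.
METADATA_HOSTS = {"metadata.google.internal", "metadata"}
METADATA_IPS = {
    ipaddress.ip_address("169.254.169.254"),  # AWS, GCP, Azure, OpenStack IMDS
    ipaddress.ip_address("fd00:ec2::254"),    # AWS IMDS over IPv6
}


def default_resolver(host):
    """Return every A/AAAA answer for host; each one must pass the check."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_blocked_ip(ip):
    """True if the scanner must never open a connection to this address."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return (ip in METADATA_IPS or ip.is_private or ip.is_loopback
            or ip.is_link_local or ip.is_multicast or ip.is_reserved
            or ip.is_unspecified)


def check_target(url, resolver=default_resolver):
    """Vet a scan target before any request; returns (ok, reason).
    First layer only: the address actually dialled must be re-checked at
    connect time, otherwise DNS rebinding can bypass this test."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost") or host in METADATA_HOSTS:
        return False, f"blocked hostname {host}"
    try:
        addrs = {ipaddress.ip_address(host)}  # IP literal, no DNS lookup needed
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(host)}
        except (socket.gaierror, ValueError):
            return False, f"cannot resolve {host}"
    for ip in addrs:
        if is_blocked_ip(ip):
            return False, f"{host} resolves to blocked address {ip}"
    return True, "ok"
```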
Product formats and programmability
Results are accessible via a Web Dashboard for review, trend tracking, and branded compliance PDF downloads. The CLI, distributed as an npm package named middlebrick, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action can gate CI/CD pipelines, failing builds when the score drops below a set threshold. An MCP Server allows scanning from AI coding assistants, and a programmable API supports custom integrations for automated workflows.