42Crunch for GraphQL gateway audit

What middleBrick covers

  • Black-box GraphQL scanning with risk score in under a minute
  • Introspection and query depth probing to detect overexposure
  • Authenticated scans with Bearer, API key, Basic, and cookie support
  • OpenAPI 3.x and Swagger 2.0 cross-reference for schema consistency
  • Detection of CORS misconfigurations and sensitive data exposure
  • Proactive monitoring and diff tracking for recurring findings

GraphQL gateway audit challenges

GraphQL gateways introduce a consolidated endpoint and schema stitching, which changes how you validate security posture. Traditional network-level scanning is less effective because the gateway presents a single surface that may route to multiple subgraphs. Audits must verify schema design, query complexity, and gateway-level authorization rather than per-service checks. These audits also need to account for persisted queries, batching, and federated trace propagation without disrupting production traffic.

Where middleBrick fits in the workflow

middleBrick is a black-box API security scanner that submits queries to a live GraphQL endpoint and analyzes responses. You submit the gateway URL and, within a minute, receive a risk score and prioritized findings mapped to OWASP API Top 10. The scanner parses OpenAPI specifications when available and cross-references the schema with observed runtime behavior to flag undefined operations, missing pagination, and overly permissive mutation surfaces. It does not modify data or execute destructive payloads, making it suitable for continuous verification alongside gateway testing.

Detection coverage for common GraphQL risks

The scanner exercises the gateway to detect issues common in federated and gateway architectures. It probes for introspection exposure in production and validates whether the gateway enforces query depth and cost limits to prevent resource exhaustion. Input validation checks include detecting CORS wildcard configurations and dangerous HTTP methods. Data exposure detection includes PII patterns and API key formats, while SSRF probes target URL-accepting arguments and body fields that may route to internal subgraphs. Findings are mapped to OWASP API Top 10 and support audit evidence for SOC 2 Type II and PCI-DSS 4.0.
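As an added illustration of two of the gateway-side controls this section says the scanner probes for (query depth limits and production introspection exposure), here is a small pre-execution guard a gateway could apply; it is example code, not middleBrick's scanner, and the sample queries are constructed.

```python
"""Guard incoming GraphQL documents before they reach resolvers.

Assumptions (constructed for this example): the depth limit of 6 and the
introspection policy are illustrative defaults, not middleBrick settings.
"""
import re

INTROSPECTION_FIELDS = ("__schema", "__type")


def _strip_strings_and_comments(query: str) -> str:
    # Braces inside block strings, ordinary strings and comments are not
    # selection sets, so blank them out before counting.
    query = re.sub(r'"""[\s\S]*?"""', '""', query)
    query = re.sub(r'"(?:\\.|[^"\\])*"', '""', query)
    return re.sub(r"#[^\n]*", "", query)


def selection_depth(query: str) -> int:
    """Maximum nesting of selection sets; the operation body is depth 1.
    Braces inside parentheses (argument values, variable defaults) are
    input-object literals, not selections, and are ignored."""
    depth = max_depth = parens = 0
    for ch in _strip_strings_and_comments(query):
        if ch == "(":
            parens += 1
        elif ch == ")":
            parens -= 1
        elif parens == 0 and ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif parens == 0 and ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced selection set")
    if depth != 0 or parens != 0:
        raise ValueError("unbalanced selection set")
    return max_depth


def uses_introspection(query: str) -> bool:
    cleaned = _strip_strings_and_comments(query)
    return any(re.search(rf"\b{f}\b", cleaned) for f in INTROSPECTION_FIELDS)


def check_query(query: str, max_depth: int = 6, allow_introspection: bool = False) -> list[str]:
    """Return the policy violations for a document; an empty list means accept."""
    findings = []
    depth = selection_depth(query)
    if depth > max_depth:
        findings.append(f"depth {depth} exceeds limit {max_depth}")
    if not allow_introspection and uses_introspection(query):
        findings.append("introspection field requested")
    return findings
```

A gateway would run `check_query` on each document (or on persisted queries at registration time) and reject or log anything that returns findings.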

Authenticated scanning and schema awareness

With Starter tier or higher, you can configure authenticated scanning for GraphQL gateways using Bearer, API key, Basic auth, or cookies. Domain verification ensures only the domain owner can run authenticated scans. The scanner respects a header allowlist and forwards only approved headers to the gateway. OpenAPI 3.0, 3.1, and Swagger 2.0 documents are parsed with recursive $ref resolution, and findings are cross-referenced against the spec to highlight undefined security schemes or deprecated operations. This helps teams validate that schema contracts align with implemented behavior.

Limitations and complementary practices

middleBrick does not fix, patch, or block findings; it reports with remediation guidance. GraphQL business logic vulnerabilities, such as authorization mismatches between federation layers or complex resolver-level flaws, require domain knowledge and manual review. The scanner does not perform intrusive injection tests like SQL injection or command injection, nor does it detect blind SSRF that requires out-of-band callbacks. It does not replace a human pentester for high-stakes audits. For robust gateway security, combine automated scans with schema governance, query whitelisting, and runtime monitoring.

Frequently Asked Questions

Can middleBrick audit a federated GraphQL gateway?
Yes. The scanner treats the gateway as a single API surface, probes operations across subgraphs, and flags issues such as missing authorization and introspection exposure at the gateway level.
Does it test for injection attacks like SQL or command injection?
No. The scanner focuses on API-level security properties and does not send destructive or intrusive payloads.
How does authenticated scanning work with GraphQL?
You provide credentials for Bearer, API key, Basic auth, or cookies. Domain ownership must be verified before authenticated scans proceed, and only allowlisted headers are forwarded to the gateway.
Can the scanner validate against compliance frameworks?
It maps findings to OWASP API Top 10 and supports audit evidence for SOC 2 Type II and PCI-DSS 4.0. For other regulations, it helps you prepare by aligning findings with the security controls described in the relevant framework.