42Crunch for Hanami
What middleBrick covers
- Black-box scanning with no agents or SDK dependencies
- Read-only methods and text-only POST for safe probing
- 12 scan categories covering the OWASP API Top 10 (2023) plus LLM security
- OpenAPI 3.0/3.1/Swagger 2.0 parsing with $ref resolution
- Authenticated scans with header allowlisting and domain verification
- Continuous monitoring and compliance-focused reporting
Overview of API Security for Hanami Applications
Hanami encourages explicit routing and modular controllers (actions), which affects how API security checks map to endpoints. middleBrick scans the public surface of your API using read-only methods and text-only POST probes, which makes it suitable for Hanami deployments that follow standard REST patterns. The scanner does not inspect your Ruby code or internal object model; it validates observable behaviour such as response headers, authentication challenges, and error messages. This keeps scans safe to run against production-like environments while still surfacing issues relevant to API integrity.
Authentication and Security Header Checks
Authentication issues are a primary focus, including bypass attempts across several authentication methods and malformed-token handling. The scanner tests JWT misconfigurations: acceptance of alg=none, weak HS256 verification (for example, signatures accepted under a weak or guessable secret), expired tokens still being honoured, missing required claims, and sensitive data carried inside claims. It also validates the presence and correctness of security headers and that authentication challenges carry a compliant WWW-Authenticate header. For Hanami applications, this verifies that your authentication middleware and route constraints produce the intended protection boundaries. Findings are mapped to the relevant controls of the OWASP API Top 10 (2023).
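The checks above are easier to reason about against a concrete verifier. The following is an added example written for this page, not middleBrick's or Hanami's own code: a strict HS256 verifier of the kind a Hanami authentication layer should sit behind, together with a token factory used only to build the misconfigured tokens the scanner sends. The module name JwtCheck, the claim names, the secret and the rejection reasons are all assumptions made for the example.

```ruby
require "openssl"
require "json"

# Added example, not middleBrick's or Hanami's code. A strict HS256 JWT verifier that
# rejects the misconfigurations the scanner probes for: alg=none, a weak HMAC secret,
# an unverifiable signature, missing required claims, an expired token, and secrets
# carried inside claims. SECRET and the claim set are constructed for the example.
module JwtCheck
  MIN_SECRET_BYTES = 32                                # HMAC key at least the hash output size
  REQUIRED_CLAIMS = %w[sub iss exp].freeze
  SENSITIVE_CLAIM_KEYS = %w[password ssn secret card_number].freeze
  SECRET = "c0rrect-h0rse-battery-staple-32-bytes!!"  # constructed, 39 bytes

  def self.b64url_encode(bytes)
    [bytes].pack("m0").tr("+/", "-_").delete("=")
  end

  def self.b64url_decode(str)
    s = str.tr("-_", "+/")
    s += "=" * ((4 - s.length % 4) % 4)               # restore padding for strict "m0" decoding
    s.unpack1("m0")
  end

  # Token factory for the demo; alg: "none" yields the empty-signature token an attacker sends.
  def self.sign(payload, secret, alg: "HS256")
    input = "#{b64url_encode(JSON.generate({ "alg" => alg, "typ" => "JWT" }))}.#{b64url_encode(JSON.generate(payload))}"
    sig = alg == "none" ? "" : OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA256"), secret, input)
    "#{input}.#{b64url_encode(sig)}"
  end

  # Constant-time comparison so the signature check does not leak through timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Returns [:ok, claims] or [:reject, reason]. The header's alg is never trusted: only
  # HS256 is accepted, and the signature is verified before any claim is looked at.
  def self.verify(token, secret, now: Time.now.to_i)
    return [:reject, "weak_secret"] if secret.bytesize < MIN_SECRET_BYTES
    parts = token.split(".", -1)
    return [:reject, "malformed"] unless parts.length == 3
    header = JSON.parse(b64url_decode(parts[0]))
    return [:reject, "malformed"] unless header.is_a?(Hash)
    return [:reject, "alg_not_allowed:#{header['alg']}"] unless header["alg"] == "HS256"
    expected = OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA256"), secret, "#{parts[0]}.#{parts[1]}")
    return [:reject, "bad_signature"] unless secure_equal?(expected, b64url_decode(parts[2]))
    claims = JSON.parse(b64url_decode(parts[1]))
    return [:reject, "malformed"] unless claims.is_a?(Hash)
    missing = REQUIRED_CLAIMS - claims.keys
    return [:reject, "missing_claims:#{missing.join(',')}"] unless missing.empty?
    return [:reject, "expired"] unless claims["exp"].is_a?(Integer) && claims["exp"] > now
    leaked = claims.keys & SENSITIVE_CLAIM_KEYS
    # Strict policy choice: a token carrying secrets is treated as an issuer misconfiguration.
    return [:reject, "sensitive_claims:#{leaked.join(',')}"] unless leaked.empty?
    [:ok, claims]
  rescue JSON::ParserError, ArgumentError
    [:reject, "malformed"]
  end

  # Runs each misconfiguration the scanner looks for against the verifier.
  def self.demo(now: 1_700_000_000)
    good = { "sub" => "user-42", "iss" => "hanami-api", "exp" => now + 600 }
    {
      valid:       verify(sign(good, SECRET), SECRET, now: now).first,
      alg_none:    verify(sign(good, SECRET, alg: "none"), SECRET, now: now),
      wrong_key:   verify(sign(good, "not-the-real-key"), SECRET, now: now),
      expired:     verify(sign(good.merge("exp" => now - 1), SECRET), SECRET, now: now),
      missing_iss: verify(sign(good.reject { |k, _| k == "iss" }, SECRET), SECRET, now: now),
      leaky:       verify(sign(good.merge("password" => "hunter2"), SECRET), SECRET, now: now),
      weak_secret: verify(sign(good, "short"), "short", now: now)
    }
  end
end

puts JwtCheck.demo.map { |k, v| "#{k}: #{v.inspect}" } if $PROGRAM_NAME == __FILE__
```

The order of checks matters: the secret strength and the algorithm are fixed by the server, not read from the token, and the signature is verified before claims are parsed, so an alg=none or forged token never reaches the claim logic.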
Broken Object Level Authorization and Business Logic Signals
BOLA and IDOR testing involves sequential ID enumeration and active adjacent-ID probing to detect predictable object references. BFLA and privilege escalation checks probe admin endpoints and look for role or permission field leakage in responses. While these tests highlight weak access controls, they do not replace a domain-aware review of business rules in Hanami services. The scanner surfaces findings relevant to authorization enforcement, and you can use these results to guide manual code review and policy refinement. Findings align with security controls described in frameworks such as SOC 2 Type II and PCI-DSS 4.0.
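To make the adjacent-ID signal and its limits concrete, here is an added example written for this page, not middleBrick's or Hanami's code. It stands in for a Hanami action serving GET /invoices/:id with plain lambdas (no Hanami gem required), in a vulnerable and a hardened form, and runs the kind of adjacent-ID probe a black-box scanner performs. The INVOICES table, the users and the hypothetical probe_adjacent helper are all constructed for the example.

```ruby
# Added example, not middleBrick's or Hanami's code: an in-memory stand-in for a
# Hanami action serving GET /invoices/:id, vulnerable and hardened, plus the
# adjacent-ID probe a scanner runs against it. All records are constructed data.

INVOICES = {
  100 => { "id" => 100, "owner" => "alice", "total" => 120.0 },
  101 => { "id" => 101, "owner" => "bob",   "total" => 89.5 },
  102 => { "id" => 102, "owner" => "alice", "total" => 40.0 },
  103 => { "id" => 103, "owner" => "carol", "total" => 310.0 }
}.freeze

# Vulnerable: the lookup is keyed on the id alone, so any authenticated caller can
# read any invoice. The caller is authenticated but never authorized.
VULNERABLE_SHOW = lambda do |_current_user, id|
  record = INVOICES[id]
  record ? [200, record] : [404, { "error" => "not_found" }]
end

# Hardened: the lookup is scoped to the caller, which is where the ownership check
# belongs. A record the caller does not own answers 404 exactly like a missing one,
# so the status code does not confirm that the object exists.
HARDENED_SHOW = lambda do |current_user, id|
  record = INVOICES[id]
  if record && record["owner"] == current_user
    [200, record]
  else
    [404, { "error" => "not_found" }]
  end
end

# Adjacent-ID probe. Given one credential set and one id the caller is known to
# reach, request the neighbouring ids with the same credentials and report those
# that answer 200 with a different body. The scanner has no ownership model, so a
# hit is a BOLA signal to triage, not proof: ids the caller legitimately owns are
# reported too, and separating them is the domain-aware review the text calls for.
def probe_adjacent(show, user, known_id, radius: 2)
  status, baseline = show.call(user, known_id)
  raise "baseline request for id #{known_id} did not return 200" unless status == 200
  ((known_id - radius)..(known_id + radius)).each_with_object([]) do |id, hits|
    next if id == known_id
    st, body = show.call(user, id)
    hits << id if st == 200 && body != baseline
  end
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable: #{probe_adjacent(VULNERABLE_SHOW, 'alice', 100, radius: 3).inspect}"
  puts "hardened:   #{probe_adjacent(HARDENED_SHOW, 'alice', 100, radius: 3).inspect}"
end
```

Run as alice with id 100 and radius 3, the vulnerable handler yields hits for 101, 102 and 103; the hardened handler still reports 102, because alice owns it and the probe cannot tell. That residual hit is exactly why the page says these findings guide a manual review rather than replace it.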
OpenAPI Contract Validation and Runtime Coverage
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 specifications with recursive $ref resolution, then cross-references the spec against runtime behaviour. This can identify undefined security schemes, sensitive fields exposed in documentation, deprecated operations, and missing pagination hints in the specs you publish for Hanami APIs. For authenticated scans, Bearer, API key, Basic auth, and Cookie methods are supported, with domain verification required so that credentials are only ever sent to hosts you control. Header allowlisting restricts forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-*, preserving safe probe boundaries.
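The contract checks above depend on $ref resolution: a sensitive field hidden behind a reference is invisible until the reference is expanded. The following is an added example written for this page, not middleBrick's or Hanami's code, that resolves local $ref pointers recursively, audits the resolved document for the problems the paragraph lists, and applies the header allowlist to a set of user-supplied headers. The SPEC hash, the helper names (resolve_pointer, deref, audit, forwardable_headers) and the finding wording are all assumptions made for the example.

```ruby
# Added example, not middleBrick's or Hanami's code: a minimal OpenAPI 3.x audit with
# recursive $ref resolution, plus the header allowlist for authenticated scans.
# SPEC and the header set in the test are constructed sample input.

SPEC = {
  "openapi" => "3.1.0",
  "components" => {
    "securitySchemes" => { "bearerAuth" => { "type" => "http", "scheme" => "bearer" } },
    "parameters" => { "Page" => { "name" => "page", "in" => "query", "schema" => { "type" => "integer" } } },
    "schemas" => {
      "Customer" => { "type" => "object", "properties" => { "name" => { "type" => "string" }, "ssn" => { "type" => "string" } } },
      "Invoice" => { "type" => "object", "properties" => { "id" => { "type" => "integer" },
                                                            "customer" => { "$ref" => "#/components/schemas/Customer" } } }
    }
  },
  "paths" => {
    "/invoices" => { "get" => { "operationId" => "listInvoices", "security" => [{ "bearerAuth" => [] }],
                                "parameters" => [{ "$ref" => "#/components/parameters/Page" }] } },
    "/invoices/{id}" => { "get" => { "operationId" => "showInvoice", "security" => [{ "legacyKey" => [] }] } },
    "/reports" => { "get" => { "operationId" => "listReports", "deprecated" => true, "security" => [{ "bearerAuth" => [] }] } }
  }
}.freeze

# Resolve one local JSON Pointer (RFC 6901 escaping); a dangling pointer raises KeyError.
def resolve_pointer(root, ref)
  raise ArgumentError, "only local refs are handled: #{ref}" unless ref.start_with?("#/")
  ref.delete_prefix("#/").split("/").reduce(root) do |node, token|
    key = token.gsub("~1", "/").gsub("~0", "~")
    node.is_a?(Array) ? node.fetch(Integer(key)) : node.fetch(key)
  end
end

# Recursively replace every {"$ref" => ...} with its target. A pointer already on the
# current chain is left in place so a self-referential schema cannot recurse forever.
def deref(root, node, chain = [])
  case node
  when Hash
    if node.key?("$ref")
      ref = node["$ref"]
      return node if chain.include?(ref)
      return deref(root, resolve_pointer(root, ref), chain + [ref])
    end
    node.transform_values { |v| deref(root, v, chain) }
  when Array then node.map { |v| deref(root, v, chain) }
  else node
  end
end

SENSITIVE_FIELDS = %w[ssn password secret card_number].freeze
PAGINATION_PARAMS = %w[page limit offset cursor].freeze
HTTP_METHODS = %w[get post put patch delete].freeze

# Walk the resolved document and return JSON-pointer paths of sensitive properties.
def sensitive_fields(node, path = "#")
  hits = []
  if node.is_a?(Hash) && node["properties"].is_a?(Hash)
    (node["properties"].keys & SENSITIVE_FIELDS).each { |k| hits << "#{path}/properties/#{k}" }
  end
  children = case node
             when Hash then node.to_a
             when Array then node.each_with_index.map { |v, i| [i, v] }
             else []
             end
  children.each { |k, v| hits.concat(sensitive_fields(v, "#{path}/#{k}")) }
  hits
end

# Cross-check every operation against the resolved components.
def audit(spec)
  resolved = deref(spec, spec)
  schemes = (resolved.dig("components", "securitySchemes") || {}).keys
  findings = []
  resolved.fetch("paths", {}).each do |path, item|
    item.each do |method, op|
      next unless HTTP_METHODS.include?(method)
      label = "#{method.upcase} #{path}"
      Array(op["security"]).flat_map(&:keys).uniq.each do |s|
        findings << "#{label}: security scheme '#{s}' is not defined" unless schemes.include?(s)
      end
      findings << "#{label}: deprecated operation is still served" if op["deprecated"]
      if method == "get" && !path.end_with?("}")                  # collection endpoint
        names = Array(op["parameters"]).map { |p| p["name"] }
        findings << "#{label}: list endpoint has no pagination parameter" if (names & PAGINATION_PARAMS).empty?
      end
    end
  end
  findings + sensitive_fields(resolved).map { |p| "sensitive field documented at #{p}" }
end

# Header allowlist for authenticated scans: only credential headers and X-Custom-* are
# forwarded to the target; any other user-supplied header is dropped.
FORWARDABLE = %w[authorization x-api-key cookie].freeze
def forwardable_headers(headers)
  headers.select do |name, _|
    n = name.downcase
    FORWARDABLE.include?(n) || n.start_with?("x-custom-")
  end
end

puts audit(SPEC) if $PROGRAM_NAME == __FILE__
```

Against the sample spec the audit reports the undefined legacyKey scheme on GET /invoices/{id}, the deprecated and unpaginated GET /reports, and the ssn field twice: once in Customer and once inside Invoice, where it is only visible after the $ref is resolved.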
LLM and AI Security Testing
The scanner includes specific testing for LLM and AI-related risks, executing 18 adversarial probes across Quick, Standard, and Deep tiers. These probes cover system prompt extraction, instruction override attempts, DAN and roleplay jailbreaks, data exfiltration strategies, cost exploitation, encoding bypasses, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool-abuse patterns, nested instruction injection, and PII extraction. This helps you understand how your API might be abused when used as part of an AI workflow. Results provide remediation guidance rather than attempting automated fixes.