42Crunch for Hapi
What middleBrick covers
- Black-box scanning with no agents or SDK dependencies
- Detection of authentication and authorization misconfigurations
- Analysis of OpenAPI specs against runtime findings
- Authenticated scanning with domain verification
- Identification of data exposure and privacy risks
- Support for CI/CD integration and continuous monitoring
Overview of API Security for Hapi
Hapi provides structured routing, schema-based validation, and a rich plugin ecosystem for building APIs. Applications that integrate third-party services or consume external data expose endpoints that must be evaluated for common security weaknesses. This scanner examines runtime behavior to identify issues such as missing authentication on routes, unsafe exposure of internal fields, and improper error handling, without requiring access to source code.
How the Scanner Evaluates Hapi Applications
The scanner interacts with your Hapi API through the public interface only, using read-only HTTP methods to probe routes and inspect responses. It tests authentication schemes, parameter handling, and server responses to detect deviations from secure defaults. For applications using plugins for CORS, validation, or logging, findings are mapped to the corresponding runtime behavior rather than implementation specifics.
OpenAPI specifications describing Hapi routes can be analyzed to cross-check defined security schemes and operations against observed findings, highlighting inconsistencies such as undefined security requirements or deprecated paths.
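The cross-check described above can be illustrated with a small piece of JavaScript. This is an added example, not the scanner's own logic: it resolves each operation's effective security requirement from a constructed OpenAPI document, then compares it with constructed unauthenticated-probe results. The observation records are assumed to be already normalized to the spec's templated paths (e.g. `/users/{id}`), and the finding names are this example's own.

```javascript
// Added example (not the scanner's or Hapi's code): cross-check an OpenAPI
// document against runtime observations. Spec and observations are constructed.
const spec = {
  openapi: '3.0.3',
  security: [{ bearerAuth: [] }], // document-level default requirement
  components: { securitySchemes: { bearerAuth: { type: 'http', scheme: 'bearer' } } },
  paths: {
    '/users/{id}': {
      get: { security: [{ bearerAuth: [] }] },
      delete: { security: [{ bearerAuth: [] }] },
    },
    '/health': { get: { security: [] } },            // explicitly public
    '/legacy/export': { get: { deprecated: true } }, // inherits the global requirement
    '/reports': { get: { security: [{ apiKeyAuth: [] }] } }, // scheme never defined
  },
};

// Constructed unauthenticated probe results: status returned with no credentials.
const observed = [
  { method: 'GET', path: '/users/{id}', unauthenticatedStatus: 200 },
  { method: 'DELETE', path: '/users/{id}', unauthenticatedStatus: 401 },
  { method: 'GET', path: '/health', unauthenticatedStatus: 200 },
  { method: 'GET', path: '/legacy/export', unauthenticatedStatus: 401 },
  { method: 'GET', path: '/reports', unauthenticatedStatus: 401 },
  { method: 'GET', path: '/admin/metrics', unauthenticatedStatus: 200 }, // not in spec
];

const HTTP_METHODS = ['get', 'put', 'post', 'delete', 'options', 'head', 'patch', 'trace'];

// An operation-level `security` array overrides the document-level default.
function effectiveSecurity(doc, op) {
  return op.security !== undefined ? op.security : (doc.security || []);
}

// `[]` means public; an empty requirement object `{}` makes auth optional,
// so only a list of non-empty requirements actually enforces authentication.
function requiresAuth(securityRequirements) {
  return securityRequirements.length > 0 &&
    securityRequirements.every((req) => Object.keys(req).length > 0);
}

function crossCheck(doc, observations) {
  const findings = [];
  const schemes = (doc.components && doc.components.securitySchemes) || {};
  const lookup = new Map(observations.map((o) => [`${o.method.toUpperCase()} ${o.path}`, o]));
  const documented = new Set();

  for (const [path, pathItem] of Object.entries(doc.paths || {})) {
    for (const method of HTTP_METHODS) {
      const op = pathItem[method];
      if (!op) continue;
      const key = `${method.toUpperCase()} ${path}`;
      documented.add(key);
      const security = effectiveSecurity(doc, op);

      // Security requirement that references a scheme the spec never defines.
      for (const req of security) {
        for (const name of Object.keys(req)) {
          if (!(name in schemes)) findings.push({ kind: 'undefined-security-scheme', key, scheme: name });
        }
      }

      const obs = lookup.get(key);
      if (!obs) continue;
      // Spec says the operation is protected, but the probe got a success status.
      if (requiresAuth(security) && obs.unauthenticatedStatus < 400) {
        findings.push({ kind: 'unauthenticated-access-to-protected-operation', key });
      }
      // Deprecated operation that the server still serves (anything but 404).
      if (op.deprecated && obs.unauthenticatedStatus !== 404) {
        findings.push({ kind: 'deprecated-operation-still-served', key });
      }
    }
  }
  // Routes observed at runtime that the spec does not document at all.
  for (const o of observations) {
    const key = `${o.method.toUpperCase()} ${o.path}`;
    if (!documented.has(key)) findings.push({ kind: 'undocumented-route', key });
  }
  return findings;
}

console.log(crossCheck(spec, observed));
```

The `requiresAuth` rule matters in practice: a spec that lists `security: [{}]` (or appends `{}` to its alternatives) makes authentication optional, and a reviewer who only checks for the presence of a `security` key will miss that.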
Findings Relevant to Hapi Security Posture
Findings are grouped into categories aligned to the OWASP API Top 10 (2023), focusing on behaviors observable during black-box testing. Examples include authentication bypass attempts on login routes, IDOR indicators through predictable identifiers in Hapi resources, and over-exposure of data in JSON responses that violates the principle of least privilege.
The scanner also surfaces risky configurations such as wildcard CORS rules combined with credentials, dangerous HTTP methods left enabled, and verbose error messages that may aid reconnaissance. Each finding includes remediation guidance tailored to Hapi patterns, such as tightening route-level policies and validating authorization within plugin hooks.
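The route-level configuration issues named in the two paragraphs above (routes without required authentication, wildcard CORS combined with credentials, catch-all methods) can also be caught before deployment by linting the route table a Hapi application registers. The following is an added example, not the scanner's or Hapi's code: the route objects mirror the shape `server.route()` accepts (`options.auth`, `options.cors`), the `defaults` argument stands in for the server's `routes` defaults and default auth strategy, and the finding names, the public-path allow-list and the `jwt` strategy name are this example's own assumptions. A risky table is shown beside a hardened one.

```javascript
// Added example (not the scanner's or Hapi's code): static lint of a Hapi-style
// route table. `defaults` models server-level route defaults (cors) and the
// server's default auth strategy; both route tables below are constructed.
const handler = () => 'ok';

// Resolve the effective auth mode of a route: 'none', 'required', 'optional' or 'try'.
function authMode(route, defaults) {
  const auth = route.options && route.options.auth !== undefined ? route.options.auth : defaults.auth;
  if (auth === false || auth === undefined || auth === null) return 'none';
  if (typeof auth === 'string') return 'required'; // strategy name, mode defaults to required
  return auth.mode || 'required';
}

// Resolve the effective CORS config: null when disabled, otherwise an object.
function corsConfig(route, defaults) {
  const cors = route.options && route.options.cors !== undefined ? route.options.cors : defaults.cors;
  if (!cors) return null;
  if (cors === true) return { origin: ['*'], credentials: false }; // Hapi's cors defaults
  return cors;
}

function lintRoutes(routes, defaults = {}, publicPaths = []) {
  const findings = [];
  for (const route of routes) {
    const methods = [].concat(route.method).map((m) => String(m).toUpperCase());
    for (const method of methods) {
      const id = `${method} ${route.path}`;
      if (method === '*') findings.push({ kind: 'catch-all-method', route: id });
      if (authMode(route, defaults) !== 'required' && !publicPaths.includes(route.path)) {
        findings.push({ kind: 'route-without-required-auth', route: id });
      }
      const cors = corsConfig(route, defaults);
      if (cors && cors.credentials === true) {
        const origins = cors.origin === 'ignore' ? ['*'] : [].concat(cors.origin || ['*']);
        if (origins.includes('*')) findings.push({ kind: 'wildcard-cors-with-credentials', route: id });
      }
    }
  }
  return findings;
}

// Risky table: unauthenticated resource route with credentialed wildcard CORS,
// an admin route that only *tries* auth, and a catch-all method with no auth.
const riskyRoutes = [
  { method: 'GET', path: '/health', options: { auth: false }, handler },
  { method: 'GET', path: '/users/{id}',
    options: { auth: false, cors: { origin: ['*'], credentials: true } }, handler },
  { method: ['GET', 'POST'], path: '/admin/export',
    options: { auth: { strategy: 'jwt', mode: 'try' } }, handler },
  { method: '*', path: '/legacy/{any*}', handler },
];
const riskyDefaults = { cors: true }; // no server-wide default auth strategy

// Hardened table: explicit public allow-list, required strategy everywhere else,
// CORS credentials only for a named origin, no catch-all route.
const hardenedRoutes = [
  { method: 'GET', path: '/health', options: { auth: false }, handler },
  { method: 'GET', path: '/users/{id}',
    options: { auth: 'jwt', cors: { origin: ['https://app.example.com'], credentials: true } }, handler },
  { method: ['GET', 'POST'], path: '/admin/export',
    options: { auth: { strategy: 'jwt', mode: 'required', scope: ['admin'] } }, handler },
];
const hardenedDefaults = { auth: 'jwt', cors: true };

console.log(lintRoutes(riskyRoutes, riskyDefaults, ['/health']));
console.log(lintRoutes(hardenedRoutes, hardenedDefaults, ['/health']));
```

Running the lint as a CI step over the same route definitions the application registers gives an early signal for the class of findings the scanner reports at runtime; the runtime scan remains the authority for what is actually exposed, since plugins and server-level defaults can change behaviour that a static table does not show.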
Authenticated Scanning and Route Protection
Authenticated scanning is available to verify protections on routes that require tokens or cookies. The scanner validates that authorization headers are handled consistently and that sensitive endpoints are not exposed to unauthenticated access.
Domain verification ensures that only the domain owner can run authenticated scans. The scanner forwards a limited set of headers, including Authorization and custom identifiers, while excluding unrelated client metadata that does not contribute to security assessment.
Limitations and Complementary Practices
This scanner does not perform active injection testing or simulate complex business logic attacks that require domain knowledge. It does not replace manual review of Hapi route trees, plugin interactions, or server-side caching strategies.
It does not detect blind SSRF or out-of-band data exfiltration paths. Security teams should complement scanning with code review, formal threat modeling, and targeted penetration tests for high-risk services.