42Crunch for Koa
What middleBrick covers
- Black-box scanning with no agents or SDK integration
- Read-only methods and text-only LLM probe support
- Authentication testing for Bearer, API key, Basic, and cookie
- Detection of OWASP API Top 10 (2023) categories
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
- Continuous monitoring and diff detection across scans
Overview and scope against Koa
This scanner evaluates public-facing API surfaces using read-only methods and does not require code access or agents. It supports any framework or language, including Koa, because it interacts only with the runtime behavior of the endpoints.
Koa-specific detection considerations
Koa applications often rely on custom middleware for routing and authentication, which can affect scan coverage. The scanner sends read-only requests and inspects the responses to assess the controls that are actually in effect at runtime. It checks whether security-sensitive headers set by Koa middleware, such as Content-Security-Policy or Strict-Transport-Security, are present and correctly configured; Koa itself emits none of these, so they exist only if middleware adds them. It also probes for common misconfigurations such as wildcard CORS (Access-Control-Allow-Origin: *) in Koa applications and validates that error responses avoid leaking stack traces that could expose internal implementation details.
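The middleware below, added here as an example and not code from middleBrick or the Koa project, shows the Koa-side fixes for the three checks just described: a header-setting middleware, a CORS allowlist instead of a wildcard, and an outer error boundary that keeps stack traces out of responses. The function names (securityHeaders, corsAllowlist, errorBoundary, runChain), the header values, the allowed origin and the failing route are assumptions for the demo; runChain is a minimal stand-in for koa-compose so the file runs without the koa package installed.

```javascript
'use strict';

// Added example (not middleBrick's or Koa's own code). Names, header values,
// the allowed origin and the failing route are assumptions for the demo.

// Response headers the scanner checks for. Koa core sets none of these itself.
function securityHeaders() {
  return async (ctx, next) => {
    ctx.set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
    ctx.set('Content-Security-Policy', "default-src 'none'; frame-ancestors 'none'");
    ctx.set('X-Content-Type-Options', 'nosniff');
    ctx.set('Referrer-Policy', 'no-referrer');
    await next();
  };
}

// CORS with an explicit origin allowlist. "*" (or echoing any Origin) is the
// wildcard misconfiguration the scanner flags. A non-listed origin gets no
// Access-Control-Allow-Origin header at all, so the browser blocks the read.
function corsAllowlist(origins) {
  const allowed = new Set(origins);
  return async (ctx, next) => {
    ctx.set('Vary', 'Origin'); // response depends on Origin; keep caches honest
    const origin = ctx.get('Origin');
    if (origin && allowed.has(origin)) {
      ctx.set('Access-Control-Allow-Origin', origin);
      ctx.set('Access-Control-Allow-Credentials', 'true');
      ctx.set('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
      ctx.set('Access-Control-Allow-Headers', 'Authorization, Content-Type');
    }
    if (ctx.method === 'OPTIONS') { // answer preflight without reaching the route
      ctx.status = 204;
      return;
    }
    await next();
  };
}

// Outermost error boundary: the client gets a generic body, the stack trace
// goes to the server log only. Register this first so it wraps everything.
function errorBoundary(log) {
  return async (ctx, next) => {
    try {
      await next();
    } catch (err) {
      log(err.stack || String(err));
      const status = Number.isInteger(err.status) ? err.status : 500;
      ctx.status = status;
      ctx.body = { error: status >= 500 ? 'Internal Server Error' : err.message };
    }
  };
}

// Minimal koa-compose equivalent over a constructed ctx, so the file runs
// without the koa package. Real Koa supplies ctx and next itself.
function runChain(middlewares, { method = 'GET', headers = {} } = {}) {
  const req = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const ctx = {
    method,
    status: 404,
    body: undefined,
    headers: {}, // response headers, lower-cased like Koa's ctx.response.headers
    get: (name) => req[name.toLowerCase()] || '',
    set: (name, value) => { ctx.headers[name.toLowerCase()] = value; },
  };
  const dispatch = (i) => (middlewares[i] ? middlewares[i](ctx, () => dispatch(i + 1)) : Promise.resolve());
  return dispatch(0).then(() => ctx);
}

// Constructed application chain: the route fails on GET to show that an
// unhandled exception reaches the client only as a generic 500.
const serverLog = [];
const app = [
  errorBoundary((line) => serverLog.push(line)),
  securityHeaders(),
  corsAllowlist(['https://app.example.com']),
  async (ctx) => {
    if (ctx.method === 'GET') throw new Error('ECONNREFUSED 10.0.0.5:5432 (pool.js:42)'); // constructed failure
    ctx.status = 200;
    ctx.body = { ok: true };
  },
];
```

Run `runChain(app, { method: 'GET', headers: { Origin: 'https://evil.example' } })` and the resolved ctx has status 500, a body of `{ error: 'Internal Server Error' }`, the security headers, and no Access-Control-Allow-Origin, while the `pool.js:42` detail appears only in `serverLog`. In a real Koa app the same three factories are passed to `app.use()` in this order, ahead of any router.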
Authentication and authorization against Koa patterns
Many Koa services use bearer tokens, API keys, cookies, or Basic auth, sometimes combined with custom middleware. The scanner tests authentication bypass techniques and JWT misconfigurations, such as acceptance of the none algorithm, weak HS256 secrets, acceptance of expired tokens, missing claims, or sensitive data stored inside claims (a JWT payload is only base64url-encoded, not encrypted). It also checks whether authorization is enforced consistently across routes. This matters in Koa because nothing at the framework or network layer enforces it: a check implemented as middleware protects only the routes that run after it in the app.use() chain, so a route mounted before it, or a router that omits it, is unprotected.
Mapping findings to compliance frameworks
The scanner maps findings to OWASP API Top 10 (2023), SOC 2 Type II, and PCI-DSS 4.0. These mappings help you prepare audit evidence and align with security controls described in those frameworks. For other regulations, the tool surfaces findings relevant to audits and supports evidence collection without claiming certified or guaranteed compliance.
Authenticated scanning requirements for Koa services
When authenticated scanning is enabled, the scanner supports Bearer tokens, API keys, Basic auth, and cookies. Domain verification is required, via either a DNS TXT record or an HTTP well-known file, so that only the domain owner can submit credentials for a target. Only an allowlist of headers is forwarded to the target (Authorization, X-API-Key, Cookie, and X-Custom-* headers); anything else is dropped so unrelated session data is never sent.
Frequently asked questions
- Does this scanner test business logic in Koa apps?
- Answer: It does not detect business logic vulnerabilities, as those require domain context that only your team can validate.
- Can authenticated scans be run against Koa services with OAuth or custom schemes?
- Answer: Only Bearer, API key, Basic auth, and cookies are supported; other schemes require manual validation.
- Does the scanner perform intrusive payloads against Koa endpoints?
- Answer: No, it uses read-only methods and does not run active SQL injection or command injection tests.
- How is scan data handled for Koa-related assessments?
- Answer: Data is deletable on demand, purged within 30 days of cancellation, and never sold or used for model training.