42Crunch for Laravel

What middleBrick covers

  • Black-box scanning with no agents or code access
  • Risk scoring from A to F with prioritized findings
  • Detection of authentication and JWT misconfigurations
  • OpenAPI 3.0/3.1 and Swagger 2.0 spec cross-validation
  • Authenticated scanning with header allowlist controls
  • Continuous monitoring and diff detection across scans

Black-box scanning for Laravel API surfaces

middleBrick is a self-service API security scanner that treats a Laravel application as a black box. You submit the URL of your Laravel API endpoint and, in under a minute, receive a risk score from A to F with prioritized findings. The scanner sends only read-only requests (GET and HEAD), plus text-only POST bodies for its LLM probes, and needs no agents, SDKs, or code access. Because it works purely from the outside, it applies regardless of the underlying language, framework, or cloud hosting, so it covers Laravel APIs deployed in diverse environments.

Detection coverage aligned to OWASP API Top 10 and related frameworks

For Laravel APIs, middleBrick maps each finding to the OWASP API Security Top 10 (2023), which helps when preparing evidence for controls relevant to PCI-DSS 4.0 and SOC 2 Type II. It detects issues common in Laravel deployments such as authentication bypasses, JWT misconfigurations, and misaligned security headers, and it surfaces findings that typically become audit evidence: input validation flaws, rate-limiting misconfigurations, and data exposure such as leaked PII or API keys. It is a scanner, not an auditor; what it gives you is the list of areas that commonly require manual review during a compliance assessment.
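A passive security-header check of the kind described above, run over constructed responses. This is an added example written for this page, not middleBrick's code: the individual checks, the severity weights and the A-to-F thresholds are assumptions chosen to illustrate prioritized findings and letter scoring, and the two sample responses are constructed inline rather than captured from a real host. In a live scan the header dict would come from a read-only GET or HEAD response.

```python
"""Passive security-header audit over HTTP responses (added example; the checks,
weights and A-F thresholds are illustrative assumptions, not middleBrick's rules)."""
import re

# Constructed sample responses, as a scanner would see them from a read-only
# GET/HEAD request to a JSON endpoint. Not captured from any real host.
SAMPLE_RESPONSES = {
    "weak": {
        "Content-Type": "application/json",
        "Server": "nginx/1.18.0",
        "X-Powered-By": "PHP/8.1.2",
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Credentials": "true",
    },
    "hardened": {
        "Content-Type": "application/json",
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "Cache-Control": "no-store",
        "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
        "Access-Control-Allow-Origin": "https://app.example.com",
    },
}

SEVERITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}  # assumed weights
ONE_YEAR = 31536000


def audit_headers(headers):
    """Return (severity, description) findings, highest severity first."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("medium", "Strict-Transport-Security missing"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append(("low", "HSTS max-age shorter than one year"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("low", "X-Content-Type-Options: nosniff missing"))

    if "content-security-policy" not in h:
        findings.append(("low", "Content-Security-Policy missing (matters for HTML error pages)"))

    if "no-store" not in h.get("cache-control", "").lower():
        findings.append(("low", "Cache-Control: no-store missing on API response"))

    # Browsers refuse '*' together with credentials; it still signals that
    # credentialed cross-origin access was intended and is often "fixed" by
    # reflecting the Origin header, which is the dangerous form.
    if (h.get("access-control-allow-origin") == "*"
            and h.get("access-control-allow-credentials", "").lower() == "true"):
        findings.append(("medium", "CORS wildcard origin combined with Allow-Credentials"))

    for name in ("server", "x-powered-by"):
        if re.search(r"\d+\.\d+", h.get(name, "")):
            findings.append(("low", f"{name} header leaks a version string"))

    findings.sort(key=lambda f: SEVERITY_WEIGHT[f[0]], reverse=True)
    return findings


def grade(findings):
    """Map the weighted sum of findings to a letter (thresholds are assumed)."""
    score = sum(SEVERITY_WEIGHT[sev] for sev, _ in findings)
    for limit, letter in ((0, "A"), (2, "B"), (4, "C"), (6, "D")):
        if score <= limit:
            return letter
    return "F"


def scan(headers):
    """Audit one response and return (grade, findings), like a scan report."""
    findings = audit_headers(headers)
    return grade(findings), findings


if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        letter, findings = scan(headers)
        print(f"{label}: grade {letter}")
        for sev, text in findings:
            print(f"  [{sev}] {text}")
```

The weak response collects two medium and five low findings and lands on F; the hardened one produces none and scores A. Everything here is derived from response headers alone, which is why a scanner of this type needs no agent in the Laravel process.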

Authentication and authorization testing specific to Laravel

middleBrick tests the authentication mechanisms most often used in Laravel: Bearer tokens, API keys, Basic auth, and cookie-based sessions. Scans below the Starter tier are limited to public endpoints; authenticated scanning requires domain verification so that only the domain owner can submit credentials for a target. When credentials are provided, the scanner checks token handling and role/permission fields, which can reveal broken function level authorization (BFLA) or privilege escalation. Header forwarding is restricted to Authorization, X-API-Key, Cookie, and X-Custom-* headers, so internal headers are not exposed unnecessarily.
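Two pieces of the authenticated-scan flow above, as an added example (not middleBrick's code): enforcing the header-forwarding allowlist, and inspecting a submitted JWT for weak token handling without verifying its signature. The allowlist entries are the ones named on this page; the JWT heuristics (unsigned token, missing exp or aud, lifetime over 24h, role claims to probe for BFLA, secrets in the payload), the sample tokens, the HMAC secret and the submitted headers are all constructed for illustration.

```python
"""Authenticated-scan helpers (added example, not middleBrick's code): enforce
a header-forwarding allowlist and inspect a supplied JWT for weak handling.
Allowlist entries follow the page; the JWT checks are assumed heuristics."""
import base64
import fnmatch
import hashlib
import hmac
import json

FORWARD_ALLOWLIST = ("authorization", "x-api-key", "cookie", "x-custom-*")


def filter_forwarded_headers(headers):
    """Drop every header whose name does not match the allowlist (case-insensitive)."""
    return {
        name: value
        for name, value in headers.items()
        if any(fnmatch.fnmatchcase(name.lower(), pat) for pat in FORWARD_ALLOWLIST)
    }


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def make_token(header, claims, secret=None):
    """Build a compact JWS as test input: HS256-signed when a secret is given,
    otherwise an unsigned token with an empty signature segment."""
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = ""
    if secret is not None:
        sig = _b64url(hmac.new(secret, signing_input.encode(), hashlib.sha256).digest())
    return signing_input + "." + sig


ROLE_CLAIMS = {"role", "roles", "permissions", "scope", "is_admin"}
SECRET_CLAIMS = {"password", "secret", "ssn"}
MAX_LIFETIME = 24 * 3600  # assumed threshold


def inspect_jwt(token, now):
    """Decode the token WITHOUT verifying it and list handling weaknesses.
    `now` is a Unix timestamp passed in so results are reproducible."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWS (expected three dot-separated segments)"]
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    findings = []
    if str(header.get("alg", "")).lower() == "none" or parts[2] == "":
        findings.append("unsigned token (alg=none or empty signature)")
    if "exp" not in claims:
        findings.append("no exp claim: token never expires")
    elif claims["exp"] <= now:
        findings.append("token already expired")
    elif claims["exp"] - claims.get("iat", now) > MAX_LIFETIME:
        findings.append("lifetime longer than 24h")
    if "aud" not in claims:
        findings.append("no aud claim: token may be replayable against other services")
    for name in sorted(ROLE_CLAIMS & set(claims)):
        findings.append(f"role/permission claim '{name}': verify the server re-checks it (BFLA probe)")
    for name in sorted(SECRET_CLAIMS & set(claims)):
        findings.append(f"sensitive claim '{name}' stored in a base64-readable payload")
    return findings


# Constructed sample inputs; nothing here comes from a real deployment.
NOW = 1_700_000_100
UNSIGNED_TOKEN = make_token({"alg": "none", "typ": "JWT"},
                            {"sub": "42", "role": "admin", "iat": 1_700_000_000})
LONG_LIVED_TOKEN = make_token({"alg": "HS256", "typ": "JWT"},
                              {"sub": "42", "aud": "api", "iat": 1_700_000_000,
                               "exp": 1_700_000_000 + 30 * 86400},
                              secret=b"constructed-test-secret")
SUBMITTED_HEADERS = {
    "Authorization": "Bearer " + LONG_LIVED_TOKEN,
    "X-Custom-Tenant": "acme",
    "X-Forwarded-For": "10.0.0.5",    # internal: must not be forwarded
    "X-Internal-Debug": "1",          # internal: must not be forwarded
}

if __name__ == "__main__":
    print(sorted(filter_forwarded_headers(SUBMITTED_HEADERS)))
    print(inspect_jwt(UNSIGNED_TOKEN, NOW))
    print(inspect_jwt(LONG_LIVED_TOKEN, NOW))
```

Only Authorization and X-Custom-Tenant survive the filter. The unsigned token yields four findings (unsigned, no exp, no aud, and a role claim worth a BFLA probe); the signed 30-day token yields only the lifetime finding. A role claim in a token is not a vulnerability by itself; it is the prompt to check whether the server re-derives authorization from its own records or trusts what the client presents.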

OpenAPI spec analysis and runtime cross-validation

middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 definitions for Laravel projects, resolving $ref references (including recursive ones) to build the declared API surface. It then cross-references the spec against observed runtime behavior, highlighting security schemes that are referenced but never defined, deprecated operations, list endpoints with no pagination, and sensitive fields that are over-exposed in responses. For Laravel APIs this comparison exposes mismatches between documented routes and the endpoints that actually respond, as well as overlooked security schemes that could leave a route reachable without authorization. The tool reports these inconsistencies; it does not correct them.
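The cross-check above, as an added example written for this page rather than middleBrick's parser. It handles OpenAPI 3.x only (not Swagger 2.0), resolves local $ref pointers with a cycle guard so a recursive schema terminates, and flags undeclared security schemes, deprecated operations, array-returning GETs with no pagination parameter, and sensitive field names in response schemas. The spec, the set of routes "observed" at runtime, the pagination parameter names and the sensitive-field pattern are all constructed assumptions.

```python
"""Spec-vs-runtime cross-check for an OpenAPI 3.x document (added example, not
middleBrick's parser). The heuristics for pagination and sensitive fields and
the list of observed routes are assumptions constructed for illustration."""
import re

SENSITIVE = re.compile(r"password|secret|token|api_?key|ssn|card_number", re.I)
PAGINATION_PARAMS = {"page", "per_page", "limit", "offset", "cursor"}
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}

# Constructed OpenAPI 3.0 document. Note the recursive User.manager $ref and
# the /api/users/{id} operation that references an undeclared 'apiKey' scheme.
SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {"User": {"type": "object", "properties": {
            "id": {"type": "integer"},
            "email": {"type": "string"},
            "password_hash": {"type": "string"},
            "manager": {"$ref": "#/components/schemas/User"},
        }}},
    },
    "paths": {
        "/api/users": {"get": {
            "security": [{"bearerAuth": []}],
            "parameters": [{"name": "page", "in": "query", "schema": {"type": "integer"}}],
            "responses": {"200": {"content": {"application/json": {"schema": {
                "type": "array", "items": {"$ref": "#/components/schemas/User"}}}}}}}},
        "/api/users/{id}": {"get": {
            "security": [{"apiKey": []}],
            "parameters": [{"name": "id", "in": "path", "schema": {"type": "integer"}}],
            "responses": {"200": {"content": {"application/json": {"schema": {
                "$ref": "#/components/schemas/User"}}}}}}},
        "/api/legacy/export": {"get": {
            "deprecated": True,
            "security": [{"bearerAuth": []}],
            "responses": {"200": {"content": {"application/json": {"schema": {
                "type": "array", "items": {"type": "string"}}}}}}}},
    },
}

# Constructed "runtime" view: (method, path) pairs that answered during a scan.
OBSERVED_ROUTES = {("GET", "/api/users"), ("GET", "/api/users/{id}"), ("GET", "/api/admin/stats")}


def resolve_ref(spec, ref):
    """Follow a local JSON pointer such as '#/components/schemas/User'."""
    node = spec
    for key in ref.lstrip("#/").split("/"):
        node = node[key]
    return node


def schema_properties(spec, schema, seen=None):
    """Yield every property name reachable from `schema`, following $ref and
    allOf/oneOf/anyOf/items; `seen` stops recursive references from looping."""
    seen = set() if seen is None else seen
    if "$ref" in schema:
        if schema["$ref"] in seen:
            return
        seen.add(schema["$ref"])
        yield from schema_properties(spec, resolve_ref(spec, schema["$ref"]), seen)
        return
    for name, sub in schema.get("properties", {}).items():
        yield name
        yield from schema_properties(spec, sub, seen)
    if "items" in schema:
        yield from schema_properties(spec, schema["items"], seen)
    for combo in ("allOf", "oneOf", "anyOf"):
        for sub in schema.get(combo, []):
            yield from schema_properties(spec, sub, seen)


def analyze(spec, observed_routes):
    """Cross-check declared operations against schemes, schemas and observed routes."""
    declared_schemes = set(spec.get("components", {}).get("securitySchemes", {}))
    f = {k: [] for k in ("undefined_security", "deprecated", "missing_pagination",
                         "sensitive_fields", "undocumented_routes", "unreachable_routes")}
    documented = set()
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip path-level keys such as 'parameters' or 'summary'
            route = f"{method.upper()} {path}"
            documented.add((method.upper(), path))
            for requirement in op.get("security", spec.get("security", [])):
                for scheme in requirement:
                    if scheme not in declared_schemes:
                        f["undefined_security"].append(f"{route}: security scheme '{scheme}' not declared")
            if op.get("deprecated"):
                f["deprecated"].append(route)
            schema = (op.get("responses", {}).get("200", {}).get("content", {})
                      .get("application/json", {}).get("schema"))
            if schema is None:
                continue
            top = resolve_ref(spec, schema["$ref"]) if "$ref" in schema else schema
            query = {p["name"] for p in op.get("parameters", []) + item.get("parameters", [])
                     if p.get("in") == "query"}
            if method == "get" and top.get("type") == "array" and not query & PAGINATION_PARAMS:
                f["missing_pagination"].append(route)
            for field in schema_properties(spec, schema):
                if SENSITIVE.search(field):
                    f["sensitive_fields"].append(f"{route}: exposes '{field}'")
    f["undocumented_routes"] = sorted(f"{m} {p}" for m, p in observed_routes - documented)
    f["unreachable_routes"] = sorted(f"{m} {p}" for m, p in documented - observed_routes)
    return f


if __name__ == "__main__":
    for kind, items in analyze(SPEC, OBSERVED_ROUTES).items():
        print(kind, items)
```

On this input the report names the undeclared apiKey scheme on /api/users/{id}, the deprecated and unpaginated export route, password_hash exposed by both user endpoints, an undocumented /api/admin/stats that responded at runtime, and a documented export route that no longer answers. As on the page, the check only reports; deciding whether /api/admin/stats should exist, and whether password_hash belongs in any response at all, remains a manual review step.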

Limitations and complementary testing practices for Laravel

middleBrick does not fix, patch, or block issues, and it does not perform active SQL injection or command injection testing; both are outside its scope. Business logic vulnerabilities specific to Laravel workflows require human expertise and an understanding of how your application is meant to behave. Blind SSRF and certain infrastructure-level issues are also out of scope. The scanner provides remediation guidance, but for high-stakes audits it should be paired with manual review or a professional assessment, especially where sensitive data or complex authorization flows are involved.

Frequently Asked Questions

Can middleBrick authenticate against protected Laravel endpoints?
Yes, it supports Bearer, API key, Basic auth, and cookies. Authenticated scans require domain verification to ensure only the domain owner can submit credentials.
Does the scanner test for SQL injection on Laravel APIs?
No, it does not perform active SQL injection testing. Those tests send intrusive payloads, which are outside the scope of this tool.
How does OpenAPI analysis improve scanning for Laravel projects?
Parsing OpenAPI definitions allows the scanner to compare declared security schemes and endpoints against runtime behavior, surfacing undefined security schemes and over-exposed fields.
What happens to scan data after cancellation?
Customer scan data is deletable on demand and purged within 30 days of cancellation. It is never sold and is not used for model training.