42Crunch for LLM agent tool exposure audit
What middleBrick covers
- Black-box scanning with no agents or SDKs
- Under-one-minute scan time
- Read-only HTTP methods (plus text-only POST for the LLM probes)
- LLM/AI security adversarial probes
- OpenAPI 3.x and Swagger 2.0 analysis
- Authenticated scanning for Bearer, API key, Basic, Cookie
Scope and approach for LLM agent tool exposure
LLM agent tool exposure arises when agents invoke tools over HTTP: every tool endpoint becomes a surface that can be probed for information disclosure, authorization flaws, and unsafe consumption patterns. MiddleBrick is a black-box API security scanner built for this surface: you submit a URL and it returns a risk score with prioritized findings. It needs no code access or SDK, works with any language or framework, and completes in under a minute using read-only methods plus text-only POST requests for the LLM probes.
Findings map to the OWASP API Top 10 (2023) and cover vectors that matter for agent tools, such as unsafe webhook callbacks, excessive third-party URLs, and authorization leaks. Because the scan is read-only, no destructive payloads are sent; requests to private address ranges, localhost, and cloud metadata addresses are blocked at multiple layers so the scanner cannot be pointed at internal targets.
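The kind of target check such a layer has to make is easy to get wrong, because attackers rarely write 127.0.0.1 plainly. The following is an added example written for this page, not middleBrick's own code: it classifies a URL's host as blocked when it is a loopback, private, link-local (including the 169.254.169.254 metadata address) or unique-local address, after parsing IPv4 literals the way inet_aton does (decimal, octal, hex and shorthand forms) and unwrapping IPv4-mapped IPv6. The hostname blocklist and the network list are assumptions for the example; a real scanner must also resolve every ordinary hostname and re-check the resolved address before connecting, since this function deliberately leaves DNS names alone.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hostnames that resolve to loopback or cloud metadata services. Assumed list for
# this example; other hostnames must be resolved and the result re-checked
# (DNS rebinding, redirects) before the scanner connects.
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal", "metadata", "instance-data"}

BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network, reaches loopback on many stacks
    "10.0.0.0/8",       # RFC 1918
    "100.64.0.0/10",    # shared address space (CGNAT)
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local, includes 169.254.169.254 metadata
    "172.16.0.0/12",    # RFC 1918
    "192.168.0.0/16",   # RFC 1918
    "::1/128",          # IPv6 loopback
    "fc00::/7",         # IPv6 unique local
    "fe80::/10",        # IPv6 link-local
)]


def parse_ipv4_literal(host):
    """Parse IPv4 the way inet_aton does: 1-4 parts, each decimal, octal (0177)
    or hex (0x7f), with the last part filling the remaining bytes. Returns None
    when the string is not an IPv4 literal (for example a DNS name)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", p):
            values.append(int(p, 16))
        elif re.fullmatch(r"0[0-7]*", p):
            values.append(int(p, 8))
        elif re.fullmatch(r"[1-9][0-9]*", p):
            values.append(int(p, 10))
        else:
            return None
    if any(v > 255 for v in values[:-1]) or values[-1] >= 256 ** (5 - len(parts)):
        return None
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    addr = (addr << (8 * (5 - len(parts)))) | values[-1]
    return ipaddress.IPv4Address(addr)


def host_to_ip(host):
    """Return an address object for a literal host, or None if it needs DNS.
    IPv4 is parsed by hand because ipaddress rejects (or, on older Pythons,
    misreads as decimal) the octal and hex forms inet_aton accepts."""
    if ":" in host:
        try:
            return ipaddress.IPv6Address(host)
        except ValueError:
            return None
    return parse_ipv4_literal(host)


def is_blocked_target(url):
    """True if the URL points at a private, loopback, link-local or metadata
    address, or at a blocklisted hostname. urlsplit().hostname lowercases and
    strips IPv6 brackets for us."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host or host in BLOCKED_HOSTNAMES:
        return True  # unparsable URLs are refused rather than fetched
    ip = host_to_ip(host)
    if ip is None:
        return False  # public DNS name: resolve and re-check before connecting
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:7f00:1 is 127.0.0.1 in disguise
    return any(ip in net for net in BLOCKED_NETWORKS)
```

Note that the check is one layer only: a hostname that passes here can still resolve to 169.254.169.254 or flip between answers, so the connection itself has to be pinned to an address that was checked.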
Detection of LLM-related security categories
The scanner evaluates 12 categories aligned to OWASP API Top 10 (2023), including several that map directly to risks from LLM agent tool usage:
- Authentication — multi-method bypass and JWT misconfigurations: alg=none, symmetric HS256 signing (weak-secret and algorithm-confusion risk), expired tokens, and sensitive data in claims.
- SSRF — detection of URL-accepting parameters and body fields, internal IP patterns, and active probes for IP-based filter bypasses.
- Input Validation — CORS wildcard origin (with and without credentials), dangerous HTTP methods, and debug endpoints.
- Data Exposure — PII patterns including email addresses, Luhn-validated card numbers, context-aware SSN detection, and API key formats for AWS, Stripe, GitHub, and Slack.
- Unsafe Consumption — excessive third-party URLs and webhook/callback surface.
- LLM / AI Security — 18 adversarial probes across Quick, Standard, and Deep tiers, targeting system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration, cost exploitation, encoding bypasses, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool abuse, nested instruction injection, PII extraction, and related techniques.
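The JWT checks in the Authentication category are a good illustration of what a read-only scanner can learn from a token it merely observes, and what the one active probe looks like. The block below is an added example for this page, not middleBrick's own implementation: audit_jwt decodes a token without verifying it and flags alg=none, symmetric HS* signing, a missing or past exp, and sensitive or PII-bearing claims; forge_alg_none builds the alg=none replay variant of an observed token, which a correctly configured server must reject. The sensitive-claim list, the finding strings and encode_jwt (used only to construct sample tokens) are assumptions of the example.

```python
import base64
import json
import re
import time

# Claim names whose values should never ride in a bearer token. Assumed list.
SENSITIVE_CLAIM_KEYS = {"password", "passwd", "secret", "ssn", "card_number", "api_key"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def encode_jwt(header, payload, signature=b"opaque"):
    """Assemble a sample token for testing. The signature bytes are arbitrary
    because nothing in this example verifies signatures."""
    segments = [json.dumps(header, separators=(",", ":")).encode(),
                json.dumps(payload, separators=(",", ":")).encode(),
                signature]
    return ".".join(b64url_encode(s) for s in segments)


def audit_jwt(token, now=None):
    """Inspect an observed token without verifying it; return finding strings."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected header.payload.signature"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
    except ValueError:  # binascii.Error, JSONDecodeError and UnicodeDecodeError
        return ["malformed: header or payload is not base64url-encoded JSON"]
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return ["malformed: header and payload must be JSON objects"]
    findings = []
    alg = str(header.get("alg", ""))
    if alg.lower() == "none" or parts[2] == "":
        findings.append("alg=none: token carries no signature")
    elif alg.upper().startswith("HS"):
        findings.append(f"{alg}: symmetric signing, test weak secret and RS->HS confusion")
    exp = payload.get("exp")
    if exp is None:
        findings.append("no exp claim: token never expires")
    elif not isinstance(exp, (int, float)) or exp < now:
        findings.append("exp: token is expired or exp is not a number")
    for key, value in payload.items():
        if key.lower() in SENSITIVE_CLAIM_KEYS:
            findings.append(f"sensitive claim: {key}")
        elif isinstance(value, str) and EMAIL_RE.search(value):
            findings.append(f"PII in claim {key}: email address")
    return findings


def forge_alg_none(token):
    """Build the alg=none replay probe: same claims, header rewritten to
    alg=none, empty signature. A server that honours it skips verification."""
    header_seg, payload_seg, _ = token.split(".")
    header = json.loads(b64url_decode(header_seg))
    header["alg"] = "none"
    forged_header = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    return forged_header + "." + payload_seg + "."
```

The forged token is only ever sent with read-only methods against the same endpoint that accepted the original; a 200 where the original token was required is the finding, and the server's correct behaviour is to reject any token whose alg it did not pin.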
OpenAPI analysis and authenticated scanning
MiddleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution and cross-references the spec against runtime behavior to surface undefined security schemes, sensitive fields, deprecated operations, and missing pagination. Authenticated scans, available at the Starter tier and above, support Bearer, API key, Basic auth, and Cookie credentials and are gated by domain verification (a DNS TXT record or an HTTP well-known file), so only the domain owner can scan with credentials. Forwarded headers are restricted to a strict allowlist: Authorization, X-API-Key, Cookie, and X-Custom-* headers.
Continuous monitoring and integration options
Pro tier adds scheduled rescans every 6 hours, daily, weekly, or monthly, with diff detection that highlights new findings, resolved findings, and score drift. Alerts are delivered by email and rate-limited to one per hour per API; HMAC-SHA256-signed webhooks are also supported and are auto-disabled after 5 consecutive delivery failures. Integration options include a web dashboard for trend tracking and branded compliance PDFs, a CLI via the middlebrick npm package with JSON or text output, a GitHub Action for CI/CD gating that fails the build when the score drops below a threshold, and an MCP Server for use with AI coding assistants.
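A signed webhook only helps if the receiver actually checks the signature, and does so without the two classic mistakes: comparing with == (timing leak) and accepting an old delivery replayed verbatim. The block below is an added example for this page, not middleBrick's own format or code; the header names, the sha256= prefix and the "<timestamp>.<raw body>" signing string are assumptions, so adapt them to whatever the sender documents.

```python
import hashlib
import hmac
import time

# Header names, the "sha256=" prefix and the "<timestamp>.<body>" signing string are
# assumptions for this example; the page does not document middleBrick's format.
SIG_HEADER = "X-Signature"
TS_HEADER = "X-Timestamp"
MAX_SKEW_SECONDS = 300


def sign_payload(secret, timestamp, body):
    """HMAC-SHA256 over "<timestamp>.<raw body>", hex-encoded. Binding the
    timestamp into the MAC stops an attacker re-using an old signature on a
    fresh timestamp."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def build_headers(secret, body, timestamp=None):
    """Sender side: the headers attached to one webhook delivery."""
    ts = int(time.time()) if timestamp is None else timestamp
    return {TS_HEADER: str(ts), SIG_HEADER: "sha256=" + sign_payload(secret, ts, body)}


def verify_webhook(secret, headers, body, now=None):
    """Receiver side. body must be the raw request bytes, not re-serialized
    JSON. Returns True only for a fresh, correctly signed delivery."""
    now = int(time.time()) if now is None else now
    ts_raw = headers.get(TS_HEADER, "")
    sig = headers.get(SIG_HEADER, "")
    if not ts_raw.isdigit() or not sig.startswith("sha256="):
        return False
    ts = int(ts_raw)
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # stale or replayed delivery
    expected = sign_payload(secret, ts, body)
    # compare_digest, not ==, so a partial match does not leak through timing.
    return hmac.compare_digest(expected, sig[len("sha256="):])
```

Keep the secret out of the repository and rotate it if a receiver is ever compromised; the five-failure auto-disable described above means a receiver that rejects signatures, for example after a rotation it has not picked up, will quietly stop receiving alerts until it is re-enabled.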
What the scanner does not do and limitations
MiddleBrick does not fix, patch, block, or remediate; it detects and reports, with remediation guidance attached to each finding. It does not perform active SQL or command injection testing, since those require intrusive payloads that are out of scope for a read-only scan. It does not detect business logic vulnerabilities or blind SSRF (out-of-band callback infrastructure is not in scope), and it does not replace a human pentester for high-stakes audits. Findings should be interpreted within the context of your architecture and threat model.
Compliance mapping and data handling
MiddleBrick maps findings to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other regulations, findings can serve as audit evidence aligned with the security controls those standards describe; the scanner does not assert certification or compliance. Customer scan data can be deleted on demand and is purged within 30 days of cancellation; it is never sold and is not used for model training.