42Crunch for LoopBack
What middleBrick covers
- Parse OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive ref resolution
- Detect authentication misconfigurations and JWT issues
- Identify BOLA, IDOR, and over-exposed data paths
- Probe LLM/AI security with 18 adversarial jailbreak techniques
- Flag CORS misconfigurations and dangerous HTTP methods
- Provide remediation guidance without performing active exploitation
LoopBack authentication and security schemes mapping
middleBrick scans how LoopBack applications model authentication and authorization. It parses OpenAPI 3.0, 3.1, and Swagger 2.0 definitions with recursive $ref resolution, then cross-references the spec against runtime behavior. The scanner checks whether security schemes such as oauth2 or apiKey are properly declared, whether operations reference undefined security requirements, and whether sensitive data appears in security parameter descriptions. Findings map to controls covered by OWASP API Top 10 and support audit evidence for SOC 2 Type II and PCI-DSS 4.0.
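As an added illustration (not middleBrick's own code), a minimal static pass over a constructed OpenAPI 3.0 document resembling a LoopBack-generated spec: it resolves local $ref pointers recursively, then reports operations that reference a security scheme not declared under components.securitySchemes and operations that carry no security requirement at all. The sample spec, its paths and the helper names are all assumptions made for the example.

```python
# Added example (not middleBrick's code): $ref resolution plus two security-scheme checks.
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
# Constructed sample resembling a LoopBack-generated OpenAPI 3.0 document.
SAMPLE_SPEC = {
    "openapi": "3.0.0",
    "components": {"securitySchemes": {"jwt": {"type": "http", "scheme": "bearer"}}},
    "x-shared": {"orders": {"get": {"responses": {"200": {"description": "ok"}}}}},
    "paths": {
        "/users/{id}": {
            "get": {"security": [{"jwt": []}], "responses": {"200": {"description": "ok"}}},
            # 'apiKey' is referenced here but never declared in securitySchemes
            "patch": {"security": [{"apiKey": []}], "responses": {"200": {"description": "ok"}}},
        },
        "/orders": {"$ref": "#/x-shared/orders"},  # path item via $ref, no security at all
    },
}

def resolve_refs(node, root, depth=0):
    """Recursively replace local JSON-pointer $ref objects with their targets."""
    if depth > 32:  # guard against circular references
        raise ValueError("$ref nesting too deep (circular reference?)")
    if isinstance(node, dict):
        ref = node.get("$ref")
        if isinstance(ref, str) and ref.startswith("#/"):
            target = root
            for part in ref[2:].split("/"):  # undo RFC 6901 escaping
                target = target[part.replace("~1", "/").replace("~0", "~")]
            return resolve_refs(target, root, depth + 1)
        return {k: resolve_refs(v, root, depth) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(v, root, depth) for v in node]
    return node

def audit_security(spec):
    """Return sorted (METHOD, path, message) findings for an OpenAPI 3.x spec."""
    spec = resolve_refs(spec, spec)
    declared = set(spec.get("components", {}).get("securitySchemes", {}))
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            # Operation-level 'security' overrides the global one; [] means none.
            sec = op.get("security", spec.get("security"))
            if not sec:
                findings.append((method.upper(), path, "no security requirement"))
            for scheme in (s for req in sec or [] for s in req):
                if scheme not in declared:
                    findings.append((method.upper(), path, f"undeclared scheme '{scheme}'"))
    return sorted(findings)
```

Running audit_security(SAMPLE_SPEC) flags the PATCH operation for its undeclared 'apiKey' scheme and the GET on /orders for having no security requirement.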
BOLA, IDOR, and over-exposed endpoints in LoopBack
LoopBack resources often expose database identifiers directly in URLs. middleBrick detects patterns consistent with BOLA and IDOR by probing sequential and adjacent identifiers using read-only methods (GET and HEAD). It also checks for broken object property level authorization issues, such as internal fields returned in responses or mass-assignment surfaces, and validates whether authorization is enforced consistently across related resource paths. Error and stack-trace leakage is flagged as data exposure, aligned with OWASP API Top 10 categories and useful for SOC 2 Type II audit evidence.
Input validation, CORS, and HTTP method risks
The scanner reviews CORS configurations for wildcard origins, with and without credentials, which can undermine browser-based protections. Dangerous HTTP methods such as TRACE and OPTIONS are flagged when enabled, and debug endpoints are surfaced as potential information leaks. These findings align with security controls described in OWASP API Top 10 and help you prepare for PCI-DSS requirements related to input validation and transport hardening.
LLM and AI security probes for LoopBack APIs
When you run a Standard or Deep scan, middleBrick executes 18 adversarial probes targeting LLM and AI security. These include system prompt extraction, instruction override attempts, DAN and roleplay jailbreaks, data exfiltration patterns, token smuggling, and nested instruction injection delivered through translation-embedded or few-shot poisoning techniques. The scanner reports these findings with remediation guidance and does not send destructive payloads.
Authenticated scanning requirements and limitations
To test authenticated endpoints in LoopBack, you can supply Bearer tokens, API keys, Basic auth, or cookies. Domain verification is enforced via DNS TXT record or an HTTP well-known file, ensuring only the domain owner can scan with credentials. Header forwarding is limited to Authorization, X-API-Key, Cookie, and X-Custom-*. Note that business logic vulnerabilities and blind SSRF are out of scope; the scanner detects issues but does not fix, patch, block, or remediate.