42Crunch for API marketplace listing prep
What middleBrick covers
- Black-box scanning with scans completing in under one minute
- Risk scoring from A to F with prioritized findings
- Coverage of 12 categories aligned to OWASP API Top 10
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with ref resolution
- Authenticated scanning with strict header allowlist
- LLM security probes across Quick, Standard, and Deep tiers
Purpose and scope of API security scanning
This tool is a self-service API security scanner designed to surface risks before an API enters production or a marketplace listing is finalized. Submit a URL to receive a risk score from A to F with prioritized findings. The scanner operates as a black-box solution, requiring no agents, no code access, and no SDK integration. It supports any language, framework, or cloud target and completes most scans in under a minute using read-only methods (GET and HEAD) and text-only POST for LLM probes.
Detection coverage aligned to major standards
The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023). By design it maps findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). Detection areas include authentication bypass and JWT misconfigurations, broken object level authorization and IDOR, broken function level authorization and privilege escalation, property authorization and over-exposure, input validation issues such as CORS misconfigurations and dangerous methods, rate limiting and resource consumption, data exposure including PII and API key leakage, encryption and transport security, SSRF indicators, inventory management concerns, unsafe consumption surfaces, and LLM/AI security across Quick, Standard, and Deep scan tiers.
OpenAPI analysis is included for specifications in OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, cross-referencing spec definitions against runtime findings such as undefined security schemes and deprecated operations.
Authenticated scanning and safe operation
Authenticated scanning is available in the Starter tier and above, supporting Bearer, API key, Basic auth, and Cookie credentials. Domain verification via DNS TXT record or an HTTP well-known file ensures only the domain owner can scan with credentials. The scanner enforces a strict header allowlist, forwarding only Authorization, X-API-Key, Cookie, and X-Custom-* headers. All scanning is read-only, with destructive payloads never sent. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer data is deletable on demand and purged within 30 days of cancellation, and it is never sold or used for model training.
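The two safe-operation controls described above, a strict header allowlist and a block on private, loopback and cloud-metadata targets, as an added example that is not middleBrick's own code. The metadata hostnames and the redirect/DNS caveats are assumptions about common practice, not details taken from the product.

```python
"""Added example (not the product's implementation): enforce the header
allowlist and refuse scan targets that point at internal infrastructure."""
import ipaddress
from urllib.parse import urlparse

# Exact header names the page says are forwarded, plus the X-Custom-* prefix.
ALLOWED_EXACT = {"authorization", "x-api-key", "cookie"}
ALLOWED_PREFIX = "x-custom-"

# Cloud metadata endpoints (assumed list for illustration, not from the page).
METADATA_HOSTS = {"metadata.google.internal", "169.254.169.254", "fd00:ec2::254"}


def filter_headers(headers: dict) -> dict:
    """Return only allowlisted headers; anything else is silently dropped.
    Matching is case-insensitive, and a bare 'X-Custom-' prefix with no
    suffix is not accepted."""
    kept = {}
    for name, value in headers.items():
        lname = name.strip().lower()
        is_custom = lname.startswith(ALLOWED_PREFIX) and len(lname) > len(ALLOWED_PREFIX)
        if lname in ALLOWED_EXACT or is_custom:
            kept[name] = value
    return kept


def is_blocked_target(url: str) -> bool:
    """True if the URL names localhost, a private/link-local/reserved address
    or a known metadata host. Only literal hosts are checked here; a real
    scanner must also check every resolved address and re-check after each
    redirect, otherwise a public hostname can still lead inside (assumption:
    DNS resolution and redirect handling live elsewhere in the pipeline)."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host or host == "localhost" or host.endswith(".localhost"):
        return True
    if host in METADATA_HOSTS:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # public hostname: resolve and re-check before connecting
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)
```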
Product integrations and continuous monitoring
The Web Dashboard centralizes scans, reports, score trends, and downloadable branded compliance PDFs. The CLI, published as an npm package, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action enables CI/CD gating, failing the build when the score drops below a chosen threshold. An MCP Server allows scans from AI coding assistants such as Claude and Cursor. The API client supports custom integrations for programmatic access.
Pro tier adds continuous monitoring with scheduled rescans every 6 hours, daily, weekly, or monthly. It provides diff detection across scans, highlighting new findings, resolved findings, and score drift. Email alerts are rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks can be disabled automatically after 5 consecutive delivery failures. Enterprise tier offers unlimited APIs, custom rules, SSO, audit logs, an SLA, and dedicated support.
Limitations and compliance framing
The scanner does not fix, patch, block, or remediate findings; it detects and reports with remediation guidance. It does not perform active SQL injection or command injection testing, which requires intrusive payloads outside its scope. It does not detect business logic vulnerabilities, blind SSRF relying on out-of-band infrastructure, or replace a human pentester for high-stakes audits. These gaps require complementary processes and expert review.
For regulatory frameworks, the tool helps you prepare by aligning its findings with the security controls those regulations describe. It surfaces findings relevant to audit evidence and supports due diligence, but it is not an auditor and cannot certify compliance. Do not interpret its output as a guarantee of any regulatory outcome.