42Crunch for OAuth providers
What middleBrick covers
- Black-box OAuth provider scanning with no agents or SDKs
- Detection of JWT misconfigurations and authentication bypass risks
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with recursive reference resolution
- Authenticated scans with domain verification and header allowlists
- LLM adversarial probes for authorization surface testing
- Compliance mapping to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10
OAuth Provider Security Assessment Scope
middleBrick scans OAuth providers using black-box techniques that focus on the provider surface exposed to clients. The scanner evaluates authorization endpoints, token endpoints, and configuration endpoints without code access, supporting Bearer, API key, Basic auth, and Cookie authentication when domain verification is completed. Read-only operations are the default, and destructive payloads are never executed.
Detection Coverage for Common OAuth Misconfigurations
The scanner evaluates 12 security categories aligned to the OWASP API Top 10 (2023) relevant to OAuth providers. Key coverage includes:
- Authentication bypass risks, including JWT misconfigurations such as alg=none, weak key usage, expired tokens, missing claims, and exposure of sensitive data in claims.
- Over-exposure of internal fields and mass-assignment surfaces in userinfo and token responses.
- Input validation gaps, including CORS wildcard usage with credentials and dangerous HTTP methods on provider endpoints.
- Rate-limiting header detection and oversized response handling that may indicate resource consumption risks.
- Data exposure patterns such as API key formats, PII leakage, and error or stack-trace disclosure that may aid attackers.
- SSRF indicators, including URL-accepting parameters in authorization callbacks and internal IP resolution attempts.
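The JWT misconfiguration checks listed above (alg=none, expired tokens, missing claims, sensitive data in claims) can be approximated offline with a small claim linter. This is an added example, not middleBrick's scanner code; the finding codes, the required-claim list and the sensitive-claim names are assumptions chosen for illustration, and the sample token is constructed inside the block.

```python
import base64
import json
import time

# Assumed policy for this example: claims a token body should never carry,
# and the registered claims an OAuth provider is expected to emit.
SENSITIVE_CLAIM_NAMES = {"password", "secret", "ssn", "credit_card", "api_key"}
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "iat")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def inspect_jwt(token: str, now=None) -> list:
    """Return finding codes for a JWT without verifying its signature.

    This is a configuration lint from the observer's side, not a validation
    step: it flags unsigned tokens, shared-secret algorithms that merit a key
    review, expired tokens, missing registered claims and sensitive claims.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["MALFORMED_TOKEN"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON all subclass ValueError
        return ["MALFORMED_TOKEN"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["MALFORMED_TOKEN"]
    findings = []
    alg = str(header.get("alg", "")).lower()
    if alg in ("", "none"):
        findings.append("ALG_NONE")        # token carries no signature to check
    elif alg.startswith("hs"):
        findings.append("SYMMETRIC_ALG")   # HMAC: secret strength must be reviewed
    if parts[2] == "":
        findings.append("EMPTY_SIGNATURE")
    findings += [f"MISSING_CLAIM:{c}" for c in REQUIRED_CLAIMS if c not in claims]
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and exp < now:
        findings.append("EXPIRED")
    findings += [f"SENSITIVE_CLAIM:{c}" for c in claims if c.lower() in SENSITIVE_CLAIM_NAMES]
    return findings


def encode_sample_token(header: dict, claims: dict) -> str:
    """Build a constructed, unsigned test token (header.payload. with empty signature)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}."
```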
For OpenAPI-defined providers, the scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution and cross-references spec definitions against runtime observations to highlight undefined security schemes or deprecated operations.
Authenticated Scanning and Domain Verification
Authenticated scanning is available in the Starter tier and above for endpoints that require credentials. Supported methods include Bearer tokens, API keys, Basic auth, and Cookies. Before scanning with credentials, the domain verification gate must pass through either a DNS TXT record check or an HTTP well-known file check, so that only the domain owner can submit authenticated scans.
Header forwarding is restricted to Authorization, X-API-Key, Cookie, and X-Custom-* headers. This constraint limits the attack surface during assessment and ensures that scan traffic remains controlled and observable.
Compliance Mapping and Reporting
Findings map directly to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). Reports include prioritized findings with risk scores from A to F, remediation guidance, and exportable compliance PDFs that can be used as audit evidence.
The dashboard supports trend tracking across scans, and the Pro tier adds scheduled rescans, diff detection for new and resolved findings, and score drift analysis. Email alerts are rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks can notify external systems with auto-disable after five consecutive failures.
LLM and AI Security Probing for OAuth Contexts
The scanner includes LLM-specific probes that assess how OAuth-related endpoints respond to adversarial inputs. These checks are part of the LLM / AI Security category and cover system prompt extraction, instruction override attempts, DAN and roleplay jailbreaks, data exfiltration probes, cost exploitation, and encoding bypass techniques such as base64 and ROT13.
Testing tiers include Quick, Standard, and Deep, with methodical probing designed to surface prompt-injection risks and token-smuggling attempts that could affect authorization flows or token validation logic. No active exploitation or destructive actions are performed.