42Crunch for Partner APIs
What middleBrick covers
- Black-box API scanning with read-only GET and HEAD methods
- Risk scoring from A to F with prioritized findings
- Detection aligned to OWASP API Top 10 (2023) and related frameworks
- Authenticated scanning with domain ownership verification
- Continuous monitoring and diff detection in Pro tier
- Integration via CLI, GitHub Action, MCP Server, and API client
Scanning partner-facing APIs with black-box methodology
middleBrick is a self-service API security scanner designed for external and partner-facing endpoints. You submit a URL and receive a risk score from A to F along with prioritized findings in under a minute. The scan is black-box: it requires no agents, no code access, and no SDK integration, and it works with any language, framework, or cloud environment. It uses read-only methods such as GET and HEAD, with text-only POST for LLM probes, so no destructive operations are performed against your services.
Detection coverage aligned to OWASP API Top 10 and related frameworks
The scanner evaluates 12 security categories aligned to OWASP API Top 10 (2023). It maps findings to this standard to validate controls relevant to common API risks. Detection coverage includes:
- Authentication bypass, JWT misconfigurations such as alg=none or expired tokens, and security header compliance.
- BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing.
- BFLA and privilege escalation through admin endpoint probing and role/permission leakage.
- Property authorization issues like over-exposure and mass-assignment surface.
- Input validation checks for CORS wildcard usage, dangerous HTTP methods, and debug endpoints.
- Rate limiting and resource consumption signals including rate-limit headers and oversized responses.
- Data exposure patterns such as emails, Luhn-validated card numbers, SSN-like context, and API key formats.
- Encryption misconfigurations including HTTPS redirects, HSTS, and cookie flags.
- SSRF indicators involving URL-accepting parameters and internal IP probing.
- Inventory management issues like missing versioning and legacy paths.
- Unsafe consumption surfaces, including excessive third-party URLs and webhook endpoints.
- LLM and AI security probes spanning multiple tiers to test system prompt extraction, jailbreak techniques, and token smuggling.
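Two of the passive checks listed above, JWT inspection (alg=none and expired tokens) and Luhn-validated card number detection, illustrated as an added example. This is not middleBrick's code; the finding tags, the masking format, and the constructed sample body are assumptions made for the example.

```javascript
// Added example, not middleBrick's code: two passive checks of the kind the
// detection list describes, run over constructed sample data.
//   1. JWT inspection that flags alg=none headers and expired tokens.
//   2. Luhn-validated card number detection in a response body, with the
//      number masked so the finding itself does not leak it.

// base64url helpers (Node >= 15.7 supports the "base64url" encoding).
function encodeSegment(obj) {
  return Buffer.from(JSON.stringify(obj), "utf8").toString("base64url");
}
function decodeSegment(seg) {
  try {
    return JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));
  } catch {
    return null;
  }
}

// Inspect a compact JWT found in a response or header. `now` is Unix
// seconds and is injectable for testing. Returns { parsed, alg, findings }
// where findings is a list of issue tags (tag names are made up here).
function inspectJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    return { parsed: false, alg: null, findings: ["not-compact-jws"] };
  }
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  if (!header || !payload) {
    return { parsed: false, alg: null, findings: ["undecodable-segment"] };
  }
  const findings = [];
  const alg = typeof header.alg === "string" ? header.alg : null;
  if (alg !== null && alg.toLowerCase() === "none") findings.push("alg-none");
  if (typeof payload.exp === "number" && payload.exp < now) findings.push("expired");
  return { parsed: true, alg, findings };
}

// Luhn checksum over a string of ASCII digits.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Find 13-19 digit runs (spaces or dashes allowed between digits) and keep
// only those that pass Luhn, which drops order ids, timestamps and the like.
// Each hit is returned masked: first 6 and last 4 digits visible.
function findCardNumbers(body) {
  const re = /\b(?:\d[ -]?){12,18}\d\b/g;
  const hits = [];
  for (const m of body.matchAll(re)) {
    const digits = m[0].replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      hits.push(digits.slice(0, 6) + "*".repeat(digits.length - 10) + digits.slice(-4));
    }
  }
  return hits;
}

// Constructed sample response body: one Luhn-valid test number and one
// 13-digit order id that fails Luhn and must not be reported.
const SAMPLE_BODY = JSON.stringify({
  order: "1234567890123",
  payment: { card: "4111 1111 1111 1111" },
});

// Constructed sample: an unsigned token (empty signature segment) that
// expired at t=100, inspected at t=200.
const SAMPLE_TOKEN =
  encodeSegment({ alg: "none", typ: "JWT" }) + "." +
  encodeSegment({ sub: "user-1", exp: 100 }) + ".";

console.log(inspectJwt(SAMPLE_TOKEN, 200).findings); // [ 'alg-none', 'expired' ]
console.log(findCardNumbers(SAMPLE_BODY));           // [ '411111******1111' ]
```

The card check matches on structure first and validates with Luhn second; a scanner that only matched digit runs would flag order ids and Unix timestamps, which is the false-positive class the "Luhn-validated" wording in the list is addressing.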
For OpenAPI specifications, the parser supports OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution. It cross-references spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination.
Authenticated scanning and safety controls
Authenticated scanning is available from the Starter tier and above, supporting Bearer, API key, Basic auth, and Cookie credentials. A domain verification gate, such as a DNS TXT record or an HTTP well-known file, ensures that only the domain owner can scan with credentials. The scanner forwards a restricted set of headers, including Authorization, X-API-Key, Cookie, and X-Custom-* headers.
The safety posture is built around read-only operations. Destructive payloads are never sent, and infrastructure blocks private IPs, localhost, and cloud metadata endpoints at multiple layers. Customer scan data can be deleted on demand and is purged within 30 days of cancellation. It is not used for model training or sold to third parties.
Product features and integration options
The platform provides several interfaces for consuming scan capabilities:
- Web Dashboard for scanning, viewing reports, tracking score trends, and downloading branded compliance PDFs.
- CLI via the middlebrick npm package using the command middlebrick scan <url> with JSON or text output.
- GitHub Action to act as a CI/CD gate that fails the build when the score drops below a defined threshold.
- MCP Server for integration with AI coding assistants such as Claude and Cursor.
- API client for programmatic access to enable custom integrations.
Continuous monitoring in the Pro tier supports scheduled rescans every 6 hours, daily, weekly, or monthly. It provides diff detection across scans to highlight new findings, resolved findings, and score drift. Alerts are rate-limited to one per hour per API and can be delivered by email, Slack, or Teams. HMAC-SHA256 signed webhooks are included with auto-disable after 5 consecutive failures.
Limitations and compliance framing
middleBrick is a scanning tool and does not fix, patch, block, or remediate issues. It provides prioritized findings and remediation guidance but does not perform active SQL injection or command injection testing, which requires intrusive payloads outside its scope. It does not detect business logic vulnerabilities or blind SSRF that relies on out-of-band infrastructure, and it does not replace human pentesters for high-stakes audits.
For compliance, findings can help you prepare for controls described in PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). The tool surfaces findings relevant to audit evidence for other frameworks and supports alignment with security controls, but it is not an auditor and cannot certify compliance.