42Crunch for Phoenix
What middleBrick covers
- Black-box scanning with no agents or code access
- Scan time under one minute for most assessments
- 12 categories aligned to OWASP API Top 10
- OpenAPI 3.x and Swagger 2.0 spec parsing
- Authenticated scanning with domain verification
- Continuous monitoring and diff detection
How middleBrick maps findings to OWASP API Top 10
middleBrick scans align findings with the OWASP API Top 10 (2023) to help you contextualize risk. The scanner categorizes issues across authentication, authorization, input validation, and data exposure, assigning each finding a grade from A to F with prioritized remediation guidance.
Black-box testing examines runtime behavior without code access, ensuring coverage of authentication bypass, JWT misconfigurations such as alg=none, and security header misalignment. This approach surfaces issues relevant to the framework without requiring intrusive testing.
OpenAPI spec parsing compares declared definitions against observed behavior, highlighting undefined security schemes and deprecated operations. The scanner tracks deviations like missing pagination or unexpected parameter exposure that may increase the attack surface.
For LLM-facing endpoints, dedicated adversarial probes evaluate prompt extraction, instruction override, and token smuggling across multiple depth tiers. This helps you understand how model-integrated APIs may respond to manipulation attempts.
Reports include concrete evidence such as response headers, status codes, and matched patterns, enabling engineers to trace each flagged item back to the specific API interaction that triggered it.
Authentication and authorization coverage in Phoenix contexts
The scanner evaluates authentication resilience across multiple methods, including Bearer tokens, API keys, Basic auth, and cookie-based flows. It checks for JWT misconfigurations such as missing claims, expired timestamps, and weak algorithms, which are common when security defaults are not explicitly enforced.
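As an added illustration of the JWT checks described above (example code, not middleBrick's own), the following Node.js function decodes a token's header and payload without verifying the signature and reports alg=none, an algorithm outside an assumed allowlist, missing claims, and expiry; the allowlist, the required claim set, and the sample tokens are assumptions constructed for the example:

```javascript
// Added example, not middleBrick's code: decode a JWT's header and payload
// (no signature verification) and report the misconfigurations a black-box
// scanner would grade. The allowlist and required claims are assumptions.
const ALLOWED_ALGS = new Set(['RS256', 'PS256', 'ES256', 'HS256']);
const REQUIRED_CLAIMS = ['iss', 'sub', 'exp'];

// base64url segment -> parsed JSON object (throws on malformed input)
function decodeSegment(segment) {
  const value = JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
  if (value === null || typeof value !== 'object') throw new Error('not an object');
  return value;
}

// Returns human-readable findings; an empty list means nothing was flagged.
function auditJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return ['malformed: expected three segments'];
  let header, payload;
  try {
    header = decodeSegment(parts[0]);
    payload = decodeSegment(parts[1]);
  } catch (err) {
    return ['malformed: header or payload is not base64url JSON'];
  }
  const findings = [];
  // "none" in any casing, or an empty signature segment, means the token is unsigned
  if (String(header.alg).toLowerCase() === 'none' || parts[2] === '') {
    findings.push('alg=none or empty signature');
  } else if (!ALLOWED_ALGS.has(header.alg)) {
    findings.push(`non-allowlisted alg: ${header.alg}`);
  }
  for (const claim of REQUIRED_CLAIMS) {
    if (!(claim in payload)) findings.push(`missing claim: ${claim}`);
  }
  if (typeof payload.exp === 'number' && payload.exp <= nowSeconds) {
    findings.push('token expired');
  }
  return findings;
}

// Builds constructed sample tokens; the signature is a placeholder string
function buildToken(header, payload, signature = 'sig') {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc(header)}.${enc(payload)}.${signature}`;
}

// Constructed demo: an unsigned token that also lacks issuer and expiry claims
console.log(auditJwt(buildToken({ alg: 'none', typ: 'JWT' }, { sub: 'user-1' }, ''), 1700000000));
```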
BOLA and IDOR checks probe sequential and adjacent identifier patterns, detecting endpoints that leak internal keys or accept tampered path parameters. In Phoenix applications, where routing often maps directly to resource IDs, these checks reveal whether authorization checks are consistently applied.
BFLA and privilege escalation probes target admin routes and role/permission fields, looking for endpoints that expose administrative functionality without adequate access control. This is relevant when Phoenix pipelines do not uniformly enforce authorization plugs.
Property authorization scanning identifies over-exposed fields and mass-assignment surfaces, including internal columns that should remain hidden. The scanner flags responses that return sensitive data structures not intended for broader consumption.
Authenticated scanning requires domain verification via a DNS TXT record or a file served at a well-known URL path, ensuring that only domain owners can submit credentials. Header allowlists restrict forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-* to limit exposure during assessment.
Input validation, rate control, and data exposure
Input validation checks include CORS wildcard detection with and without credentials, dangerous HTTP methods, and debug endpoint exposure. These help identify configurations that may weaken boundary defenses in a Phoenix API.
Rate limiting and resource consumption probes inspect response headers, oversized payloads, and unpaginated arrays that could lead to denial of service or excessive compute usage. This supports capacity planning and defensive design.
Data exposure detection covers PII patterns such as email addresses, Luhn-validated card numbers, and context-aware SSN formats. The scanner also identifies API key leaks for AWS, Stripe, GitHub, and Slack, along with stack trace and error message leakage that may aid further reconnaissance.
Encryption checks validate HTTPS redirects, HSTS presence, and secure cookie flags, ensuring transport protections are consistently applied. Mixed content issues are flagged when secure pages load insecure resources.
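As an added example of the response checks described in this section (example code, not middleBrick's own), this Node.js function grades a single captured response for a CORS wildcard combined with credentials, a missing HSTS header, Set-Cookie values without Secure or HttpOnly, and Luhn-validated card numbers in the body; the sample response is constructed for the example:

```javascript
// Added example, not middleBrick's code: run several header and data-exposure
// checks over one captured HTTP response. The sample response is constructed.
function luhnValid(digits) {
  if (digits.length < 13 || digits.length > 19) return false;
  let sum = 0, double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d; double = !double;
  }
  return sum % 10 === 0;
}

// headers: object keyed by lowercase header name; Set-Cookie given as an array
function auditResponse({ headers, body }) {
  const findings = [];
  const acao = headers['access-control-allow-origin'];
  const acac = (headers['access-control-allow-credentials'] || '').toLowerCase();
  // Browsers refuse "*" with credentials, so the pair signals a misconfiguration
  if (acao === '*') {
    findings.push(acac === 'true' ? 'CORS wildcard with credentials' : 'CORS wildcard origin');
  }
  if (!headers['strict-transport-security']) findings.push('missing HSTS');
  for (const cookie of [].concat(headers['set-cookie'] || [])) {
    const name = cookie.split('=')[0].trim();
    const attrs = cookie.split(';').slice(1).map((a) => a.trim().toLowerCase());
    if (!attrs.includes('secure')) findings.push(`cookie ${name} lacks Secure`);
    if (!attrs.includes('httponly')) findings.push(`cookie ${name} lacks HttpOnly`);
  }
  // 13-19 digit runs with optional spaces/dashes, kept only if they pass Luhn
  const candidates = body.match(/\b(?:\d[ -]?){13,19}\b/g) || [];
  for (const candidate of candidates) {
    const digits = candidate.replace(/[ -]/g, '');
    if (luhnValid(digits)) findings.push(`Luhn-valid card number ending ${digits.slice(-4)}`);
  }
  return findings;
}

// Constructed response (not a real capture): the "ref" value fails Luhn on purpose
const SAMPLE_RESPONSE = {
  headers: {
    'access-control-allow-origin': '*',
    'access-control-allow-credentials': 'true',
    'set-cookie': ['_app_key=abc123; Path=/; HttpOnly'],
  },
  body: JSON.stringify({ id: 7, card: '4111 1111 1111 1111', ref: '1234567890123' }),
};

console.log(auditResponse(SAMPLE_RESPONSE));
```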
SSRF probes target URL-accepting parameters and body fields, checking for internal IP detection and common bypass patterns. These checks are designed to surface configuration risks without performing intrusive network tests.
OpenAPI spec analysis and integration feedback
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. This allows the scanner to cross-reference declared security schemes with observed runtime behavior, highlighting mismatches such as undefined schemes or missing required scopes.
Spec-driven checks compare documented endpoints against actual responses, identifying undefined operations, deprecated paths, and missing pagination controls. This is valuable for teams maintaining large APIs where documentation can drift from implementation.
When authentication is provided, the scanner validates domain ownership through DNS or file-based verification before testing protected routes. This ensures that assessments remain scoped to authorized targets.
Header forwarding is limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers, reducing the risk of accidental credential propagation through intermediary systems.
The output includes structured details such as confidence levels, affected endpoints, and remediation steps, enabling precise triage within existing development workflows.
Deployment options and continuous monitoring
The scanner is delivered as a self-service tool with no agents, SDKs, or code access required. It works across any language, framework, or cloud environment, making it suitable for heterogeneous Phoenix deployments.
Scan duration is under one minute for most assessments, using read-only methods such as GET and HEAD, plus text-only POST for LLM probes. No destructive payloads are ever sent, and private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers.
The CLI supports on-demand assessments with JSON or text output, integrating easily into scripts or local workflows. The npm package is distributed separately, keeping operational dependencies explicit.
Pro tier features include scheduled rescans every six hours, daily, weekly, or monthly, with diff detection to highlight new findings, resolved items, and score drift over time.
Enterprise tiers add custom rules, SSO, audit logs, and SLA-backed support. Customer data is deletable on demand and purged within 30 days of cancellation. It is never sold or used for model training.