42Crunch for Ruby on Rails
What middleBrick covers
- Black-box API scanning with risk scoring A to F
- Detection aligned to OWASP API Top 10, PCI-DSS, SOC 2
- OpenAPI 3.x and Swagger 2.0 parsing with $ref resolution
- Authenticated scans with header allowlist and domain verification
- Continuous monitoring with scheduled rescans and diff detection
- CI/CD integration via GitHub Action and MCP server support
42Crunch overview and scope
42Crunch is a self-service API security scanner that accepts a target URL and returns a risk score from A to F along with prioritized findings. It operates as a black-box scanner, requiring no agents, code access, or SDK integration, and supports any language, framework, or cloud. Scans typically complete in under one minute using read-only methods such as GET and HEAD, with text-only POST reserved for LLM probes. Findings are mapped to OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II; for other standards, the tool aligns with their security controls by detecting issues and surfacing evidence, not by certifying compliance.
Detection coverage for Ruby on Rails APIs
When scanning Rails-based APIs, the tool evaluates how well runtime behavior aligns with the framework's defaults and security middleware. Detection covers authentication bypass attempts, JWT misconfigurations such as alg=none or HS256 without proper key validation, and security header compliance including WWW-Authenticate handling. It probes for BOLA and IDOR via sequential ID enumeration and active adjacent-ID checks, and assesses BFLA and privilege escalation through admin endpoint probing and role/permission field leakage. Input validation checks cover CORS wildcard usage with and without credentials, dangerous HTTP methods, and debug endpoints. SSRF probes target URL-accepting parameters and body fields, including active attempts to identify internal IP bypasses, while inventory checks flag missing versioning and the legacy path patterns common in Rails routing.
OpenAPI analysis and authenticated scanning
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution and cross-references spec definitions against runtime observations. This comparison highlights undefined security schemes, sensitive fields exposed by the API, deprecated operations, and missing pagination that may contribute to data exposure. Authenticated scans support Bearer tokens, API keys, Basic auth, and cookies. Credentialed scans are gated by domain verification: only the domain owner, proven by a DNS TXT record or an HTTP well-known file, can run them. The scanner forwards only a restricted allowlist of headers, specifically Authorization, X-API-Key, Cookie, and X-Custom-*, to minimize credential exposure.
Continuous monitoring and integrations
The Pro tier enables scheduled rescans at intervals of 6 hours, daily, weekly, or monthly, with diff detection to surface new findings, resolved findings, and score drift over time. Email alerts are rate-limited to one per hour per API; webhooks are signed with HMAC-SHA256 and automatically disabled after five consecutive delivery failures. The tool integrates into existing workflows via a web dashboard for report viewing and trend tracking, a CLI available as an npm package with JSON or text output, a GitHub Action that can fail CI/CD builds when scores fall below a set threshold, and an MCP server for use with AI coding assistants. An API client allows custom integrations, and compliance evidence can be downloaded as branded PDFs for audit purposes.
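A signed webhook only helps if the receiver actually verifies it. The Ruby below is an added example, not middleBrick's own client code, showing how a Rails-side endpoint would check an HMAC-SHA256 delivery. The header names (X-Webhook-Timestamp, X-Webhook-Signature), the "timestamp.body" signing input, the hex encoding and the 300-second replay window are all assumptions, since the page does not document the signature format.

```ruby
require "openssl"
require "json"

# Verifies a webhook delivery signed with HMAC-SHA256.
# Assumed scheme (not documented on the page): the sender puts a Unix
# timestamp in X-Webhook-Timestamp and hex(HMAC-SHA256(secret, "ts.body"))
# in X-Webhook-Signature. Signing the timestamp with the body lets the
# receiver reject replayed deliveries as well as tampered ones.
module WebhookVerifier
  TOLERANCE = 300 # accepted clock skew / replay window, in seconds

  def self.signature_for(secret, timestamp, body)
    OpenSSL::HMAC.hexdigest("SHA256", secret, "#{timestamp}.#{body}")
  end

  # Constant-time comparison so the check does not leak how many leading
  # bytes of a forged signature happened to match.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Returns true only for a well-formed, fresh, correctly signed delivery.
  def self.valid?(secret:, body:, headers:, now: Time.now.to_i)
    ts  = headers["X-Webhook-Timestamp"].to_s
    sig = headers["X-Webhook-Signature"].to_s
    return false unless ts.match?(/\A\d+\z/) && sig.match?(/\A\h{64}\z/)
    return false if (now - ts.to_i).abs > TOLERANCE
    secure_compare(signature_for(secret, ts, body), sig)
  end
end

# Constructed sample delivery for demonstration; not a real middleBrick payload.
SECRET      = "example-webhook-secret"
SAMPLE_TS   = 1_700_000_000
SAMPLE_BODY = JSON.generate(api: "https://api.example.test", score: "B", new_findings: 2)

def sample_headers(body = SAMPLE_BODY, ts = SAMPLE_TS)
  {
    "X-Webhook-Timestamp" => ts.to_s,
    "X-Webhook-Signature" => WebhookVerifier.signature_for(SECRET, ts, body)
  }
end

if $PROGRAM_NAME == __FILE__
  puts WebhookVerifier.valid?(secret: SECRET, body: SAMPLE_BODY,
                              headers: sample_headers, now: SAMPLE_TS + 5)
end
```

In a Rails controller the raw body comes from request.raw_post; verify before parsing the JSON, and treat a failed check as a 401 without logging the body.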
Limitations and safety posture
middleBrick does not fix, patch, block, or remediate findings; it detects and reports them with remediation guidance. It does not perform active SQL injection or command injection tests, as those require intrusive payloads outside its scope. Business logic vulnerabilities are not detected, as they demand domain context best handled by human experts, and blind SSRF is out of scope because the scanner has no out-of-band infrastructure. The scanner does not replace a human pentester for high-stakes audits. Safety measures include read-only methods only, blocking of destructive payloads, and filtering of private IPs, localhost, and cloud metadata endpoints at multiple layers. Customer data is deletable on demand, purged within 30 days of cancellation, and is neither sold nor used for model training.