42Crunch for Sinatra
What middleBrick covers
- Black-box scanning with no agents or SDK dependencies
- Read-only methods, with scan time under one minute
- 12 OWASP API Top 10 (2023) coverage categories
- OpenAPI 3.x and Swagger 2.0 parsing with ref resolution
- LLM adversarial probe suite for AI security testing
- Pro tier continuous monitoring and alerting
Overview of API security for Sinatra
Sinatra encourages minimalism, which can leave default security surfaces exposed when endpoints, parameters, and headers are not explicitly constrained. The scanner evaluates your running service using read-only methods to map authentication requirements, parameter handling, error messages, and security headers without making changes.
Because Sinatra does not enforce a strict project structure, routes can be defined inline, reused across files, or mounted as engines, and the framework may rely on third-party middleware for authentication and rate control. This flexibility increases integration risk and can produce an inconsistent security posture across routes.
middleBrick maps findings to OWASP API Top 10 (2023) and supports audit evidence for SOC 2 Type II and PCI-DSS 4.0 when used as part of a broader control program. The tool does not perform active injection tests and does not replace a human assessment of business logic.
Authentication and authorization coverage
Sinatra applications often rely on before filters to enforce authentication, and missing or misconfigured filters can allow access to admin or sensitive routes. The scanner checks for authentication bypass methods, JWT misconfigurations such as alg=none or HS256 usage, expired tokens, missing claims, and sensitive data placed in token payloads.
It validates the presence and correctness of security headers and WWW-Authenticate compliance, and it probes for authorization issues like BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing. Privilege escalation tests include admin endpoint probing and checks for role or permission field leakage that can enable BFLA.
Authenticated scanning requires domain verification and supports Bearer, API key, Basic auth, and Cookie methods. Only a limited set of headers is forwarded, and credentials are used only for read-only exploration of protected routes.
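The JWT failure modes listed above (alg=none, an unexpected HS256 token, expired tokens, missing claims) can be rejected in one place that a Sinatra before filter calls. This is an added example, not middleBrick or Sinatra code: `verify_jwt`, `make_token`, the RS256 pinning, the required claim set and the issuer URL are assumptions.

```ruby
require "openssl"
require "base64"
require "json"

# verify_jwt and make_token are hypothetical helpers for this example,
# not part of Sinatra or middleBrick.
REQUIRED_CLAIMS = %w[sub exp iss].freeze

def b64url(data)
  Base64.urlsafe_encode64(data, padding: false)
end

# Returns [claims, nil] on success or [nil, reason] on rejection.
def verify_jwt(token, public_key, issuer:, now: Time.now.to_i)
  parts = token.to_s.split(".", -1)
  return [nil, "malformed"] unless parts.length == 3
  header, claims = parts.first(2).map { |p| JSON.parse(Base64.urlsafe_decode64(p)) }
  return [nil, "malformed"] unless header.is_a?(Hash) && claims.is_a?(Hash)
  # Pin the algorithm server-side; the token header never selects it.
  return [nil, "alg not allowed: #{header['alg']}"] unless header["alg"] == "RS256"
  signature = Base64.urlsafe_decode64(parts[2])
  ok = public_key.verify(OpenSSL::Digest.new("SHA256"), signature, "#{parts[0]}.#{parts[1]}")
  return [nil, "bad signature"] unless ok
  missing = REQUIRED_CLAIMS - claims.keys
  return [nil, "missing claims: #{missing.join(',')}"] unless missing.empty?
  return [nil, "expired"] if claims["exp"].to_i <= now
  return [nil, "wrong issuer"] unless claims["iss"] == issuer
  [claims, nil]
rescue JSON::ParserError, ArgumentError, OpenSSL::PKey::PKeyError
  [nil, "malformed"]
end

# Builds constructed test tokens; key = nil produces an unsigned token.
def make_token(header, claims, key = nil)
  signed = "#{b64url(header.to_json)}.#{b64url(claims.to_json)}"
  sig = key ? key.sign(OpenSSL::Digest.new("SHA256"), signed) : ""
  "#{signed}.#{b64url(sig)}"
end

KEY = OpenSSL::PKey::RSA.new(2048) # throwaway key generated for the demo
GOOD = { "sub" => "42", "iss" => "https://idp.example", "exp" => Time.now.to_i + 300 }.freeze

# In a Sinatra app the call would sit in a before filter, for example:
#   before "/admin/*" do
#     token = request.env["HTTP_AUTHORIZATION"].to_s.sub(/\ABearer /, "")
#     @claims, _err = verify_jwt(token, KEY.public_key, issuer: "https://idp.example")
#     halt 401, { "WWW-Authenticate" => "Bearer" }, "" unless @claims
#   end
```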
Input validation, data exposure, and infrastructure risks
Input validation issues are assessed through CORS wildcard checks (including credentials usage), dangerous HTTP methods, and debug endpoints that should not be present in production. The scanner also detects exposed PII patterns such as email addresses, Luhn-validated card numbers, context-aware SSN formats, and common API key formats for AWS, Stripe, GitHub, and Slack.
Server-side request forgery checks include URL-accepting parameters and body fields, detection of internal IP references, and active probes designed to identify IP-bypass attempts. Infrastructure misconfigurations such as missing HTTPS redirects, absent HSTS, and improper cookie flags are also surfaced alongside error and stack-trace leakage that can aid attackers.
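Several of the passive checks described above (CORS wildcard with credentials, absent HSTS, cookie flags, Luhn-validated card numbers in a response body) can be reproduced against a captured response. This is an added example, not middleBrick's implementation: `audit_response`, `luhn_valid?` and the finding labels are hypothetical, and the sample headers and body are constructed.

```ruby
# Luhn checksum: double every second digit from the right, sum, test mod 10.
def luhn_valid?(digits)
  sum = digits.reverse.each_char.with_index.sum do |ch, i|
    d = ch.to_i
    d *= 2 if i.odd?
    d > 9 ? d - 9 : d
  end
  (sum % 10).zero?
end

# Returns a list of finding labels for one HTTP response.
def audit_response(headers, body)
  h = headers.transform_keys(&:downcase)
  findings = []
  # A wildcard origin combined with credentials is the dangerous CORS pairing.
  if h["access-control-allow-origin"] == "*" &&
     h["access-control-allow-credentials"].to_s.downcase == "true"
    findings << "cors-wildcard-with-credentials"
  end
  findings << "missing-hsts" unless h.key?("strict-transport-security")
  Array(h["set-cookie"]).each do |cookie|
    name = cookie[/\A[^=]+/]
    attrs = cookie.split(";").drop(1).map { |a| a.strip.downcase.split("=").first }
    %w[secure httponly samesite].each do |flag|
      findings << "cookie-#{name}-missing-#{flag}" unless attrs.include?(flag)
    end
  end
  # 13 to 19 digits, optionally grouped by spaces or dashes; Luhn filters
  # out order numbers and other long identifiers.
  body.scan(/\b(?:\d[ -]?){13,19}\b/).each do |candidate|
    findings << "possible-card-number" if luhn_valid?(candidate.delete(" -"))
  end
  findings.uniq
end

# Constructed sample response (4111 1111 1111 1111 is a well-known test number).
SAMPLE_HEADERS = {
  "Access-Control-Allow-Origin" => "*",
  "Access-Control-Allow-Credentials" => "true",
  "Set-Cookie" => ["session=abc123; Path=/; HttpOnly"]
}.freeze
SAMPLE_BODY = '{"order":"1234567890123456","card":"4111 1111 1111 1111"}'.freeze
```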
OpenAPI definitions in 3.0, 3.1, and Swagger 2.0 formats are parsed with recursive $ref resolution, and spec findings are cross-referenced against runtime behavior to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination controls.
LLM and AI security testing
The scanner includes an LLM / AI security module that executes 18 adversarial probes across three scan tiers labeled Quick, Standard, and Deep. These probes target system prompt extraction, instruction override attempts, DAN and roleplay jailbreaks, data exfiltration strategies, cost exploitation techniques, and encoding bypasses using base64 and ROT13.
Additional checks cover translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool-abuse patterns, nested instruction injection, and PII extraction attempts. Each tier increases probe depth to help identify how well model integrations resist manipulation.
These tests are read-only and do not modify models or data. Results are reported with remediation guidance to help developers tighten prompt lifecycle and access controls.
Monitoring, integrations, and scope notes
Continuous monitoring in Pro tier supports scheduled rescans every 6 hours, daily, weekly, or monthly, with diff detection that highlights new findings, resolved findings, and score drift. Alerts are rate-limited to one per hour per API and can be delivered by email, Slack, or Teams.
Integrations include a web dashboard for reports and score trends, a CLI via the middlebrick npm package, a GitHub Action that can fail builds on low scores, and an MCP server for use with coding assistants. An API client enables custom workflows and programmatic access to scan data.
middleBrick is a scanner and does not fix, patch, block, or remediate. It does not perform active SQL injection or command injection tests, does not detect business logic vulnerabilities, and does not replace a human pentester for high-stakes audits. Customer data is deletable on demand and is never used for model training.