42Crunch for SPA backends
What middleBrick covers
- Black-box scanning with no agents or SDK dependencies
- Assessment aligned to OWASP API Top 10 (2023)
- OpenAPI 3.x and Swagger 2.0 parsing with $ref resolution
- Detection of authentication, authorization, and data exposure issues
- Authenticated scanning with header allowlist and domain verification
- Integration options including dashboard, CLI, GitHub Action, and MCP Server
Overview of API security for single-page application backends
Single-page application backends expose REST and GraphQL endpoints that are directly reachable from browsers. These surfaces require continuous security validation because frontend code cannot protect backend logic. middleBrick is a self-service API security scanner that assesses such backends using black-box techniques, without requiring agents, SDKs, or code access.
Mapping findings to compliance frameworks
middleBrick maps findings to three established frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). The scanner also helps you prepare for controls described in other regimes through alignment, for example by supporting audit evidence relevant to ISO 27001 or privacy regulations. No claims of certification or guaranteed compliance are made.
Detection coverage for common backend risks
The scanner covers 12 categories aligned to OWASP API Top 10:
- Authentication: bypasses and JWT misconfigurations, including alg=none and sensitive data in claims.
- Broken Object Level Authorization (BOLA/IDOR): identified via sequential ID enumeration and active adjacent-ID probing.
- Broken Function Level Authorization (BFLA): privilege escalation attempts and property authorization issues such as over-exposure of internal fields.
- Input validation: CORS wildcard usage with credentials, dangerous HTTP methods, and debug endpoints.
- Rate limiting and resource consumption: assessed through header detection and oversized response analysis.
- Data exposure: PII patterns, valid credit card numbers, API key formats, and error or stack-trace leakage.
- Encryption: HTTPS redirects, HSTS, cookie flags, and mixed content.
- SSRF: probes target URL-accepting parameters and body fields, including active attempts to identify internal IPs.
- Inventory management: missing versioning and legacy path patterns.
- Unsafe consumption: surfaces related to third-party URLs and webhook/callback endpoints.
- LLM / AI Security: 18 adversarial probes across Quick, Standard, and Deep tiers, including system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration, cost exploitation, encoding bypasses, injection techniques, token smuggling, and multi-turn manipulation.
OpenAPI analysis and authenticated scanning details
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution. The parser cross-references spec definitions against runtime findings to surface undefined security schemes, sensitive fields, deprecated operations, and missing pagination. Authenticated scanning is available from the Starter tier upward, supporting Bearer, API key, Basic auth, and Cookie methods. Domain verification is enforced through DNS TXT records or an HTTP well-known file to ensure only domain owners can scan with credentials. The scanner forwards a strict header allowlist including Authorization, X-API-Key, Cookie, and X-Custom-* headers.
Product features, limitations, and data handling
The Web Dashboard provides scan management, score trend tracking, and downloadable branded compliance PDFs. The CLI, distributed as the middlebrick npm package, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action can gate CI/CD, failing the build when the score drops below a chosen threshold. The MCP Server enables scanning from AI coding assistants including Claude and Cursor. Continuous monitoring in the Pro tier includes scheduled rescans (every 6 hours, daily, weekly, or monthly), diff detection across scans, and rate-limited email alerts. Webhooks are HMAC-SHA256 signed and auto-disabled after 5 consecutive failures.
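Receiving an HMAC-SHA256 signed webhook only helps if the consumer verifies it correctly. The following is an added example of a receiver-side check, not middleBrick's own code; the header name X-Middlebrick-Signature, the hex encoding of the digest, and the sample secret and payload are assumptions, since the page does not specify the signature format.

```python
"""Added example (not middleBrick's own code): receiver-side verification of an
HMAC-SHA256 signed webhook. Assumptions, not taken from the page: the signature
travels in a header named "X-Middlebrick-Signature" as a lowercase hex digest of
the raw request body, and the shared secret is whatever the dashboard issued."""
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-Middlebrick-Signature"  # assumed header name


def sign_body(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 over the exact bytes received, hex-encoded."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Return True only if a well-formed signature header matches the body.

    Verify against the raw bytes: re-serialising parsed JSON can change
    whitespace or key order and yield a different digest. compare_digest
    is constant-time and handles differing lengths without raising.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    presented = {k.lower(): v for k, v in headers.items()}.get(SIGNATURE_HEADER.lower())
    if not isinstance(presented, str):
        return False
    expected = sign_body(secret, raw_body)
    return hmac.compare_digest(presented.lower(), expected)


# Constructed sample delivery for demonstration (not real data).
SAMPLE_SECRET = b"whsec_constructed_example_secret"
SAMPLE_BODY = json.dumps({"event": "scan.completed", "score": 72}).encode()
SAMPLE_HEADERS = {SIGNATURE_HEADER: sign_body(SAMPLE_SECRET, SAMPLE_BODY)}


def demo() -> dict:
    """Exercise the accept path and three reject paths."""
    tampered = json.dumps({"event": "scan.completed", "score": 99}).encode()
    return {
        "valid": verify_webhook(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_HEADERS),
        "tampered_body": verify_webhook(SAMPLE_SECRET, tampered, SAMPLE_HEADERS),
        "missing_header": verify_webhook(SAMPLE_SECRET, SAMPLE_BODY, {}),
        "wrong_secret": verify_webhook(b"other-secret", SAMPLE_BODY, SAMPLE_HEADERS),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Rejected deliveries should be logged with the source address and header value so that a burst of failures can be distinguished from the sender's own auto-disable after repeated delivery errors.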
The scanner is read-only and never sends destructive payloads. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data is deletable on demand and purged within 30 days of cancellation. It is not sold and is not used for model training.
Limitations include no active exploitation capabilities such as SQL injection or command injection, no detection of business logic vulnerabilities, no blind SSRF detection due to lack of out-of-band infrastructure, and no replacement for a human pentester in high-stakes audits.