Alternatives to 42Crunch on AdonisJS
What middleBrick covers
- Black-box scanning with read-only methods under one minute
- 12 categories aligned to OWASP API Top 10 (2023)
- OpenAPI 3.0/3.1/Swagger 2.0 parsing with $ref resolution
- Authenticated scans with strict header allowlist
- Continuous monitoring and diff detection
- Integrations including CLI, GitHub Action, MCP Server
Black-box scanning for AdonisJS APIs
middleBrick is a self-service API security scanner designed for frameworks including AdonisJS. You submit a URL, and in under a minute you receive a risk score from A to F with prioritized findings. The scanner is black-box: it requires no agents, no code access, and no SDK integration. It supports any language, framework, or cloud, and it only uses read-only methods (GET and HEAD) plus text-only POST for LLM probes.
Detection aligned to OWASP API Top 10 and complementary mappings
The scanner covers 12 categories aligned to the OWASP API Top 10 (2023) and maps findings to that standard as well as to PCI-DSS 4.0 and SOC 2 Type II. For other frameworks and regulations, middleBrick helps you prepare for and align with the security controls they describe, supports audit evidence for your reviews, and surfaces findings relevant to your assessments, without claiming certification or guarantees.
- Authentication — multi-method bypass, JWT misconfigurations (alg=none, HS256, expired, missing claims, sensitive data in claims), security headers, WWW-Authenticate compliance.
- BOLA / IDOR — sequential ID enumeration, active adjacent-ID probing.
- BFLA / Privilege Escalation — admin endpoint probing, role/permission field leakage.
- Property Authorization — over-exposure, internal field leakage, mass-assignment surface.
- Input Validation — CORS wildcard (with and without credentials), dangerous HTTP methods, debug endpoints.
- LLM / AI Security — 18 adversarial probes across Quick, Standard, and Deep tiers, including system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration, and token smuggling.
OpenAPI analysis and authenticated scanning details
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, cross-referencing spec definitions against runtime findings such as undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For authenticated scans (available from Starter tier upward), it supports Bearer, API key, Basic auth, and Cookie methods. Domain verification is enforced through DNS TXT records or an HTTP well-known file, ensuring only the domain owner can scan with credentials. The scanner forwards a strict header allowlist: Authorization, X-API-Key, Cookie, and X-Custom-* headers.
middlebrick scan https://api.example.com --auth-type bearer --token YOUR_TOKEN
Continuous monitoring and integrations
With Pro tier, you can schedule rescans every 6 hours, daily, weekly, or monthly. The scanner provides diff detection across scans to highlight new findings, resolved findings, and score drift, and it sends email alerts rate-limited to 1 per hour per API. HMAC-SHA256 signed webhooks are included, with auto-disable after 5 consecutive failures. The tool integrates via a Web Dashboard for reports and trends, a CLI (middlebrick npm package) with JSON or text output, a GitHub Action for CI/CD gating that fails the build when the score drops below your threshold, and an MCP Server for use with AI coding assistants. An API client enables custom integrations.
Safety posture and explicit limitations
middleBrick operates read-only and never sends destructive payloads. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data is deletable on demand and purged within 30 days of cancellation; it is never sold and never used for model training. Note what the scanner does not do: it does not fix, patch, block, or remediate; it does not perform active SQL injection or command injection; it does not detect business logic vulnerabilities or blind SSRF; and it does not replace a human pentester for high-stakes audits.