Alternatives to 42Crunch on FastAPI
What middleBrick covers
- Black-box scanning with no agents or code access
- Risk score A–F with prioritized findings
- 12 categories aligned to OWASP API Top 10 (2023)
- OpenAPI 3.0/3.1/Swagger 2.0 parsing with $ref resolution
- Authenticated scanning for Bearer, API key, Basic, and Cookie
- Pro continuous monitoring with scheduled rescans
Black-box scanning for FastAPI services
middleBrick is a self-service API security scanner designed for black-box assessments. You submit a target URL and receive a risk score from A to F with prioritized findings. It requires no agents, no SDK integration, and no access to source code, making it applicable to any stack including FastAPI. Scan duration is under one minute, using read-only methods (GET and HEAD) plus text-only POST for LLM probes.
Detection coverage aligned to OWASP API Top 10
The scanner covers 12 categories aligned to OWASP API Top 10 (2023), relevant when evaluating FastAPI implementations. Detection includes authentication bypass attempts and JWT misconfigurations such as alg=none, weak secret choices, expired tokens, missing claims, and sensitive data in claims. It checks security headers and WWW-Authenticate compliance, probes for BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing, and tests for BFLA and privilege escalation through admin endpoint probing and role/permission field leakage.
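The JWT checks above can be reproduced offline against tokens you capture from a FastAPI service. The following is an added example, not middleBrick's code: a stdlib-only checker that flags alg=none (unsigned) tokens, HS256 signatures that verify under a small wordlist of weak secrets, expired tokens, missing standard claims, and sensitive claim names. The wordlist, the required claims, and the sensitive claim names are assumptions chosen for the example; a live scanner would additionally submit a forged alg=none token to the target to see whether the server accepts it, which this snippet does not do.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Wordlist and claim names are assumptions for this example, not middleBrick's.
WEAK_SECRETS = ["secret", "password", "changeme", "123456", "jwt_secret"]
REQUIRED_CLAIMS = {"sub", "exp"}
SENSITIVE_CLAIMS = {"password", "ssn", "email", "credit_card", "secret"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(header: dict, payload: dict, secret: Optional[str]) -> str:
    """Mint a compact JWT; secret=None produces an unsigned alg=none token (for test input)."""
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    if secret is None:
        return signing_input + "."  # empty signature segment
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def check_jwt(token: str, now: Optional[float] = None) -> List[str]:
    """Return human-readable findings for one observed token (empty list means clean)."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
    except (ValueError, json.JSONDecodeError):
        return ["malformed token"]
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return ["malformed token"]
    findings: List[str] = []

    alg = str(header.get("alg", "")).lower()
    if alg == "none" or not sig_b64:
        findings.append("token uses alg=none (unsigned); issuer does not sign tokens")
    elif alg == "hs256":
        # Offline weak-secret check: recompute the HMAC under each candidate secret.
        signing_input = f"{h_b64}.{p_b64}".encode()
        observed = _b64url_decode(sig_b64)
        for candidate in WEAK_SECRETS:
            expected = hmac.new(candidate.encode(), signing_input, hashlib.sha256).digest()
            if hmac.compare_digest(expected, observed):
                findings.append(f"HS256 signed with weak secret {candidate!r}")
                break

    missing = REQUIRED_CLAIMS - set(payload)
    if missing:
        findings.append("missing claims: " + ", ".join(sorted(missing)))
    exp = payload.get("exp")
    if isinstance(exp, (int, float)) and exp < now:
        findings.append("token expired")
    leaked = SENSITIVE_CLAIMS & {k.lower() for k in payload}
    if leaked:
        findings.append("sensitive data in claims: " + ", ".join(sorted(leaked)))
    return findings
```

Run `check_jwt` on an Authorization bearer value captured from the service; a clean HS256 token with a strong secret and `sub`/`exp` claims yields an empty list. Passing `now` explicitly makes the expiry check deterministic in tests.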
Further checks cover property-level authorization (over-exposed object fields), input validation (CORS wildcard origins with and without credentials, dangerous HTTP methods), rate limiting (rate-limit header detection, oversized responses), and data exposure (emails, Luhn-validated card numbers, context-aware SSNs, and API key formats for AWS, Stripe, GitHub, and Slack). It also flags error and stack-trace leakage; transport issues such as HTTPS redirect behavior, HSTS, cookie flags, and mixed content; SSRF indicators in URL-accepting parameters and body fields; inventory issues such as missing versioning and legacy path patterns; unsafe consumption surfaces; and LLM/AI security probes, which run across three scan tiers.
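To make the data-exposure and header checks concrete, here is an added example (not middleBrick's code) that inspects one constructed response body and header set the way a black-box scanner would: email and card-number patterns with a Luhn filter to drop random digit runs, a few well-known API key prefixes, CORS wildcard with and without credentials, advertised dangerous methods, and two missing security headers. The key-format regexes, the `DANGEROUS_METHODS` set, and the sample body are simplified assumptions for this example.

```python
import re
from typing import Dict, List, Tuple

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 14-19 digit runs with optional space/dash separators; Luhn filters the noise.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")
# Key-format patterns are simplified assumptions for this example.
KEY_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b"),
    "github_token": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "slack_token": re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}\b"),
}
DANGEROUS_METHODS = {"TRACE"}  # assumed definition for this example

# Constructed sample response; the AWS key is the documented placeholder value.
SAMPLE_BODY = (
    '{"support": "ops@example.com", "card": "4111 1111 1111 1111", '
    '"order_ref": "1234567890123456", "debug_key": "AKIAIOSFODNN7EXAMPLE"}'
)
SAMPLE_HEADERS = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "Allow": "GET, POST, TRACE",
}


def luhn_ok(candidate: str) -> bool:
    """Luhn mod-10 check over the digits in candidate (separators ignored)."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_body(body: str) -> List[Tuple[str, str]]:
    """Return (kind, matched_text) pairs for sensitive data found in a response body."""
    findings: List[Tuple[str, str]] = []
    for m in EMAIL_RE.finditer(body):
        findings.append(("email", m.group()))
    for m in CARD_RE.finditer(body):
        if luhn_ok(m.group()):  # drop timestamps, order numbers and other digit runs
            findings.append(("card_number", m.group()))
    for kind, pattern in KEY_PATTERNS.items():
        for m in pattern.finditer(body):
            findings.append((kind, m.group()))
    return findings


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Header-level findings: CORS misuse, dangerous methods, missing hardening headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    origin = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if origin == "*" and creds:
        findings.append("CORS wildcard origin combined with credentials")
    elif origin == "*":
        findings.append("CORS wildcard origin")
    allowed = {m.strip().upper() for m in h.get("allow", "").split(",") if m.strip()}
    risky = allowed & DANGEROUS_METHODS
    if risky:
        findings.append("dangerous methods advertised: " + ", ".join(sorted(risky)))
    for header in ("strict-transport-security", "x-content-type-options"):
        if header not in h:
            findings.append(f"missing security header {header}")
    return findings
```

`scan_body(SAMPLE_BODY)` reports the email, the Luhn-valid card number and the AWS key but not the 16-digit order reference, which is the point of the Luhn filter; `check_headers(SAMPLE_HEADERS)` reports the wildcard-plus-credentials CORS combination, the TRACE method and the two missing headers.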
OpenAPI analysis and authenticated scanning
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, cross-referencing spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For FastAPI services that expose an OpenAPI document, this enables mapping between declared interfaces and actual runtime behavior.
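The spec-side half of that cross-reference is straightforward to build yourself. The following added example (not middleBrick's parser) resolves local `$ref` pointers recursively with a cycle guard and then audits each operation of a small constructed OpenAPI 3.1 document for the four issues named above: security requirements naming a scheme that `components.securitySchemes` does not define, deprecated operations still present, list-returning GET operations with no pagination parameter, and response schemas that expose sensitive field names. The pagination parameter names, the sensitive field names and the sample spec are assumptions for this example; external (file or URL) references are not handled.

```python
from typing import Any, Dict, List, Set, Tuple

# Heuristic name lists are assumptions for this example.
PAGINATION_PARAMS = {"page", "limit", "offset", "cursor", "page_size"}
SENSITIVE_FIELDS = {"password", "ssn", "secret", "token"}
HTTP_METHODS = {"get", "post", "put", "patch", "delete"}

# Constructed sample spec, deliberately carrying one instance of each issue.
SAMPLE_SPEC: Dict[str, Any] = {
    "openapi": "3.1.0",
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "User": {
                "type": "object",
                "properties": {
                    "id": {"type": "integer"},
                    "email": {"type": "string"},
                    "password": {"type": "string"},
                },
            }
        },
    },
    "paths": {
        "/users": {
            "get": {
                "security": [{"bearerAuth": []}],
                "responses": {"200": {"content": {"application/json": {"schema": {
                    "type": "array", "items": {"$ref": "#/components/schemas/User"}}}}}},
            }
        },
        "/admin/reports": {
            "get": {
                "deprecated": True,
                "security": [{"adminKey": []}],  # never defined in securitySchemes
                "responses": {"200": {"description": "ok"}},
            }
        },
    },
}


def resolve_pointer(doc: Dict[str, Any], ref: str) -> Any:
    """Follow a local JSON Pointer such as #/components/schemas/User."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local refs are handled in this example: {ref}")
    node: Any = doc
    for part in ref[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node


def resolve_refs(doc: Dict[str, Any], node: Any = None, seen: Tuple[str, ...] = ()) -> Any:
    """Return a copy of node with every local $ref inlined; cycles become a marker object."""
    if node is None:
        node = doc
    if isinstance(node, dict):
        ref = node.get("$ref")
        if isinstance(ref, str):
            if ref in seen:
                return {"$circular": ref}
            return resolve_refs(doc, resolve_pointer(doc, ref), seen + (ref,))
        return {k: resolve_refs(doc, v, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(doc, v, seen) for v in node]
    return node


def schema_property_names(schema: Any, depth: int = 0) -> Set[str]:
    """Collect property names through nested objects and array items (bounded depth)."""
    if depth > 5 or not isinstance(schema, dict):
        return set()
    names = set(schema.get("properties", {}))
    for sub in schema.get("properties", {}).values():
        names |= schema_property_names(sub, depth + 1)
    if "items" in schema:
        names |= schema_property_names(schema["items"], depth + 1)
    return names


def audit_spec(raw: Dict[str, Any]) -> List[str]:
    doc = resolve_refs(raw)
    defined = set(raw.get("components", {}).get("securitySchemes", {}))
    findings: List[str] = []
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            where = f"{method.upper()} {path}"
            # Operation-level security overrides the document-level default.
            for requirement in op.get("security", raw.get("security", [])):
                for scheme in requirement:
                    if scheme not in defined:
                        findings.append(f"{where}: undefined security scheme '{scheme}'")
            if op.get("deprecated"):
                findings.append(f"{where}: deprecated operation still exposed")
            ok = op.get("responses", {}).get("200", {})
            schema = ok.get("content", {}).get("application/json", {}).get("schema", {})
            if method == "get" and schema.get("type") == "array":
                names = {p.get("name") for p in op.get("parameters", [])}
                if not names & PAGINATION_PARAMS:
                    findings.append(f"{where}: returns a list without pagination parameters")
            for name in sorted(schema_property_names(schema)):
                if name.lower() in SENSITIVE_FIELDS:
                    findings.append(f"{where}: response exposes sensitive field '{name}'")
    return findings
```

For a FastAPI service, feed `audit_spec` the JSON served at its `/openapi.json` route; the findings are the spec-declared side that a runtime scan then confirms or contradicts.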
Authenticated scanning is available from the Starter tier and above. Supported methods include Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through DNS TXT records or an HTTP well-known file to ensure only the domain owner can scan with credentials. A strict header allowlist is applied, forwarding only Authorization, X-API-Key, Cookie, and X-Custom-* headers during scans.
Products, integrations, and continuous monitoring
The Web Dashboard centralizes scan management, report viewing, score trend tracking, and downloadable branded compliance PDFs. The CLI, distributed as an npm package named middlebrick, supports commands such as middlebrick scan https://api.example.com with JSON or text output. A GitHub Action is available to act as a CI/CD gate, failing the build when the score drops below a chosen threshold. An MCP Server enables scanning from AI coding assistants including Claude and Cursor, and a native API client supports custom integrations.
Pro tier adds continuous monitoring with configurable rescan intervals of 6 hours, daily, weekly, or monthly. It provides diff detection across scans to surface new findings, resolved findings, and score drift. Notifications include rate-limited email alerts (1 per hour per API) and HMAC-SHA256 signed webhooks that auto-disable after 5 consecutive failures. Enterprise tier supports unlimited APIs, custom rules, SSO, audit logs, an SLA, and dedicated support.
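The signed-webhook and auto-disable behaviour described above is worth modelling end to end, because the receiver-side verification is where integrations usually go wrong. This added example (not middleBrick's code, and not its actual wire format) signs a delivery with HMAC-SHA256 over a timestamp plus the body, verifies it on the receiving side with a constant-time comparison and a replay window, and keeps a per-endpoint consecutive-failure counter that disables the hook after five failures. The header names, the `sha256=` prefix, the 300-second skew window and the sample event are assumptions; the five-failure cutoff follows the text.

```python
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Optional

# Header names, signature format and skew window are assumptions for this example.
SIGNATURE_HEADER = "X-Webhook-Signature"
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
MAX_SKEW_SECONDS = 300
MAX_CONSECUTIVE_FAILURES = 5  # the auto-disable rule described above


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<body>' so a captured delivery cannot be replayed later."""
    message = str(timestamp).encode() + b"." + body
    return "sha256=" + hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_delivery(secret: bytes, headers: Dict[str, str], body: bytes,
                    now: Optional[float] = None) -> bool:
    """Receiver-side check: timestamp window first, then constant-time signature compare."""
    now = time.time() if now is None else now
    try:
        timestamp = int(headers[TIMESTAMP_HEADER])
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False
    expected = sign_payload(secret, timestamp, body)
    return hmac.compare_digest(expected, headers.get(SIGNATURE_HEADER, ""))


class WebhookEndpoint:
    """Sender-side state: counts consecutive failures and disables the hook at the limit."""

    def __init__(self, url: str, secret: bytes):
        self.url = url
        self.secret = secret
        self.consecutive_failures = 0
        self.enabled = True

    def deliver(self, event: dict, send: Callable[[str, Dict[str, str], bytes], int],
                now: Optional[float] = None) -> bool:
        """`send` is the HTTP client (url, headers, body) -> status; injected so this runs offline."""
        if not self.enabled:
            return False
        timestamp = int(time.time() if now is None else now)
        body = json.dumps(event, separators=(",", ":")).encode()
        headers = {
            "Content-Type": "application/json",
            TIMESTAMP_HEADER: str(timestamp),
            SIGNATURE_HEADER: sign_payload(self.secret, timestamp, body),
        }
        try:
            ok = 200 <= send(self.url, headers, body) < 300
        except Exception:  # connection errors count as failures as well
            ok = False
        if ok:
            self.consecutive_failures = 0
            return True
        self.consecutive_failures += 1
        if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            self.enabled = False
        return False
```

On the receiving side, verify against the raw request bytes before parsing JSON; re-serialising the parsed body changes whitespace and key order and will not match the sender's signature. Include the timestamp in the signed message, as here, otherwise the replay window protects nothing.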
Safety posture and scope boundaries
middleBrick operates with a conservative safety posture. It uses read-only methods (GET and HEAD), sends only text-only POST bodies for the LLM probes, and never sends destructive payloads. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data is deletable on demand and purged within 30 days of cancellation; data is never sold and is not used for model training.
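Blocking private, loopback and cloud-metadata targets "at multiple layers" is the same control a scanner needs against SSRF in its own target input. The following added example (not middleBrick's implementation) shows three layers for a candidate scan URL: a hostname denylist, a check on IP literals including IPv6 and IPv4-mapped forms, and a check on every address the hostname resolves to. The hostname list, the metadata addresses and the fake resolver are assumptions for this example; `resolve` is injected so the check runs offline.

```python
import ipaddress
from typing import Callable, List, Optional
from urllib.parse import urlsplit

# Hostname and address lists are assumptions for this example, not middleBrick's own rules.
BLOCKED_HOSTNAMES = {"localhost", "localhost.localdomain", "metadata.google.internal", "metadata"}
METADATA_ADDRESSES = {"169.254.169.254", "fd00:ec2::254", "100.100.100.200"}


def is_blocked_address(value: str) -> bool:
    """True for any address a scanner must not connect to."""
    addr = ipaddress.ip_address(value)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    return (
        str(addr) in METADATA_ADDRESSES
        or addr.is_private or addr.is_loopback or addr.is_link_local
        or addr.is_multicast or addr.is_reserved or addr.is_unspecified
        or not addr.is_global
    )


def validate_target(url: str, resolve: Callable[[str], List[str]]) -> Optional[str]:
    """Return None if the URL may be scanned, else the reason it was refused.

    `resolve` maps a hostname to its A/AAAA records (injected; a real scanner would query DNS).
    """
    parts = urlsplit(url)
    if parts.scheme not in {"http", "https"}:
        return f"unsupported scheme {parts.scheme!r}"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "missing host"
    # Layer 1: hostname denylist.
    if host in BLOCKED_HOSTNAMES:
        return f"blocked hostname {host}"
    # Layer 2: IP literal (covers IPv6 and IPv4-mapped spellings of loopback/private space).
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        return f"blocked address literal {host}" if is_blocked_address(host) else None
    # Layer 3: every resolved record must be routable; one bad record refuses the scan.
    addresses = resolve(host)
    if not addresses:
        return f"unresolvable host {host}"
    for ip in addresses:
        if is_blocked_address(ip):
            return f"resolves to blocked address {ip}"
    return None


# Constructed resolver for offline use; 93.184.216.34 stands in for a public address.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "rebind.example.com": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])
```

Layer 3 only covers the addresses seen at validation time. To hold against DNS rebinding the HTTP client must connect to the validated IP rather than re-resolving the name, and every redirect target must go back through `validate_target` before it is followed.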
The tool does not fix, patch, block, or remediate findings; it detects and reports with remediation guidance. It does not perform active SQL injection or command injection testing, which would require intrusive payloads outside its scope. Business logic vulnerabilities are not detected, as they require human domain understanding. Blind SSRF is out of scope due to the absence of out-of-band infrastructure, and the scanner does not replace a human pentester for high-stakes audits.
Compliance framing and limitations
middleBrick maps findings to frameworks such as PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other regulations, it aligns findings with the security controls those standards describe and can supply supporting evidence for an audit, but it makes no certification or compliance guarantee. middleBrick is a scanning tool, not an auditor, and cannot certify compliance with any regulation.