Alternatives to 42Crunch for GraphQL gateway audit

What middleBrick covers

  • Black-box GraphQL and REST endpoint scanning with a runtime under one minute
  • Detection of authentication bypass and JWT misconfigurations
  • BOLA and IDOR identification via sequential and adjacent ID probing
  • Schema and spec cross-validation against OpenAPI and Swagger definitions
  • Authenticated scanning with strict header allowlist and domain verification
  • Compliance evidence mapping to PCI-DSS, SOC 2, and OWASP API Top 10

Purpose and scope of GraphQL gateway auditing

This tool targets GraphQL gateway and subgraph audit scenarios where the gateway exposes a unified endpoint but the underlying services remain independently versioned and deployed. It focuses on API surface risks such as schema introspection, query complexity, authorization at the gateway, and transport security. The scanner does not validate business logic or deep contract correctness between clients and services.

GraphQL-specific detections and OWASP API Top 10 alignment

GraphQL queries and mutations are inspected alongside transport and schema metadata to surface findings aligned with the OWASP API Top 10 (2023). Relevant detections include:

  • Authentication issues around JWT validation, alg=none, and malformed tokens in gateway-forwarded headers.
  • BOLA and IDOR via ID pattern probing where numeric or UUID identifiers are predictable across resources.
  • Property authorization risks from overly broad selection sets that expose internal fields or sensitive data.
  • Input validation gaps including unsafe query depth, excessive complexity, and CORS misconfigurations that combine wildcard origins with credentials.
  • Data exposure through error and stack trace leakage, sensitive API key formats, and PII patterns embedded in responses.
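As an added illustration (not middleBrick's own code), two of the passive checks this list describes, alg=none or malformed JWTs in a forwarded Authorization header and a wildcard CORS origin combined with credentials, written in Python over constructed sample headers. The helper names make_unsigned_token, check_jwt, check_cors and scan are assumptions for this example.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_header(token: str):
    """Return the decoded JOSE header, or None if the token is malformed."""
    parts = token.split(".")
    if len(parts) != 3 or not all(parts[:2]):
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return header if isinstance(header, dict) else None


def check_jwt(authorization: str) -> list:
    """Flag alg=none and malformed bearer tokens in a forwarded Authorization header."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return []  # not a bearer token; nothing to inspect here
    header = jwt_header(token.strip())
    if header is None:
        return ["malformed JWT in Authorization header"]
    if str(header.get("alg", "")).lower() == "none":
        return ["JWT header declares alg=none (unsigned token)"]
    return []


def check_cors(response_headers: dict) -> list:
    """Flag CORS responses that pair a wildcard origin with Allow-Credentials: true."""
    hdrs = {k.lower(): v.strip() for k, v in response_headers.items()}
    origin = hdrs.get("access-control-allow-origin", "")
    creds = hdrs.get("access-control-allow-credentials", "").lower()
    if origin == "*" and creds == "true":
        return ["CORS wildcard origin combined with Access-Control-Allow-Credentials: true"]
    return []


def make_unsigned_token(claims: dict) -> str:
    # Constructed alg=none token for the demo; its signature segment is empty.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


# Constructed sample exchange, not captured from any real gateway.
SAMPLE_REQUEST = {"Authorization": "Bearer " + make_unsigned_token({"sub": "user-1"})}
SAMPLE_RESPONSE = {"Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true"}


def scan(request_headers: dict, response_headers: dict) -> list:
    return check_jwt(request_headers.get("Authorization", "")) + check_cors(response_headers)


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUEST, SAMPLE_RESPONSE):
        print("-", finding)
```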

OpenAPI and schema cross-referencing

The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 definitions with recursive $ref resolution to compare the declared GraphQL and REST contract against observed runtime behavior. Findings highlight undefined security schemes, deprecated operations, missing pagination, and fields returned beyond what the spec defines. This cross-reference helps identify discrepancies between gateway documentation and actual responses.

Authenticated scanning and header controls

Authenticated scanning is available from the Starter tier onward. Supported methods include Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through DNS TXT records or an HTTP well-known file to ensure only the domain owner can submit credentials. The scanner forwards a restricted allowlist of headers, limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers, preventing accidental data leakage through unexpected channels.

Remediation guidance and compliance framing

Findings include prioritized risk scores and remediation guidance to help teams address issues efficiently. The results map directly to compliance evidence for PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, the tool helps you prepare for audits by surfacing findings relevant to controls described in security policies, but it does not certify or guarantee compliance with HIPAA, GDPR, ISO 27001, NIST, or similar regulatory frameworks.

Frequently Asked Questions

Can the scanner test deeply nested GraphQL queries for injection issues?
It focuses on structural risks such as query depth and complexity rather than deep injection payloads. Intrusive injection testing is outside scope and requires human expertise.
Does the tool perform active SQL or command injection against GraphQL resolvers?
No. The scanner uses read-only methods and avoids destructive payloads. SQL or command injection testing is not performed.
What is required to run authenticated scans?
You need valid credentials for Bearer, API key, Basic auth, or cookies, plus domain verification via a DNS TXT record or a well-known file to prove control of the domain.
How does the scanner handle schema evolution over time?
Continuous monitoring (Pro tier) tracks diffs across scans, highlighting new findings, resolved issues, and score drift to support ongoing governance.