Alternatives to 42Crunch on Hanami

What middleBrick covers

  • Black-box API security scanning with risk score A–F
  • 12 OWASP API Top 10 (2023) detection categories
  • OpenAPI 3.0/3.1 and Swagger 2.0 parsing with ref resolution
  • Authenticated scans with header allowlist and domain gate
  • CI/CD integration via GitHub Action and CLI
  • Continuous monitoring with diff detection and HMAC-SHA256 webhooks

Black-box scanning for Hanami and other Ruby frameworks

middleBrick is a self-service API security scanner that operates as a black-box tool. You submit a target URL and receive a risk score from A to F along with prioritized findings. It requires no agents, no SDK integration, and no access to your source code. The scanner supports any language and framework, including Hanami, Sinatra, Rails, and other Ruby stacks. It issues only read-only methods such as GET and HEAD, plus text-only POST requests for LLM probes, and completes most scans in under a minute.

Detection coverage aligned to OWASP API Top 10

The scanner covers 12 categories aligned to OWASP API Top 10 (2023). It detects authentication bypasses and JWT misconfigurations such as alg=none, weak algorithms, expired tokens, and missing claims. It identifies BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing. BFLA and privilege escalation are found through admin endpoint probing and role/permission field leakage. Property over-exposure, input validation issues like CORS wildcard usage, rate-limit header inconsistencies, and data exposure patterns including PII and API keys are also surfaced. Other categories include encryption misconfigurations, SSRF indicators, inventory issues, unsafe consumption surfaces, and LLM/AI security probes across multiple tiers.

OpenAPI analysis and authenticated scanning

middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For authenticated scans, it supports Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through DNS TXT records or an HTTP well-known file, ensuring only the domain owner can scan with credentials. The scanner forwards a restricted set of headers, including Authorization, X-API-Key, Cookie, and X-Custom-*.

Product features and continuous monitoring

The Web Dashboard provides scan management, score trend tracking, and downloadable branded compliance PDFs. The CLI, available as an npm package, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action can gate CI/CD pipelines, failing when the score drops below a defined threshold. The MCP Server enables scanning from AI coding assistants. Continuous monitoring in the Pro tier includes scheduled rescans, diff detection for new and resolved findings, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that are automatically disabled after five consecutive delivery failures.
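Signed webhooks only help if the receiver actually checks the signature. The following Ruby sketch, added here as an example and not part of middleBrick's code or documentation, shows how a Hanami (or any Rack) endpoint would verify an HMAC-SHA256 signature over the raw request body before parsing it; the header name, hex encoding, and payload fields are assumptions, since the page does not specify the webhook format.

```ruby
require "openssl"
require "json"

# Assumed layout (not specified on the page): the sender places
# hex(HMAC-SHA256(secret, raw_request_body)) in a header such as
# "X-Signature". Adjust the header name and encoding to the vendor docs.

# Compute the expected signature over the exact raw bytes of the body.
# Re-serialising parsed JSON would change whitespace and break the MAC.
def webhook_signature(secret, raw_body)
  OpenSSL::HMAC.hexdigest("SHA256", secret, raw_body)
end

# Constant-time comparison so response timing does not reveal how many
# leading bytes of a forged signature happened to match.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the parsed payload when the signature is valid, nil otherwise.
# Verify BEFORE parsing so unauthenticated bodies never reach the parser.
def verify_webhook(secret, raw_body, signature_header)
  return nil if signature_header.nil? || signature_header.empty?
  expected = webhook_signature(secret, raw_body)
  return nil unless secure_equal?(expected, signature_header.strip.downcase)
  JSON.parse(raw_body)
rescue JSON::ParserError
  nil
end

# Constructed sample secret and payload, made up for this example.
SAMPLE_SECRET = "whsec_example_do_not_use"
SAMPLE_BODY = JSON.generate({ "api" => "https://api.example.com", "score" => "B",
                              "new_findings" => 2, "resolved_findings" => 1 })

if __FILE__ == $PROGRAM_NAME
  sig = webhook_signature(SAMPLE_SECRET, SAMPLE_BODY)
  puts verify_webhook(SAMPLE_SECRET, SAMPLE_BODY, sig).inspect            # accepted
  tampered = SAMPLE_BODY.sub('"B"', '"A"')
  puts verify_webhook(SAMPLE_SECRET, tampered, sig).inspect               # nil
end
```

In a Hanami action, read the body with `request.body.read` and the header from `request.env`, and reject the request with 401 when `verify_webhook` returns nil.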

Safety posture and limitations

middleBrick adopts a read-only posture and never sends destructive payloads. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data is deletable on demand and purged within 30 days of cancellation. The tool does not fix, patch, block, or remediate issues. It does not perform active SQL injection or command injection testing, which would require intrusive payloads outside its scope. It does not detect business logic vulnerabilities or blind SSRF that relies on out-of-band infrastructure, and it does not replace human pentesters for high-stakes audits. Its role is to detect and report findings with remediation guidance.

Frequently Asked Questions

Does middleBrick map findings to compliance frameworks?
Yes. It maps findings directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, it helps you prepare for audits by surfacing findings relevant to those controls.
Can it scan Hanami applications behind authentication?
Yes. Authenticated scans are supported with Bearer tokens, API keys, Basic auth, and cookies, provided domain verification is completed.
Is middleBrick suitable for continuous integration?
Yes. The GitHub Action can enforce score thresholds in CI/CD pipelines, and the CLI supports automated execution with machine-readable output.
Does the tool perform active exploitation like SQL injection?
No. It does not perform active SQL injection or command injection, as those require intrusive payloads outside the scanner's scope.
What happens to scan data after cancellation?
Customer scan data is deletable on demand and fully purged within 30 days of cancellation. It is never sold or used for model training.