Alternatives to 42Crunch on Hapi
What middleBrick covers
- Black-box scanning with no agents or code access
- Risk scoring from A to F with prioritized findings
- Detection of OWASP API Top 10 (2023) categories
- OpenAPI 3.x and Swagger 2.0 parsing with $ref resolution
- Authenticated scanning with header allowlist
- Continuous monitoring with webhook and alert integrations
Black-box scanning for Hapi services
middleBrick is a self-service API security scanner designed for black-box assessment. Submit a URL that hosts Hapi endpoints and receive a risk score from A to F with prioritized findings. The scanner uses only read-only methods (GET and HEAD) plus text-only POST for LLM probes, requires no agents or SDK integration, and completes in under a minute. This approach works regardless of whether Hapi services are implemented in JavaScript or TypeScript, and without access to source code or runtime internals.
Detection coverage aligned to OWASP API Top 10
The scanner covers 12 categories aligned to OWASP API Top 10 (2023), relevant for Hapi APIs. Detection capabilities include authentication bypass and JWT misconfigurations such as alg=none or expired tokens, BOLA and IDOR via sequential ID enumeration, BFLA and privilege escalation attempts, property over-exposure and mass-assignment surfaces, input validation checks like CORS wildcard usage, rate-limiting header analysis, data exposure patterns including PII and API key formats, encryption and header hygiene, SSRF probes against URL-accepting parameters, and inventory issues such as missing versioning. For LLM-facing Hapi services, the scanner runs 18 adversarial probes across Quick, Standard, and Deep tiers to assess system prompt extraction, instruction override, jailbreak techniques, data exfiltration, and token smuggling.
OpenAPI analysis and authenticated scanning
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 specs with recursive $ref resolution for Hapi services. It cross-references spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. Authenticated scanning is supported via Bearer tokens, API keys, Basic auth, and cookies, behind a domain verification gate so that only domain owners can scan with credentials. Header forwarding is limited to an allowlist of Authorization, X-API-Key, Cookie, and X-Custom-* headers to minimize credential exposure during assessment.
Continuous monitoring and integration options
On the Pro tier, middleBrick supports scheduled rescans every 6 hours, daily, weekly, or monthly for Hapi APIs. It provides diff detection across scans to surface new findings, resolved issues, and score drift. Alerts are delivered via email, rate-limited to 1 per hour per API, and via HMAC-SHA256 signed webhooks that auto-disable after 5 consecutive failures. Integration options include a CLI (middlebrick scan <url>) with JSON or text output, a GitHub Action that can fail builds based on score thresholds, an MCP server for AI coding assistants, and a programmatic API for custom workflows.
What the scanner does not do and compliance framing
middleBrick does not fix, patch, block, or remediate findings; it detects and reports with remediation guidance. It does not perform active SQL injection or command injection testing, does not detect business logic vulnerabilities, and does not replace a human pentester for high-stakes audits. The tool helps you prepare for compliance with security frameworks and supports audit evidence collection. It maps findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023), and aligns with security controls described in other regulatory frameworks without asserting certification or compliance guarantees.