Alternatives to 42Crunch for ISO 27001 API control evidence

ISO 27001 requires demonstrable control over information security risks related to information assets, including those exposed through APIs. middleBrick provides a black-box API security scanner designed to surface findings that support evidence for selected controls under ISO 27001. The tool focuses on runtime behavior using read-only methods and does not attempt to fix, patch, or remediate issues. It is intended to help you prepare for audits by highlighting misconfigurations and exposures relevant to your control inventory.

middleBrick maps findings to three primary frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For ISO 27001, it supports audit evidence for controls such as A.9 (Access Control) and A.14 (System Acquisition), particularly around authentication, authorization, input validation, and data exposure. The scanner surfaces findings relevant to these controls by detecting issues like weak authentication, excessive data exposure, and missing authorization checks, enabling you to link specific observations to control objectives.

The scanner checks authentication bypass attempts, JWT misconfigurations such as alg=none or missing claims, and security header compliance. It validates authorization by probing for BOLA/IDOR via sequential ID enumeration and adjacent ID probing, and BFLA through admin endpoint discovery and role/permission leakage. Authenticated scans using Bearer tokens, API keys, Basic auth, or cookies require domain verification to ensure only the domain owner initiates scans, with a strict allowlist of headers forwarded to the API.

middleBrick detects input validation weaknesses such as CORS wildcard usage with credentials, dangerous HTTP methods, and debug endpoints. It identifies data exposure risks including PII patterns, valid credit card numbers, API key formats, and error or stack trace leakage. Safety controls include read-only methods only, blocking private IPs, localhost, and cloud metadata endpoints at multiple layers, ensuring no destructive payloads are transmitted during scans.

The scanner includes LLM / AI security testing with 18 adversarial probes across Quick, Standard, and Deep tiers. These probes cover system prompt extraction, instruction override attempts, DAN and roleplay jailbreaks, data exfiltration scenarios, cost exploitation, encoding bypasses, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool abuse, nested instruction injection, and PII extraction. Each tier increases probe depth while remaining read-only.