Alternatives to 42Crunch for API marketplace listing prep

What middleBrick covers

  • Black-box scanning with no agents or SDK dependencies.
  • Risk score A–F with prioritized findings.
  • 12 OWASP API Top 10 (2023) detection categories.
  • OpenAPI 3.0/3.1/Swagger 2.0 parsing with $ref resolution.
  • Authenticated scanning for Bearer, API key, Basic, and Cookie.
  • Continuous monitoring and diff detection in Pro tier.

Purpose and scope of API security scanning

This tool is a self-service API security scanner designed for marketplace listing preparation. Submit a URL and receive a risk score from A to F with prioritized findings. The scanner operates as a black-box solution, requiring no agents, SDKs, or code access, and supports any language, framework, or cloud. Each scan completes in under a minute using read-only methods (GET and HEAD) plus text-only POST for LLM probes. It does not fix, patch, block, or remediate; it detects and reports findings alongside remediation guidance.

Detection coverage aligned to recognized standards

The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023). Findings are mapped to PCI-DSS 4.0, SOC 2 Type II, and the OWASP API Top 10; for other frameworks it supplies audit evidence by aligning findings with the security controls those frameworks describe, without claiming a direct mapping. Coverage includes:

  • Authentication bypasses; JWT misconfigurations such as alg=none, symmetric HS256 signing, and expired or missing claims; and security header compliance.
  • BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing.
  • BFLA and privilege escalation through admin endpoint probing and role/permission field leakage.
  • Property authorization issues like over-exposure and mass-assignment surface.
  • Input validation checks for CORS wildcard usage, dangerous HTTP methods, and debug endpoints.
  • Rate limiting and resource consumption indicators, including rate-limit headers and oversized responses.
  • Data exposure patterns such as emails, Luhn-validated card numbers, context-aware SSNs, API key formats, and error or stack-trace leakage.
  • Encryption signals including HTTPS redirects, HSTS, cookie flags, and mixed content.
  • SSRF indicators involving URL-accepting parameters, internal IP detection, and active IP-bypass probes.
  • Inventory management signals like missing versioning and legacy path patterns.
  • Unsafe consumption surfaces, including excessive third-party URLs and webhook/callback endpoints.
  • LLM and AI security with adversarial probes across Quick, Standard, and Deep scan tiers, targeting system prompt extraction, instruction override, jailbreaks, data exfiltration, token smuggling, and related risks.

OpenAPI analysis is included for OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, cross-referencing spec definitions against runtime findings.
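To make the passive checks in the list above concrete, here is an added example (my own code, not middleBrick's scanner and not a description of how it is implemented) that runs a handful of them over a constructed HTTP response: JWT header and claim inspection for alg=none, HS256 and a missing or expired exp claim, Luhn-validated card numbers, an email pattern, a stack-trace signature, and the CORS, HSTS and rate-limit header signals. The finding names, regular expressions and the sample response are assumptions made for the example.

```python
import base64
import json
import re
import time
from typing import Dict, List, Optional


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(alg: str, claims: dict) -> str:
    """Builds a token with the given alg header and an empty signature. Only used to
    construct sample input; a real HS256/RS256 token would carry a signature."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def check_jwt(token: str, now: Optional[float] = None) -> List[str]:
    """Passive JWT checks: alg=none, symmetric HS256, missing or expired exp.
    The token is only decoded, never re-signed or replayed against the API."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, _signature = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad base64, bad JSON or wrong segment count
        return ["jwt_unparseable"]
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return ["jwt_unparseable"]
    findings = []
    alg = str(header.get("alg", "")).lower()
    if alg == "none":
        findings.append("jwt_alg_none")
    elif alg == "hs256":
        findings.append("jwt_hs256_symmetric")
    exp = payload.get("exp")
    if exp is None:
        findings.append("jwt_missing_exp")
    elif exp < now:
        findings.append("jwt_expired")
    return findings


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; cuts false positives from arbitrary 13-19 digit runs (IDs, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13-19 digits with optional single space/dash separators, not embedded in a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
JWT_RE = re.compile(r"eyJ[\w-]+\.[\w-]+\.[\w-]*")  # 'eyJ' is base64url for '{"'
STACK_TRACE_RE = re.compile(r"Traceback \(most recent call last\)|\bat [\w.$]+\(\w+\.java:\d+\)")


def find_card_numbers(body: str) -> List[str]:
    digits_only = (re.sub(r"[ -]", "", m.group()) for m in CARD_CANDIDATE.finditer(body))
    return [d for d in digits_only if luhn_valid(d)]


def check_headers(headers: Dict[str, str]) -> List[str]:
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if h.get("access-control-allow-origin", "").strip() == "*":
        findings.append("cors_wildcard")
    if "strict-transport-security" not in h:
        findings.append("hsts_missing")
    if not any(k in h for k in ("x-ratelimit-limit", "ratelimit-limit", "retry-after")):
        findings.append("no_rate_limit_headers")
    return findings


def scan_response(headers: Dict[str, str], body: str, now: Optional[float] = None) -> List[str]:
    """Runs every passive check over one response and returns sorted finding names."""
    findings = check_headers(headers)
    for token in JWT_RE.findall(body):
        findings += check_jwt(token, now)
    if find_card_numbers(body):
        findings.append("card_number_exposed")
    if EMAIL_RE.search(body):
        findings.append("email_exposed")
    if STACK_TRACE_RE.search(body):
        findings.append("stack_trace_leak")
    return sorted(findings)


# Constructed sample response (not captured from any real API): wildcard CORS, no HSTS,
# an unsigned JWT without exp, a Luhn-valid test card number and an email address.
SAMPLE_HEADERS = {"Content-Type": "application/json", "Access-Control-Allow-Origin": "*"}
SAMPLE_BODY = json.dumps({
    "user": {"email": "alice@example.com", "card": "4111 1111 1111 1111"},
    "token": make_unsigned_jwt("none", {"sub": "alice", "role": "admin"}),
})

if __name__ == "__main__":
    print(scan_response(SAMPLE_HEADERS, SAMPLE_BODY))
```

Every check here is derived from a response the scanner already received, which is what keeps a black-box scan read-only: nothing is written, and the JWT is decoded rather than forged or replayed.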

Authenticated scanning and safety controls

Authenticated scanning is available from the Starter tier and above, supporting Bearer, API key, Basic auth, and Cookie credentials. Domain verification is enforced through a DNS TXT record or an HTTP well-known file, ensuring only the domain owner can scan with credentials. The scanner forwards a restricted allowlist of headers: Authorization, X-API-Key, Cookie, and X-Custom-*.

Safety is maintained by restricting scans to read-only methods (GET and HEAD) plus the text-only POST used for LLM probes; destructive payloads are never sent. Requests to private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data can be deleted on demand and is purged within 30 days of cancellation; it is never sold and never used for model training.

Product integrations and continuous monitoring

Integrations include a Web Dashboard for running scans, viewing reports, tracking score trends, and downloading branded compliance PDFs. The CLI, installed from the middlebrick npm package, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action enables CI/CD gating by failing the build when the score drops below a configured threshold. An MCP Server allows scanning from AI coding assistants such as Claude and Cursor.

Pro tier adds continuous monitoring with scheduled rescans every 6 hours, daily, weekly, or monthly. Diff detection highlights new findings, resolved findings, and score drift between consecutive scans. Email alerts are rate-limited to 1 per hour per API; webhook deliveries are signed with HMAC-SHA256, and a webhook is automatically disabled after 5 consecutive delivery failures.
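The monitoring pipeline described above, as an added example in Python (my own code, not middleBrick's; the page does not document its webhook format). It diffs two scan results into new findings, resolved findings and grade drift, delivers the alert as an HMAC-SHA256 signed webhook, shows the receiver-side verification a practitioner has to write, and disables the hook after 5 consecutive failures. The header names, the timestamp-in-signature replay defence, the 300-second replay window, the finding id scheme and the two sample scans are assumptions made for the example.

```python
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Optional

GRADES = "ABCDEF"              # page: risk score runs from A (best) to F (worst)
MAX_CONSECUTIVE_FAILURES = 5   # page: webhooks auto-disable after 5 consecutive failures
REPLAY_WINDOW_SECONDS = 300    # assumed; the page states no replay window


def diff_scans(previous: dict, current: dict) -> dict:
    """New and resolved findings by id, plus grade drift (positive means worse)."""
    prev_ids = {f["id"] for f in previous["findings"]}
    cur_ids = {f["id"] for f in current["findings"]}
    return {
        "new": sorted(cur_ids - prev_ids),
        "resolved": sorted(prev_ids - cur_ids),
        "grade_drift": GRADES.index(current["grade"]) - GRADES.index(previous["grade"]),
    }


def build_alert(api_url: str, previous: dict, current: dict) -> Optional[dict]:
    """Returns an alert event only when something changed, so unchanged rescans stay silent."""
    delta = diff_scans(previous, current)
    if not delta["new"] and not delta["resolved"] and delta["grade_drift"] == 0:
        return None
    return {"api": api_url, "grade": current["grade"], **delta}


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<body>' so a captured delivery cannot be replayed later."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: Dict[str, str], body: bytes, now: Optional[int] = None) -> bool:
    """Receiver side: reject stale or missing timestamps, then compare in constant time."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False
    expected = sign(secret, ts, body).encode()
    return hmac.compare_digest(expected, headers.get("X-Signature-256", "").encode())


class WebhookEndpoint:
    """Sender-side delivery state for one configured webhook URL."""

    def __init__(self, secret: bytes, transport: Callable[[Dict[str, str], bytes], int]):
        self.secret = secret
        self.transport = transport  # performs the HTTP POST and returns the status code
        self.consecutive_failures = 0
        self.enabled = True

    def deliver(self, event: dict, now: Optional[int] = None) -> bool:
        if not self.enabled:
            return False
        now = int(time.time()) if now is None else now
        body = json.dumps(event, sort_keys=True).encode()
        headers = {
            "Content-Type": "application/json",
            "X-Timestamp": str(now),
            "X-Signature-256": sign(self.secret, now, body),
        }
        try:
            ok = 200 <= self.transport(headers, body) < 300
        except Exception:  # connection errors count as failures too
            ok = False
        if ok:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
                self.enabled = False
        return ok


# Constructed sample scans (not real results): one finding fixed, one new, grade slipped B -> C.
PREVIOUS_SCAN = {"grade": "B", "findings": [{"id": "hsts_missing"}, {"id": "cors_wildcard"}]}
CURRENT_SCAN = {"grade": "C", "findings": [{"id": "cors_wildcard"}, {"id": "jwt_alg_none"}]}

if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    receiver = lambda h, b: 200 if verify(secret, h, b) else 401
    hook = WebhookEndpoint(secret, receiver)
    print(hook.deliver(build_alert("https://api.example.com", PREVIOUS_SCAN, CURRENT_SCAN)))
```

Signing the timestamp together with the body is what turns a bare HMAC into a replay-resistant one; the receiver must compare with hmac.compare_digest rather than == to avoid a timing side channel on the signature check.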

Pricing, limitations, and compliance positioning

Pricing tiers include a free plan with 3 scans per month and CLI access, Starter at $99 per month for 15 APIs, Pro at $499 per month for 100 APIs with continuous monitoring and CI/CD integration, and Enterprise at $2000 per month for unlimited APIs and dedicated support. The tool is a scanner that detects and reports; it does not replace a human pentester for high-stakes audits.

It does not perform active SQL injection or command injection testing, which would require intrusive payloads outside its scope. It does not detect business logic vulnerabilities or blind SSRF that relies on out-of-band infrastructure, and it does not guarantee mappings to regulations such as HIPAA, GDPR, ISO 27001, NIST, CIS, CCPA, NIS2, DORA, FedRAMP, DPDP, APPI, PDPA, PIPEDA, PIPA, UK DPA, LGPD, SOX, GLBA, or FERPA. For these frameworks, it helps you prepare for audits by surfacing findings relevant to the security controls described in their requirements.

Frequently Asked Questions

Can I scan authenticated endpoints with middleBrick?
Yes, authenticated scanning is available from the Starter tier onward, supporting Bearer, API key, Basic auth, and Cookie credentials with domain verification.
Does the scanner perform active injection tests like SQL injection?
No. The scanner uses read-only methods (plus text-only POST for LLM probes) and does not perform active SQL injection or command injection testing.
How are scan results mapped to compliance frameworks?
Findings map directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, it supports audit evidence and aligns with described security controls.
What happens to my scan data after I cancel?
Customer scan data is deletable on demand and purged within 30 days of cancellation. It is never sold and never used for model training.
Does the scanner fix vulnerabilities automatically?
No. The tool detects and reports findings with remediation guidance; it does not fix, patch, block, or remediate.