Alternatives to 42Crunch on Sails.js
What middleBrick covers
- Black-box API scanning for Sails.js without agents or code access
- Risk scoring from A to F with prioritized findings
- Mapping findings to OWASP API Top 10, PCI-DSS 4.0, and SOC 2 Type II
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with recursive $ref resolution
- Authenticated scans with strict header allowlists and domain verification
- Continuous monitoring and CI/CD integration via GitHub Action and MCP Server
Black-box scanning for Sails.js APIs
middleBrick is a self-service API security scanner designed for frameworks where source access is unavailable or impractical. For Sails.js applications, it operates as a black-box scanner: you submit a URL and receive a risk score from A to F with prioritized findings. The scanner uses only read-only methods (GET and HEAD) plus text-only POST for LLM probes, so it does not require code access, SDK integration, or agents. Scan completion typically occurs in under a minute, regardless of whether the backend uses JavaScript, TypeScript, or any other language.
Coverage aligned to OWASP API Top 10 and related frameworks
middleBrick maps findings directly to the OWASP API Top 10 (2023) and supports audit evidence for SOC 2 Type II and PCI-DSS 4.0. For Sails.js APIs, it detects issues across 12 categories. Authentication checks cover multi-method bypass and JWT misconfigurations such as alg=none, weak shared secrets, expired tokens, missing claims, and sensitive data in claims. Broken Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA) are tested via sequential ID enumeration, adjacent-ID probing, admin endpoint probing, and role or permission field leakage. Input validation checks include CORS wildcard detection with and without credentials, dangerous HTTP methods, and debug endpoints. Additional coverage includes SSRF probes against URL-accepting parameters, rate-limit header detection, PII patterns (email, Luhn-validated card numbers, context-aware SSN), and API key formats for AWS, Stripe, GitHub, and Slack. Encryption checks validate HTTPS redirects, HSTS, and cookie flags. The scanner also assesses inventory management issues such as missing versioning and legacy path patterns, unsafe consumption surfaces, and LLM-specific adversarial probes across quick, standard, and deep tiers.
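As an added example (not middleBrick's own code), the JWT checks named above can be illustrated with a passive inspector in Node.js: it decodes a token's header and payload without verifying or using it and reports alg=none, an expired or missing exp, missing identity claims, and sensitive claim names. The required-claim list and the sensitive-name list are assumptions for the example.

```javascript
// Passive JWT inspector (added example, not middleBrick's scanner code).
// It only decodes the token; it never verifies, forges, or replays it.
const REQUIRED_CLAIMS = ['iss', 'sub', 'aud'];                    // assumed
const SENSITIVE_CLAIMS = ['password', 'secret', 'ssn', 'card', 'cvv']; // assumed

function decodeSegment(segment) {
  // JWT segments are base64url-encoded JSON (Node >= 15.7 supports 'base64url').
  return JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const findings = [];
  const parts = token.split('.');
  if (parts.length !== 3) return ['malformed: expected 3 segments'];
  let header, payload;
  try {
    header = decodeSegment(parts[0]);
    payload = decodeSegment(parts[1]);
  } catch (err) {
    return ['malformed: segments are not base64url JSON'];
  }
  // alg=none means the server may accept an unsigned token.
  if (typeof header.alg !== 'string' || header.alg.toLowerCase() === 'none') {
    findings.push('alg-none: token is unsigned');
  }
  if (parts[2] === '') findings.push('empty-signature');
  // Expiry: absent exp never expires; exp in the past is already stale.
  if (payload.exp === undefined) findings.push('missing-claim: exp');
  else if (payload.exp <= nowSeconds) findings.push('expired');
  for (const claim of REQUIRED_CLAIMS) {
    if (payload[claim] === undefined) findings.push(`missing-claim: ${claim}`);
  }
  // Claims are only base64url-encoded, so secrets inside them are readable.
  for (const key of Object.keys(payload)) {
    if (SENSITIVE_CLAIMS.some((s) => key.toLowerCase().includes(s))) {
      findings.push(`sensitive-claim: ${key}`);
    }
  }
  return findings;
}

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Constructed sample: unsigned, expired, and carrying a password claim.
const SAMPLE_TOKEN =
  `${b64url({ alg: 'none', typ: 'JWT' })}.` +
  `${b64url({ sub: 'user-1', exp: 1700000000, password: 'hunter2' })}.`;
```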
OpenAPI analysis and authenticated scanning
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 definitions for Sails.js projects, resolving $ref references recursively. It cross-references spec definitions against runtime behavior to surface undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For authenticated scans, supported methods include Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through DNS TXT records or an HTTP well-known file, ensuring only the domain owner can run credentialed scans. The scanner forwards only a strict header allowlist, limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers, to minimize exposure during testing.
Continuous monitoring and integration options
With the Pro tier, Sails.js APIs can be placed under continuous monitoring with scheduled rescans every 6 hours, daily, weekly, or monthly. The system detects diffs between scans, highlighting new findings, resolved issues, and score drift. Alerts are rate-limited to one email per hour per API and can be delivered via Slack or Teams. HMAC-SHA256 signed webhooks notify external systems, with auto-disable after five consecutive delivery failures. Integration options include a web dashboard for tracking score trends, a CLI via the middlebrick npm package using middlebrick scan <url> with JSON or text output, a GitHub Action to fail CI/CD builds when scores drop below a threshold, and an MCP Server for use with AI coding assistants. Programmatic access is available through an API client for custom integrations.
What the scanner does not do and safety posture
middleBrick is a scanner and does not fix, patch, block, or remediate findings. It provides detection and guidance, not active exploitation. For Sails.js APIs, it does not send intrusive payloads such as active SQL injection or command injection, as those fall outside its read-only scope. It does not detect business logic vulnerabilities, which require domain-specific human analysis, nor does it perform blind SSRF testing that depends on out-of-band infrastructure. Destructive payloads are never sent, and private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data is deletable on demand and purged within 30 days of cancellation; data is never sold or used for model training.