Alternatives to 42Crunch on Spring Boot
What middleBrick covers
- Black-box scanning with no agents or SDK dependencies
- Risk scoring from A to F with prioritized findings
- Detection aligned to OWASP API Top 10 (2023)
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with spec-to-runtime comparison
- Authenticated scans with header allowlist and domain verification
- CI/CD integration via GitHub Action and MCP Server support
Black-box scanning for any stack
middleBrick is a self-service API security scanner that operates without agents, SDKs, or access to source code. You submit a target URL and receive a risk score from A to F with prioritized findings. Because it is black-box, it works with any language, framework, or cloud environment, including Spring Boot services.
Detection aligned to OWASP API Top 10
The scanner covers 12 categories aligned to OWASP API Top 10 (2023). It checks authentication bypasses and JWT misconfigurations such as alg=none, HS256 usage, expired tokens, missing claims, and sensitive data in claims. It probes BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing, and BFLA and privilege escalation through admin endpoint probing and role/permission field leakage. Other categories include property authorization over-exposure, input validation issues like CORS wildcards and dangerous HTTP methods, rate limiting and resource consumption signals, data exposure including PII and API key formats, encryption and HTTPS hygiene, SSRF indicators, inventory issues such as missing versioning, unsafe consumption surfaces, and LLM/AI security probes across three scan tiers.
OpenAPI analysis and authenticated scanning
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, cross-referencing spec definitions against runtime behavior to surface undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For authenticated scans on the Starter tier and above, Bearer, API key, Basic auth, and Cookie methods are supported. Domain verification is enforced through DNS TXT records or an HTTP well-known file so that only the domain owner can run authenticated scans. A strict header allowlist limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-*.
Continuous monitoring and integrations
With Pro tier, scans can be scheduled every 6 hours, daily, weekly, or monthly. Diff detection highlights new findings, resolved findings, and score drift between runs. Alerts are sent via email at a rate-limited frequency of 1 per hour per API, and HMAC-SHA256 signed webhooks disable automatically after 5 consecutive failures. The tool integrates into existing workflows through a web dashboard for reporting and trend tracking, a CLI via the middlebrick npm package, a GitHub Action that can fail CI/CD builds based on a score threshold, and an MCP Server for use with AI coding assistants. An API client enables custom integrations.
Limitations and scope
The tool does not fix, patch, block, or remediate issues; it detects and reports them with remediation guidance. It does not perform active SQL injection or command injection, as those require intrusive payloads outside its scope. It does not detect business logic vulnerabilities or blind SSRF that relies on out-of-band infrastructure, and it does not replace a human pentester for high-stakes audits. Security findings should be validated within the context of your application and domain logic.