Alternatives to APIsec on Grape
What middleBrick covers
- Black-box scanning with no agents or code access required
- Risk scoring from A to F with prioritized findings
- Detection aligned to OWASP API Top 10, PCI-DSS 4.0, SOC 2 Type II
- OpenAPI 3.0/3.1 and Swagger 2.0 analysis with $ref resolution
- Authenticated scanning for Bearer, API key, Basic, and cookie auth
- Continuous monitoring with scheduled rescans and alerting
Black-box scanning for any API stack
middleBrick is a self-service API security scanner that operates without agents, SDKs, or access to source code. You submit a target URL and receive a risk score from A to F along with prioritized findings. The scanner supports any language, framework, or cloud stack because it probes the live API surface using read-only methods such as GET and HEAD, plus text-only POST for LLM probes. Scan completion typically occurs in under a minute, making it practical to run frequently during development and before releases.
Coverage aligned to OWASP API Top 10 and related standards
The scanner maps findings to OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II by design. Detection capabilities span authentication bypass and JWT misconfigurations, including alg=none and weak key usage; BOLA and IDOR via sequential ID enumeration; BFLA and privilege escalation through admin endpoint probing; property over-exposure and mass-assignment surfaces; input validation checks such as CORS wildcard usage and dangerous HTTP methods; rate-limiting header analysis and oversized response detection; PII patterns like emails and context-aware SSNs, plus API key leakage across AWS, Stripe, GitHub, and Slack; HTTPS and HSTS validation; SSRF indicators involving internal IP probing; and inventory issues such as missing versioning. For LLM-facing APIs, the scanner runs 18 adversarial probes across Quick, Standard, and Deep tiers to surface system prompt extraction, instruction override, jailbreak attempts, data exfiltration patterns, and token smuggling.
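As an illustration of the kind of read-only, response-level checks listed above (CORS wildcard, HSTS validation, rate-limit header analysis) and of turning findings into a letter grade, here is an added example. It is not middleBrick's code; the finding ids, severity weights and grade thresholds are assumptions, and the sample headers are constructed.

```javascript
// Added example, not middleBrick's code: read-only checks over a captured
// HTTP response's headers, then an assumed severity-to-grade mapping.
function analyzeResponseHeaders(headers, { isHttps = true } = {}) {
  // Normalise header names to lower case so lookups are case-insensitive
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);
  const findings = [];

  // CORS: a wildcard origin is risky on its own and a clear misconfiguration
  // when combined with credentials (browsers reject that combination anyway).
  const acao = h['access-control-allow-origin'];
  if (acao === '*') {
    const withCreds = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
    findings.push({
      id: 'cors-wildcard',
      severity: withCreds ? 'high' : 'medium',
      detail: withCreds ? 'Access-Control-Allow-Origin: * with credentials enabled' : 'Access-Control-Allow-Origin: *',
    });
  }

  // HSTS: only meaningful over HTTPS; check presence and a max-age of at least one year
  if (isHttps) {
    const hsts = h['strict-transport-security'];
    if (!hsts) {
      findings.push({ id: 'hsts-missing', severity: 'medium', detail: 'no Strict-Transport-Security header' });
    } else {
      const m = /max-age=(\d+)/i.exec(hsts);
      const maxAge = m ? parseInt(m[1], 10) : 0;
      if (maxAge < 31536000) {
        findings.push({ id: 'hsts-short-max-age', severity: 'low', detail: `max-age=${maxAge} (< 1 year)` });
      }
    }
  }

  // Rate limiting: report when none of the usual rate-limit headers is present
  const rateHeaders = ['ratelimit-limit', 'x-ratelimit-limit', 'retry-after'];
  if (!rateHeaders.some((name) => name in h)) {
    findings.push({ id: 'rate-limit-headers-missing', severity: 'low', detail: 'no rate-limit headers observed' });
  }
  return findings;
}

// Assumed weights and thresholds; middleBrick's real scoring model is not published here.
const SEVERITY_WEIGHT = { high: 30, medium: 15, low: 5 };

function gradeFindings(findings) {
  const penalty = findings.reduce((sum, f) => sum + (SEVERITY_WEIGHT[f.severity] || 0), 0);
  const score = Math.max(0, 100 - penalty);
  const grade = score >= 90 ? 'A' : score >= 80 ? 'B' : score >= 70 ? 'C' : score >= 60 ? 'D' : 'F';
  return { score, grade };
}

// Constructed sample: a response with a credentialed CORS wildcard, a short HSTS
// max-age and no rate-limit headers.
const SAMPLE_HEADERS = {
  'Content-Type': 'application/json',
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Credentials': 'true',
  'Strict-Transport-Security': 'max-age=300',
};

const sampleFindings = analyzeResponseHeaders(SAMPLE_HEADERS);
console.log(sampleFindings, gradeFindings(sampleFindings));
```

Running it on the constructed sample yields three findings and a D grade; a response with a year-long HSTS policy, no wildcard origin and a RateLimit-Limit header yields none and an A.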
OpenAPI analysis and authenticated scanning
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution, cross-referencing spec definitions against runtime behavior to highlight undefined security schemes, deprecated operations, and missing pagination. Authenticated scanning is available from the Starter tier onward, supporting Bearer tokens, API keys, Basic auth, and cookies. Domain verification requires a DNS TXT record or an HTTP well-known file to ensure only the domain owner can scan with credentials. The scanner forwards a strict allowlist of headers, including Authorization, X-API-Key, Cookie, and X-Custom-* headers, minimizing unnecessary data exposure during tests.
Continuous monitoring and integration options
Pro tier adds scheduled rescans every 6 hours, daily, weekly, or monthly, with diff detection that highlights new findings, resolved issues, and score drift. Alerts are delivered via email at a rate-limited cadence of one per hour per API, and HMAC-SHA256 signed webhooks include auto-disable after five consecutive failures to prevent alert storms. Integration paths include a web dashboard for managing scans and exporting branded compliance PDFs, a CLI via the middlebrick npm package using middlebrick scan <url> with JSON or text output, a GitHub Action that can fail CI/CD builds when scores drop below a threshold, and an MCP server for use with AI coding assistants. Programmatic access through an API client enables custom workflows and integration with existing security tooling.
Limitations and safety posture
The scanner does not fix, patch, block, or remediate issues; it detects and reports with remediation guidance. It avoids active SQL injection or command injection tests, does not detect business logic vulnerabilities, and cannot perform blind SSRF testing due to the absence of out-of-band infrastructure. It is not intended to replace a human pentester for high-stakes audits. Safety measures include the use of read-only methods only and the blocking of private IPs, localhost, and cloud metadata endpoints at multiple layers. Customer scan data is deletable on demand and purged within 30 days of cancellation, and it is never sold or used for model training.