Alternatives to APIsec on Phoenix
What middleBrick covers
- Black-box scanning with read-only methods under one minute
- Risk scoring from A to F with prioritized findings
- Detection aligned to OWASP API Top 10 (2023)
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with spec-to-runtime diff
- Authenticated scans with header allowlist and domain verification
- Continuous monitoring with diff detection and signed webhooks
Black-box approach to API security assessment
middleBrick is a self-service API security scanner that operates as a black-box solution: submit a target URL and receive a risk score from A to F with prioritized findings. The scanner limits itself to read-only methods such as GET and HEAD, plus text-only POST requests for the LLM probes, so the assessment itself is not intended to change the target's state. POST is not a safe method in HTTP terms, so confirm that the endpoints receiving those probe bodies do not persist or act on free-text input before pointing the scanner at production. Scans typically complete in under one minute, and no agents, SDKs, or code access are required, so any language, framework, or cloud stack can be assessed.
Detection coverage aligned to industry standards
The scanner evaluates 12 security categories aligned to the OWASP API Top 10 (2023). It detects authentication bypass and JWT misconfigurations such as alg=none, weak signing algorithms, expired tokens, missing claims, and sensitive data carried in claims. It identifies BOLA/IDOR through sequential ID enumeration and active probing of adjacent IDs, and BFLA through admin endpoint probing and privilege escalation indicators. Further coverage includes object property level authorization (over-exposed fields), input validation issues such as CORS wildcard origins and dangerous HTTP methods, rate limiting misconfigurations, and data exposure patterns such as PII, recognizable API key formats, and error message leakage. It also covers encryption hygiene, SSRF indicators, inventory management gaps, unsafe consumption of third-party APIs, and LLM/AI adversarial probes across multiple tiers.
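The JWT checks above are the kind a black-box scanner can run on any token it sees in a response, a Set-Cookie header, or a documentation page, without holding the signing key. The following is an added example, not middleBrick's code: it decodes a token without verifying it and reports alg=none, unaccepted algorithms, expired tokens, missing claims, and sensitive data in claims. The accepted-algorithm list, the required-claim list, the sensitive-name and sensitive-value patterns, and the sample tokens are assumptions constructed for illustration.

```python
"""Offline hygiene checks for JWTs a black-box scanner observes in responses or headers.
Added example, not middleBrick's code.  The accepted-algorithm list, required-claim
list and the 'sensitive' patterns are assumptions chosen for illustration."""
import base64
import json
import re
import time
from typing import List, Optional, Tuple

ACCEPTED_ALGS = {"HS256", "HS384", "HS512", "RS256", "RS384", "RS512",
                 "ES256", "ES384", "ES512", "PS256", "PS384", "PS512", "EdDSA"}
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "iat")
SENSITIVE_KEYS = re.compile(r"(password|passwd|secret|ssn|card|cvv)", re.I)
SENSITIVE_VALUES = {
    "email address": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "API key format": re.compile(r"^(sk_(live|test)_|AKIA)[A-Za-z0-9]+$"),
}


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(header: dict, payload: dict, sig: bytes = b"") -> str:
    """Build a token with a dummy signature; only used to construct sample input."""
    segments = [b64url_encode(json.dumps(part).encode()) for part in (header, payload)]
    return ".".join(segments + [b64url_encode(sig)])


def check_jwt(token: str, now: Optional[float] = None) -> List[Tuple[str, str]]:
    """Return (severity, message) findings.  The signature is deliberately NOT verified:
    a black-box scanner has no key, it only inspects what the token says about itself."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return [("high", "malformed token: expected three dot-separated segments")]
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return [("high", "malformed token: header or payload is not base64url JSON")]
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return [("high", "malformed token: header or payload is not a JSON object")]

    findings: List[Tuple[str, str]] = []
    alg = str(header.get("alg", ""))
    if alg.lower() == "none":
        findings.append(("critical", "alg=none: token accepted without a signature check"))
    elif alg not in ACCEPTED_ALGS:
        findings.append(("high", f"unaccepted or weak algorithm: {alg!r}"))
    for claim in REQUIRED_CLAIMS:
        if claim not in payload:
            findings.append(("medium", f"missing claim: {claim}"))
    exp = payload.get("exp")
    if isinstance(exp, (int, float)) and exp < now:
        findings.append(("medium", f"expired token: exp={int(exp)} is before now={int(now)}"))
    for key, value in payload.items():
        if SENSITIVE_KEYS.search(key):
            findings.append(("high", f"sensitive claim name: {key}"))
        if isinstance(value, str):
            for kind, pattern in SENSITIVE_VALUES.items():
                if pattern.search(value):
                    findings.append(("medium", f"{kind} in claim {key!r}"))
    return findings


# Constructed sample tokens (not captured from any real system); NOW is a fixed clock.
NOW = 1_800_000_100
SAMPLE_BAD = make_token({"alg": "none", "typ": "JWT"},
                        {"sub": "42", "email": "alice@example.com",
                         "password": "hunter2", "exp": 1_700_000_000})
SAMPLE_OK = make_token({"alg": "RS256", "typ": "JWT"},
                       {"iss": "https://issuer.example", "sub": "42", "aud": "api",
                        "iat": 1_800_000_000, "exp": 1_800_003_600}, sig=b"\x00" * 256)

if __name__ == "__main__":
    for sev, msg in check_jwt(SAMPLE_BAD, now=NOW):
        print(f"[{sev}] {msg}")
```

The clock is injected (`now`) so results are reproducible; a scanner would pass the wall clock. Note that a passing result here says nothing about whether the issuer actually verifies signatures, only that the token's own header and claims show no obvious weakness.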
OpenAPI analysis and authenticated scanning
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution, cross-referencing spec definitions against runtime behavior to identify undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For authenticated scans, supported methods include Bearer, API key, Basic auth, and Cookie. Domain verification is enforced through DNS TXT records or an HTTP well-known file, allowing only the domain owner to run credentialed scans. A strict header allowlist limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-* to minimize exposure during assessment.
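To make the spec analysis and the header allowlist concrete, here is an added example, not middleBrick's own code, that resolves local $ref pointers in an OpenAPI 3.x document (stopping on cyclic schemas), then flags operations that reference undefined security schemes, deprecated operations, collection endpoints with no pagination parameters, and sensitive property names in response schemas. It also shows the forwarding filter that keeps only Authorization, X-API-Key, Cookie and X-Custom-* headers. The pagination parameter names, the sensitive-field regex, and the sample spec are assumptions constructed for illustration; the real product's heuristics may differ.

```python
"""Static checks over an OpenAPI 3.x document plus the credential header allowlist.
Added example, not middleBrick's code; the pagination parameter names, the
sensitive-field regex and the sample spec below are assumptions/constructed input."""
import re
from typing import Any, Dict, FrozenSet, List, Tuple

PAGINATION_PARAMS = {"limit", "offset", "page", "page_size", "per_page", "cursor"}
SENSITIVE_PROPS = re.compile(r"(password|secret|ssn|card_number|cvv)", re.I)
HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")
ALLOWED_HEADERS = {"authorization", "x-api-key", "cookie"}   # plus the X-Custom-* prefix


def resolve_refs(node: Any, root: dict, seen: FrozenSet[str] = frozenset()) -> Any:
    """Recursively replace local {"$ref": "#/..."} pointers with their targets.
    A pointer already on the current resolution path is left in place to stop cycles."""
    if isinstance(node, dict):
        ref = node.get("$ref")
        if isinstance(ref, str) and ref.startswith("#/"):
            if ref in seen:
                return node
            target: Any = root
            for part in ref[2:].split("/"):
                part = part.replace("~1", "/").replace("~0", "~")  # JSON Pointer escapes
                target = target[int(part)] if isinstance(target, list) else target[part]
            return resolve_refs(target, root, seen | {ref})
        return {k: resolve_refs(v, root, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(v, root, seen) for v in node]
    return node


def _walk_schema(schema: Any, where: str, out: List[Tuple[str, str]]) -> None:
    """Collect sensitive property names anywhere inside a (resolved) schema."""
    if not isinstance(schema, dict):
        return
    for name, sub in (schema.get("properties") or {}).items():
        if SENSITIVE_PROPS.search(name):
            out.append(("high", f"sensitive field {name!r} exposed in {where}"))
        _walk_schema(sub, where, out)
    _walk_schema(schema.get("items"), where, out)
    _walk_schema(schema.get("additionalProperties"), where, out)
    for combinator in ("allOf", "oneOf", "anyOf"):
        for sub in schema.get(combinator) or []:
            _walk_schema(sub, where, out)


def lint_openapi(spec: dict) -> List[Tuple[str, str]]:
    spec = resolve_refs(spec, spec)
    schemes = set((spec.get("components") or {}).get("securitySchemes") or {})
    findings: List[Tuple[str, str]] = []
    for path, item in (spec.get("paths") or {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if not isinstance(op, dict):
                continue
            where = f"{method.upper()} {path}"
            if op.get("deprecated"):
                findings.append(("low", f"deprecated operation still served: {where}"))
            # Operation-level security overrides the global one; each entry names a scheme.
            for requirement in op.get("security", spec.get("security") or []):
                for scheme in requirement:
                    if scheme not in schemes:
                        findings.append(("high", f"undefined security scheme {scheme!r} on {where}"))
            if method == "get" and not path.rstrip("/").endswith("}"):
                params = list(item.get("parameters") or []) + list(op.get("parameters") or [])
                query = {p.get("name") for p in params if p.get("in") == "query"}
                if not query & PAGINATION_PARAMS:
                    findings.append(("medium", f"collection endpoint without pagination: {where}"))
            for code, resp in (op.get("responses") or {}).items():
                for media in ((resp or {}).get("content") or {}).values():
                    _walk_schema(media.get("schema"), f"{where} response {code}", findings)
    return findings


def filter_forwarded_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Forward only Authorization, X-API-Key, Cookie and X-Custom-*; drop everything else."""
    return {k: v for k, v in headers.items()
            if k.lower() in ALLOWED_HEADERS or k.lower().startswith("x-custom-")}


# Constructed sample spec: a self-referencing User schema, an undocumented legacy scheme,
# a deprecated operation and a collection endpoint without pagination.
SAMPLE_SPEC = {
    "openapi": "3.1.0",
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {"User": {"type": "object", "properties": {
            "id": {"type": "integer"},
            "password_hash": {"type": "string"},
            "manager": {"$ref": "#/components/schemas/User"}}}},
    },
    "security": [{"bearerAuth": []}],
    "paths": {
        "/users": {"get": {"responses": {"200": {"content": {"application/json": {
            "schema": {"type": "array", "items": {"$ref": "#/components/schemas/User"}}}}}}}},
        "/users/{id}": {"get": {"deprecated": True, "security": [{"legacyKey": []}],
                                "responses": {"200": {"description": "ok"}}}},
    },
}

if __name__ == "__main__":
    for sev, msg in lint_openapi(SAMPLE_SPEC):
        print(f"[{sev}] {msg}")
```

The spec-side checks are only half of a spec-to-runtime diff; the other half is issuing the read-only requests and comparing observed status codes, headers and response fields against what the resolved document promises, which is where undocumented endpoints and undeclared fields surface.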
Product features and continuous monitoring
The Web Dashboard centralizes scan management: review findings, track score trends, download branded compliance PDFs, and manage API inventories. The CLI, distributed as an npm package, supports commands such as middlebrick scan <url> with JSON or text output. Integrations include a GitHub Action that acts as a CI/CD gate, failing the build when the score drops below a defined threshold, and an MCP Server for use with AI coding assistants. Continuous monitoring in higher tiers provides scheduled rescans at intervals from every six hours to monthly, diff detection between scans, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that are automatically disabled after five consecutive delivery failures.
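Signed webhooks are only as good as the receiver's verification, so the following added example (not middleBrick's code) shows both sides: the sender computes an HMAC-SHA256 over a timestamp and the raw body, and the receiver checks the timestamp against a replay window and compares the MAC in constant time before it parses the JSON. It also models the sender-side bookkeeping that disables an endpoint after five consecutive failed deliveries. The header name and format (`X-Signature: t=<unix>,v1=<hex>`), the 300-second replay window, and the shared secret are assumptions; check the product's own webhook documentation for the real header layout.

```python
"""HMAC-SHA256 webhook signing, receiver-side verification, and auto-disable after
consecutive delivery failures.  Added example, not middleBrick's code; the
't=<unix>,v1=<hex>' header format and the replay window are assumptions."""
import hashlib
import hmac
import time
from typing import Callable, Dict, Optional

REPLAY_WINDOW_SECONDS = 300
MAX_CONSECUTIVE_FAILURES = 5


def sign_payload(secret: bytes, body: bytes, ts: int) -> str:
    """Sender side: MAC over '<ts>.<body>' so the timestamp cannot be swapped out."""
    mac = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


def verify_signature(secret: bytes, body: bytes, header: str,
                     now: Optional[float] = None) -> bool:
    """Receiver side: parse the header, reject stale timestamps, compare in constant time.
    Verify on the raw bytes BEFORE json.loads(); re-serialized JSON will not match."""
    now = time.time() if now is None else now
    fields = dict(kv.split("=", 1) for kv in header.split(",") if "=" in kv)
    try:
        ts = int(fields["t"])
        provided = fields["v1"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False  # replayed or badly skewed delivery
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, provided)


class WebhookEndpoint:
    """Sender-side state for one subscriber: count consecutive failures, disable at the limit."""

    def __init__(self, url: str, secret: bytes) -> None:
        self.url, self.secret = url, secret
        self.consecutive_failures = 0
        self.enabled = True

    def deliver(self, body: bytes, transport: Callable[[str, Dict[str, str], bytes], int],
                ts: Optional[int] = None) -> bool:
        """transport(url, headers, body) -> HTTP status.  Injected so this runs offline;
        a real sender would wrap an HTTP client here."""
        if not self.enabled:
            return False
        ts = int(time.time()) if ts is None else ts
        headers = {"Content-Type": "application/json",
                   "X-Signature": sign_payload(self.secret, body, ts)}
        try:
            ok = 200 <= transport(self.url, headers, body) < 300
        except Exception:  # connection errors count as failures too
            ok = False
        if ok:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
                self.enabled = False
        return ok


# Constructed sample: a score-change event and a shared secret (not real values).
SECRET = b"whsec_example_only"
EVENT = b'{"api":"https://api.example.com","previous":"B","current":"C"}'

if __name__ == "__main__":
    header = sign_payload(SECRET, EVENT, int(time.time()))
    print(header, verify_signature(SECRET, EVENT, header))
```

A receiver that parses the body first and re-serializes it, or that compares hex strings with `==`, defeats the point of the signature: the former breaks on whitespace and key-order changes, the latter leaks timing information about the expected MAC.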
Compliance mapping and safety posture
middleBrick maps findings to PCI-DSS 4.0, SOC 2 Type II, and the OWASP API Top 10 (2023), which helps when preparing for security reviews and collecting audit evidence. The scanner does not perform intrusive exploitation such as active SQL injection or command injection; those fall outside its black-box scope. It also does not detect business logic vulnerabilities or blind SSRF, and it does not replace human pentesters for high-stakes engagements. Safety controls include read-only testing; blocking of private IPs, localhost, and cloud metadata endpoints at multiple layers, so the scanner cannot be pointed at its own or a cloud provider's internal addresses; and on-demand data deletion, with data purged within 30 days of cancellation.
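Any service that fetches user-supplied URLs is an SSRF proxy unless it validates targets, and "at multiple layers" matters because a hostname check alone is bypassed by a DNS name that resolves to 127.0.0.1 or by a decimal-encoded address. The following added example (not middleBrick's code) shows one layered validator: scheme check, literal-host check, and a check of every address the host resolves to, with IPv4-mapped IPv6 unwrapped so ::ffff:127.0.0.1 is judged as loopback. The resolver is injected and backed by a constructed lookup table so the example runs offline; the metadata hostname list is an assumption.

```python
"""Layered target validation a scanner applies before making any request: scheme,
literal host, and every resolved address are checked against loopback, private,
link-local and cloud metadata ranges.  Added example, not middleBrick's code; the
resolver is injected (fake table below) and the metadata host list is an assumption."""
import ipaddress
from typing import Callable, Iterable, Optional, Tuple
from urllib.parse import urlsplit

METADATA_HOSTS = {"metadata.google.internal", "metadata", "instance-data"}  # assumed list
METADATA_IPS = {ipaddress.ip_address("169.254.169.254"),   # AWS/GCP/Azure IMDS (IPv4)
                ipaddress.ip_address("fd00:ec2::254")}      # AWS IMDS (IPv6)


def _disallowed_reason(ip: ipaddress._BaseAddress) -> Optional[str]:
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    if ip in METADATA_IPS:
        return "cloud metadata address"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_unspecified:
        return "unspecified address"
    if ip.is_private:
        return "private range"
    if ip.is_multicast or ip.is_reserved:
        return "non-routable"
    return None


def check_target(url: str, resolve: Callable[[str], Iterable[str]]) -> Tuple[bool, str]:
    """Layer 1: scheme and hostname syntax.  Layer 2: a literal IP host.
    Layer 3: every address the name resolves to (a name pointing at 127.0.0.1 is blocked).
    A real scanner re-runs this on every redirect target as well."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost") or host in METADATA_HOSTS:
        return False, f"blocked hostname {host!r}"
    try:
        candidates = [ipaddress.ip_address(host)]
    except ValueError:  # not a literal address: resolve it and judge every answer
        try:
            candidates = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError) as exc:
            return False, f"resolution failed: {exc}"
        if not candidates:
            return False, "host resolved to no addresses"
    for ip in candidates:
        reason = _disallowed_reason(ip)
        if reason:
            return False, f"{host} -> {ip}: {reason}"
    return True, "ok"


# Constructed lookup table standing in for DNS; a real scanner would call socket.getaddrinfo.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "internal.example.com": ["93.184.216.34", "10.0.0.5"],  # split-horizon / rebinding style
    "2130706433": ["127.0.0.1"],   # what inet_aton makes of a decimal IPv4 literal
}


def fake_resolve(host: str) -> Iterable[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for u in ("https://api.example.com/v1", "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/", "http://2130706433/", "http://internal.example.com/"):
        print(u, check_target(u, fake_resolve))
```

The resolved-address check is the layer that actually stops rebinding and decimal/octal literals; the hostname and literal checks are cheap early rejects. If the HTTP client follows redirects, each Location must go through check_target again, otherwise a public host can 302 the scanner onto the metadata service.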