Apigee for Fintech
What middleBrick covers
- Black-box API security scanning with read-only access
- Coverage of 12 categories aligned to the OWASP API Top 10 (2023) and mapped to compliance frameworks
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with recursive reference resolution
- Authenticated scanning with domain verification and header allowlist
- Continuous monitoring with scheduled rescans and change detection
- GitHub Action and MCP server integration for automated workflows
API Security Posture for Financial Services
Financial APIs process sensitive account data and transaction instructions, so exposure of these endpoints has high impact. This scanner assesses the security posture of endpoints without requiring code access or agents. It operates as a read-only black-box tool, exercising GET and HEAD methods plus limited text-only POST probes to surface configuration and implementation risks.
Detection Scope and Compliance Alignment
The scanner covers 12 categories aligned to the OWASP API Top 10 (2023), including authentication bypass, broken object level authorization, and data exposure. Findings map directly to PCI-DSS 4.0 and SOC 2 Type II controls, and support audit evidence for relevant requirements under these frameworks.
- Authentication — multi-method bypass, JWT misconfigurations, security headers, WWW-Authenticate compliance.
- BOLA / IDOR — sequential ID enumeration, active adjacent-ID probing.
- Data Exposure — PII patterns such as email and context-aware SSN, API key formats, error leakage.
- Input Validation — CORS wildcard with credentials, dangerous HTTP methods.
- SSRF — URL-accepting parameters, internal IP detection probes.
- LLM / AI Security — adversarial probes across Quick, Standard, and Deep tiers, including prompt injection and token smuggling.
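The following is an added illustration of the kind of read-only, response-side analysis the Input Validation and Data Exposure categories above describe; it is example code written for this page, not middleBrick's implementation. It runs over a constructed response (headers plus a JSON body) and reports a CORS wildcard combined with credentials, missing security headers, and PII in the body, with the SSN check tied to the JSON key a nine-digit value sits under so that order ids and routing numbers are not reported. The header list and the API key shapes are assumptions for the example; the scanner's own pattern set is not on this page.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample response (not captured traffic): a CORS misconfiguration,
# an SSN next to a nine-digit order id, and a placeholder API key in the body.
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}
SAMPLE_BODY = (
    '{"customer": {"email": "jane.doe@example.com", "ssn": "123-45-6789"}, '
    '"order_id": 987654321, "api_key": "sk_live_EXAMPLEKEY0123456789"}'
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Nine digits in SSN layout, with or without dashes.
SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")
# The JSON key immediately before a match, e.g. '"ssn": "' -> ssn.
KEY_BEFORE_RE = re.compile(r'"([A-Za-z0-9_]+)"\s*:\s*"?\s*$')
# Key name components that make a nine-digit value SSN-like (assumed list).
SSN_KEY_RE = re.compile(r"(?:^|_)(?:ssn|social|tax_?id|tin)(?:_|$)", re.IGNORECASE)
# Hypothetical key shapes; the scanner's own pattern set is not on the page.
API_KEY_RE = re.compile(r"\b(?:sk_live_[A-Za-z0-9]{16,}|AKIA[0-9A-Z]{16})\b")
# Assumed minimum header set for this example.
EXPECTED_HEADERS = (
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "Content-Security-Policy",
)


def check_cors(headers: Dict[str, str]) -> List[str]:
    """A wildcard origin is only reported when credentials are also allowed."""
    h = {k.lower(): v for k, v in headers.items()}
    if (h.get("access-control-allow-origin") == "*"
            and h.get("access-control-allow-credentials", "").lower() == "true"):
        return ["CORS wildcard origin combined with credentials"]
    return []


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Header names are compared case-insensitively, as HTTP requires."""
    present = {k.lower() for k in headers}
    return [f"missing header: {name}" for name in EXPECTED_HEADERS
            if name.lower() not in present]


def find_pii(body: str) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs. An SSN-shaped number is only reported when
    the JSON key it sits under looks like an SSN field, so order ids pass."""
    findings: List[Tuple[str, str]] = []
    for m in EMAIL_RE.finditer(body):
        findings.append(("email", m.group(0)))
    for m in SSN_RE.finditer(body):
        key = KEY_BEFORE_RE.search(body[:m.start()])
        if key and SSN_KEY_RE.search(key.group(1)):
            findings.append(("ssn", m.group(0)))
    for m in API_KEY_RE.finditer(body):
        findings.append(("api_key", m.group(0)))
    return findings


def analyze_response(headers: Dict[str, str], body: str) -> List[str]:
    """Read-only posture findings for one response; nothing is sent anywhere."""
    pii = [f"{kind} exposed: {value}" for kind, value in find_pii(body)]
    return check_cors(headers) + check_security_headers(headers) + pii


if __name__ == "__main__":
    for line in analyze_response(SAMPLE_HEADERS, SAMPLE_BODY):
        print(line)
```

Keying the SSN check to the surrounding field name rather than to a distance window is what keeps a nine-digit order id out of the report; a plain window check would still flag it whenever an `ssn` key happened to appear a few characters earlier in the same object.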
OpenAPI Analysis and Authenticated Scanning
The tool parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references spec definitions against runtime behavior to identify undefined security schemes, sensitive field exposure, deprecated operations, and missing pagination. Authenticated scans validate ownership through a domain verification gate, allowing Bearer, API key, Basic auth, and Cookie credentials when DNS TXT or HTTP well-known file verification passes. Only specified headers are forwarded to limit exposure.
middlebrick scan https://api.example.com/openapi.json --auth-type bearer --auth-token "REDACTED"
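As an added example of the spec-side checks described above (recursive $ref resolution, undefined security schemes, sensitive field exposure, deprecated operations, missing pagination), the Python below is written for this page and is not middleBrick's code. It works on a constructed OpenAPI 3.0 document embedded inline, resolves only local `#/...` references, and stops on cycles by tagging a reference that is already on the resolution path. The sensitive field names and pagination parameter names are assumptions for the example; the runtime cross-referencing the page mentions is out of scope here.

```python
import copy
from typing import Any, Dict, List, Set, Tuple

# Constructed minimal OpenAPI 3.0 document (not a real API): a $ref chain
# (Account -> Customer), a self-referencing schema (Node), one operation that
# names a security scheme never defined, one deprecated operation with no
# security at all, and a collection endpoint without pagination parameters.
SPEC: Dict[str, Any] = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "Account": {"type": "object", "properties": {
                "id": {"type": "string"},
                "owner": {"$ref": "#/components/schemas/Customer"}}},
            "Customer": {"type": "object", "properties": {
                "email": {"type": "string"}, "ssn": {"type": "string"}}},
            "Node": {"type": "object", "properties": {
                "next": {"$ref": "#/components/schemas/Node"}}},
        },
    },
    "paths": {
        "/accounts": {"get": {
            "security": [{"bearerAuth": []}], "parameters": [],
            "responses": {"200": {"description": "ok", "content": {"application/json": {
                "schema": {"type": "array", "items": {"$ref": "#/components/schemas/Account"}}}}}}}},
        "/accounts/{id}": {"get": {
            "security": [{"legacyKey": []}],
            "parameters": [{"name": "id", "in": "path", "required": True, "schema": {"type": "string"}}],
            "responses": {"200": {"description": "ok", "content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/Account"}}}}}}},
        "/legacy/export": {"get": {
            "deprecated": True, "responses": {"200": {"description": "ok"}}}},
    },
}

SENSITIVE_FIELDS = {"ssn", "password", "secret", "card_number", "cvv"}   # assumed
PAGINATION_PARAMS = {"page", "limit", "offset", "cursor", "page_size"}  # assumed
HTTP_METHODS = ("get", "put", "post", "delete", "patch", "head", "options")


def resolve_ref(doc: Dict[str, Any], ref: str) -> Any:
    """Follow a local JSON pointer such as '#/components/schemas/Account'."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local $refs are handled here: {ref}")
    node: Any = doc
    for part in ref[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node


def resolve_all(doc: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the document with every local $ref inlined."""
    return _inline(doc, doc, ())


def _inline(doc: Dict[str, Any], node: Any, seen: Tuple[str, ...]) -> Any:
    # A $ref already on the current resolution path is left in place and
    # tagged instead of being expanded again, which is what stops cycles.
    if isinstance(node, dict):
        ref = node.get("$ref")
        if isinstance(ref, str):
            if ref in seen:
                return {"$ref": ref, "x-circular": True}
            return _inline(doc, copy.deepcopy(resolve_ref(doc, ref)), seen + (ref,))
        return {k: _inline(doc, v, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [_inline(doc, v, seen) for v in node]
    return node


def property_names(schema: Any, out: Set[str]) -> Set[str]:
    """Collect every property name reachable in an already-resolved schema."""
    if isinstance(schema, dict):
        for name, sub in schema.get("properties", {}).items():
            out.add(name.lower())
            property_names(sub, out)
        if "items" in schema:
            property_names(schema["items"], out)
        for key in ("allOf", "oneOf", "anyOf"):
            for sub in schema.get(key, []):
                property_names(sub, out)
    return out


def audit_spec(doc: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Static checks over the resolved document; returns (operation, issue) pairs."""
    resolved = resolve_all(doc)
    defined = set(doc.get("components", {}).get("securitySchemes", {}))
    findings: List[Tuple[str, str]] = []
    for path, item in resolved.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if not op:
                continue
            where = f"{method.upper()} {path}"
            # An operation-level "security" overrides the document-level one;
            # an empty list explicitly disables authentication.
            security = op.get("security", doc.get("security"))
            if not security:
                findings.append((where, "no security requirement"))
            else:
                for requirement in security:
                    for scheme in requirement:
                        if scheme not in defined:
                            findings.append((where, f"undefined security scheme: {scheme}"))
            if op.get("deprecated"):
                findings.append((where, "deprecated operation still exposed"))
            schemas = [media.get("schema", {})
                       for resp in op.get("responses", {}).values()
                       for media in resp.get("content", {}).values()]
            names: Set[str] = set()
            for schema in schemas:
                property_names(schema, names)
            for field in sorted(names & SENSITIVE_FIELDS):
                findings.append((where, f"sensitive field in response: {field}"))
            params = {p.get("name", "").lower() for p in op.get("parameters", [])}
            if (method == "get" and any(s.get("type") == "array" for s in schemas)
                    and not params & PAGINATION_PARAMS):
                findings.append((where, "collection endpoint without pagination parameters"))
    return findings
```

Resolving references before inspecting response schemas is what makes the `ssn` field visible on `GET /accounts`: in the raw document that operation only mentions `Account`, and the sensitive property lives two references away in `Customer`. Without the `seen` path, the self-referencing `Node` schema would recurse until the interpreter's stack limit.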
Continuous Monitoring and Integration
The Pro tier enables scheduled rescans at six-hour, daily, weekly, or monthly intervals. It provides diff detection between scans to highlight new findings, resolved issues, and score drift. Alerts are rate-limited to one email per hour per API, and webhooks are HMAC-SHA256 signed, with auto-disable after five consecutive failures. Integration options include a CLI, a GitHub Action with CI/CD gating, and an MCP server for AI-assisted workflows.
middlebrick scan https://api.example.com/openapi.json --output json | jq '.score'
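The following added example, written for this page rather than taken from middleBrick, shows the receiving side of the monitoring flow described above: verifying an HMAC-SHA256 webhook signature in constant time over the raw body, then diffing the delivered scan against the previous one to produce new findings, resolved findings and score drift. It also models the sender-side rule that five consecutive delivery failures disable a webhook. The signature header format (a lowercase hex digest over the raw body), the report structure, and the finding key (category plus endpoint) are assumptions for the example; the product's actual header name and payload schema are not on this page.

```python
import hashlib
import hmac
import json
from typing import Any, Dict

# Shared secret configured on both sides; constructed value for this example.
WEBHOOK_SECRET = b"example-shared-secret-change-me"

# Constructed scan payloads. A finding is identified by category plus
# endpoint, an assumption about report structure, not the product's schema.
PREVIOUS_SCAN: Dict[str, Any] = {
    "score": 82,
    "findings": [
        {"category": "cors-wildcard-credentials", "endpoint": "GET /accounts"},
        {"category": "missing-hsts", "endpoint": "GET /accounts"},
    ],
}
CURRENT_BODY: bytes = json.dumps({
    "score": 74,
    "findings": [
        {"category": "missing-hsts", "endpoint": "GET /accounts"},
        {"category": "undefined-security-scheme", "endpoint": "GET /accounts/{id}"},
    ],
}, separators=(",", ":")).encode()


def sign(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Sender side: hex HMAC-SHA256 over the exact bytes put on the wire."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, signature_header: str, secret: bytes = WEBHOOK_SECRET) -> bool:
    """Receiver side: recompute over the raw body (never over re-serialised
    JSON, which may not be byte-identical) and compare in constant time."""
    expected = sign(body, secret)
    return hmac.compare_digest(expected, signature_header.strip().lower())


def _finding_key(finding: Dict[str, Any]) -> str:
    return f"{finding['category']}@{finding['endpoint']}"


def diff_scans(previous: Dict[str, Any], current: Dict[str, Any]) -> Dict[str, Any]:
    """New findings, resolved findings and score drift between two reports."""
    prev = {_finding_key(f) for f in previous["findings"]}
    cur = {_finding_key(f) for f in current["findings"]}
    return {
        "new": sorted(cur - prev),
        "resolved": sorted(prev - cur),
        "score_drift": current["score"] - previous["score"],
    }


def handle_webhook(body: bytes, signature_header: str, previous: Dict[str, Any]) -> Dict[str, Any]:
    """Reject unsigned or tampered deliveries before parsing the body at all."""
    if not verify_signature(body, signature_header):
        raise PermissionError("webhook signature mismatch")
    return diff_scans(previous, json.loads(body))


class WebhookEndpoint:
    """Sender-side delivery state: five consecutive failures disable the endpoint,
    and any success resets the counter."""
    MAX_CONSECUTIVE_FAILURES = 5

    def __init__(self, url: str) -> None:
        self.url = url
        self.consecutive_failures = 0
        self.enabled = True

    def record_delivery(self, succeeded: bool) -> bool:
        if succeeded:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.MAX_CONSECUTIVE_FAILURES:
                self.enabled = False
        return self.enabled


if __name__ == "__main__":
    print(handle_webhook(CURRENT_BODY, sign(CURRENT_BODY), PREVIOUS_SCAN))
```

Two details matter on the receiving side: the MAC must be computed over the raw request bytes, because parsing and re-serialising JSON can change whitespace or key order and break verification, and the comparison must use `hmac.compare_digest` rather than `==` so that the check does not leak timing information about how many leading bytes matched.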
Limitations and Scope Considerations
The scanner does not perform active SQL injection or command injection testing, as those require intrusive payloads outside its read-only design. It does not detect business logic vulnerabilities or blind SSRF that relies on out-of-band infrastructure, and it does not guarantee behavior under complex multi-step workflows. It is not a replacement for human-led penetration tests in high-stakes audit scenarios. The tool reports findings and provides remediation guidance but does not fix, patch, or block issues.