APIsec for Echo

middleBrick is a self-service API security scanner that operates as a black-box solution. You submit an API URL and receive a risk score from A to F along with prioritized findings. The scanner uses only read-only methods such as GET and HEAD, plus text-only POST for LLM probes, and completes a scan in under one minute. No agents, SDKs, or code access are required, making it applicable to any language, framework, or cloud environment.

The scanner evaluates 12 security categories aligned to the OWASP API Top 10 (2023). It maps findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023) to support audit evidence for these frameworks. Detection areas include authentication bypass, JWT misconfigurations such as alg=none or expired tokens, BOLA and IDOR via sequential ID enumeration, BFLA and privilege escalation through admin endpoint probing, property overexposure, input validation issues like CORS wildcard usage, rate limiting misconfigurations, data exposure including PII and API key leakage, encryption missteps, SSRF against URL-accepting parameters, inventory management gaps, and unsafe consumption surfaces. It also runs 18 adversarial LLM security probes across Quick, Standard, and Deep tiers targeting system prompt extraction, jailbreaks, and data exfiltration.

middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references spec definitions against runtime behavior to surface undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For authenticated scans, supported methods include Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through DNS TXT records or an HTTP well-known file so that only domain owners can submit credentials. A strict header allowlist ensures only Authorization, X-API-Key, Cookie, and X-Custom-* headers are forwarded during testing.

The Web Dashboard centralizes scan results, score trends, and remediation guidance, with the option to download branded compliance PDFs. The CLI, distributed as an npm package named middlebrick, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action can act as a CI/CD gate, failing the build when the score drops below a defined threshold. The MCP Server enables scanning from AI coding assistants like Claude and Cursor. For ongoing risk tracking, Pro tier customers can schedule rescans every six hours, daily, weekly, or monthly. Diff detection highlights new findings, resolved issues, and score drift, with email alerts limited to one per hour per API and HMAC-SHA256 signed webhooks that auto-disable after five consecutive failures.

middleBrick detects and reports findings with remediation guidance but does not fix, patch, block, or remediate issues. It does not perform active SQL injection or command injection tests, which require intrusive payloads outside its scope. Business logic vulnerabilities are outside automated detection, as they require human understanding of the domain. Blind SSRF is not covered due to the absence of out-of-band infrastructure, and the tool does not replace a human pentester for high-stakes audits. Safety measures include read-only methods only, blocking destructive payloads, filtering private IPs, localhost, and cloud metadata endpoints at multiple layers, and allowing customer data deletion on demand within 30 days of cancellation. Customer data is never sold or used for model training.