APIsec for Fintech
What middleBrick covers
- Risk scoring A–F with prioritized findings
- Black-box scanning without agents or SDKs
- Read-only methods, with scans completing in under one minute
- Mapping findings to PCI-DSS 4.0, SOC 2, and OWASP
- Authenticated scanning with Bearer tokens and API keys
- CI/CD integration via GitHub Action
Risk assessment aligned to financial threat models
Fintech environments process sensitive payment data and are subject to strict regulatory expectations. middleBrick maps findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023), providing observations that support audit evidence for these frameworks. The scanner focuses on authentication bypass, data exposure, and injection-related weaknesses common to payment APIs.
Detection coverage for OWASP API Top 10
The scanner covers the OWASP API Top 10 (2023) with 12 check categories relevant to financial services:
- Authentication: multi-method bypass and JWT misconfigurations such as alg=none and expired tokens
- BOLA and BFLA: ID enumeration and privilege escalation paths
- Property Authorization: over-exposed internal fields
- Input Validation: CORS wildcard usage and dangerous HTTP methods
- Rate Limiting and Resource Consumption: evaluated via header detection and oversized responses
- Data Exposure: PII patterns and API key formats, including AWS, Stripe, GitHub, and Slack keys
- Encryption: HTTPS redirects, HSTS, and cookie flags
- SSRF: URL-accepting parameters and internal IP probing
- Inventory Management: missing versioning and legacy paths
- LLM / AI Security: 18 adversarial probes across Quick, Standard, and Deep tiers, covering prompt injection, data exfiltration, and token smuggling
OpenAPI spec validation for financial interfaces
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution. It cross-references spec definitions against runtime behavior to surface undefined security schemes, sensitive fields, deprecated operations, and missing pagination. This helps teams verify that documented authentication and authorization rules align with actual endpoint behavior, reducing the risk of insecure interfaces in production.
Authenticated scanning and safe operation
Authenticated scanning is available from the Starter tier onward, supporting Bearer, API key, Basic auth, and Cookie credentials. Domain verification requires proof of ownership via a DNS TXT record or an HTTP well-known file, so that only domain owners can scan with credentials. Header forwarding is limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers. The scanner uses only read-only methods and never sends destructive payloads. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers, and customer data is deletable on demand and never used for model training.
Deployment options and continuous monitoring
The Web Dashboard centralizes scan management, report viewing, and score trend tracking, with branded compliance PDF exports. The CLI supports commands such as middlebrick scan <url> with JSON or text output. The GitHub Action enforces CI/CD gates by failing builds when scores drop below defined thresholds. The MCP Server enables scanning from AI coding assistants. The Pro tier adds scheduled rescans (every 6 hours, daily, weekly, or monthly) with diff detection for new and resolved findings. Email alerts are rate-limited to one per hour per API, and webhooks are signed with HMAC-SHA256 and auto-disabled after five consecutive delivery failures.