APIsec for Gaming

What middleBrick covers

  • Black-box scanning in under one minute per API
  • Risk score A–F with prioritized findings
  • 12 OWASP API Top 10 (2023) coverage categories
  • OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
  • Authenticated scanning for Bearer, API key, Basic, and Cookie
  • CI/CD integration via GitHub Action and CLI

Black-box API security for gaming backends

Gaming backends expose REST and GraphQL endpoints for player data, leaderboards, purchases, and matchmaking. middleBrick is a self-service API security scanner that assesses these surfaces without requiring code access or agents. You submit a URL, and in under a minute you receive a risk score from A to F with prioritized findings. The scanner uses read-only methods (GET and HEAD), plus text-only POST requests for the LLM probes, so it works against any language, framework, or cloud setup common in games infrastructure.

Detection coverage aligned to industry standards

middleBrick maps findings to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). The tool detects issues across 12 categories aligned to the OWASP API Top 10, which supports audit evidence for security reviews relevant to gaming platforms. Specific checks include:

  • Authentication bypass and JWT misconfigurations
  • Broken object level authorization and IDOR
  • Business logic flaws on admin or privilege paths
  • Over-exposed properties and mass-assignment surfaces
  • Input validation issues such as CORS wildcards and dangerous HTTP methods
  • Rate limiting and oversized responses
  • Exposure of PII such as email addresses and, with context-aware detection, SSNs
  • Insecure transmission via missing HSTS or mixed content
  • SSRF against URL-accepting parameters
  • Inventory issues such as missing versioning
  • Unsafe consumption surfaces, including webhooks
  • LLM/AI security probes covering system prompt extraction and jailbreak techniques

Authenticated scanning and safety controls

With the Starter tier and above, authenticated scanning supports Bearer tokens, API keys, Basic auth, and cookies. Access is gated by domain verification, so only the domain owner can scan with credentials. The scanner forwards only a strict allowlist of headers: Authorization, X-API-Key, Cookie, and X-Custom-* headers. Destructive payloads are never sent, and private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data is deletable on demand and purged within 30 days of cancellation, and it is never sold or used for model training.
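The two safety controls described above, a header allowlist and a block on private, loopback and cloud-metadata targets, are common to any credentialed scanner. The following is an added illustration written for this page, not middleBrick's own code; the function names, the allowlist patterns and the injected resolver are assumptions. The resolver is passed in so the check can validate what a hostname resolves to (not just the literal host) and so the example runs offline.

```python
import ipaddress
from fnmatch import fnmatch
from urllib.parse import urlparse

# Hypothetical names; not middleBrick's implementation.
# Header names the scanner is willing to forward (case-insensitive, glob patterns).
HEADER_ALLOWLIST = ("authorization", "x-api-key", "cookie", "x-custom-*")

# Hostnames that are metadata services or loopback aliases regardless of DNS.
BLOCKED_HOSTNAMES = {"localhost", "metadata", "metadata.google.internal", "169.254.169.254"}


def filter_headers(headers):
    """Keep only headers whose name matches the allowlist; everything else is dropped
    so that credentials or hop-by-hop headers the user never intended are not replayed."""
    kept = {}
    for name, value in headers.items():
        lname = name.lower()
        if any(fnmatch(lname, pattern) for pattern in HEADER_ALLOWLIST):
            kept[name] = value
    return kept


def is_blocked_address(host):
    """True for loopback, private, link-local (incl. 169.254.169.254), reserved,
    multicast or unspecified addresses, and for known metadata/loopback hostnames."""
    lowered = host.lower().rstrip(".")
    if lowered in BLOCKED_HOSTNAMES or lowered.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a normal hostname; the caller checks what it resolves to
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_target(url, resolver=None):
    """Return (ok, reason). `resolver` maps a hostname to the list of IP strings it
    resolves to; checking the resolved addresses defeats DNS names that point inward."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parsed.hostname
    if not host:
        return False, "no host in URL"
    if is_blocked_address(host):
        return False, f"blocked host {host}"
    if resolver is not None:
        for addr in resolver(host):
            if is_blocked_address(addr):
                return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample input, not captured traffic.
    print(filter_headers({"Authorization": "Bearer t", "X-Custom-Tenant": "eu",
                          "X-Forwarded-For": "198.51.100.7"}))
    print(check_target("http://169.254.169.254/latest/meta-data/"))
    print(check_target("https://api.example.com/v1", resolver=lambda h: ["93.184.216.34"]))
```

Checking both the literal host and every resolved address is what "blocked at multiple layers" amounts to in practice: a public-looking hostname that resolves to 10.0.0.0/8 or to the metadata range is refused the same way a raw private IP is.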

OpenAPI analysis and integration options

middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution. It cross-references spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. You can integrate via the CLI with middlebrick scan <url>, outputting JSON or text, or through the web dashboard for reports and score trends. The GitHub Action can gate CI/CD, failing the build when the score drops below your threshold, and the MCP Server enables scanning from AI coding assistants. An API client is available for custom integrations and continuous monitoring setups such as scheduled rescans and diff detection across scans.
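Recursive $ref resolution and the spec-level checks mentioned above (undefined security schemes, missing pagination) are shown in the following added example. It is written for this page and is not middleBrick's parser; the function names, the `x-circular` marker used to stop self-referencing schemas, the set of pagination parameter names and the sample spec are all assumptions, and the example handles only local `#/...` references.

```python
# Hypothetical helper, not middleBrick's implementation.
PAGINATION_PARAMS = {"limit", "offset", "page", "cursor", "page_size", "per_page"}
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}


def _lookup(doc, pointer):
    """Follow a local JSON pointer such as '#/components/schemas/Player'."""
    if not pointer.startswith("#/"):
        raise ValueError(f"only local refs are supported: {pointer}")
    node = doc
    for part in pointer[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node


def resolve_refs(doc, node=None, seen=()):
    """Return a copy of `node` with every $ref replaced by its target, recursively.
    `seen` holds the refs on the current path; a ref already on the path is a cycle
    (e.g. Player.friends -> Player) and is left as a marker instead of recursing forever."""
    if node is None:
        node = doc
    if isinstance(node, dict):
        if "$ref" in node:
            ref = node["$ref"]
            if ref in seen:
                return {"$ref": ref, "x-circular": True}
            return resolve_refs(doc, _lookup(doc, ref), seen + (ref,))
        return {k: resolve_refs(doc, v, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(doc, v, seen) for v in node]
    return node


def spec_findings(doc):
    """Report (path, METHOD, message) for operations that require a security scheme
    not declared in components.securitySchemes, and for GETs returning a JSON array
    with no pagination parameter."""
    resolved = resolve_refs(doc)
    defined = set(resolved.get("components", {}).get("securitySchemes", {}))
    findings = []
    for path, item in resolved.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # path-level keys such as 'parameters' or 'summary'
            for requirement in op.get("security", resolved.get("security", [])):
                for scheme in requirement:
                    if scheme not in defined:
                        findings.append((path, method.upper(),
                                         f"undefined security scheme '{scheme}'"))
            if method.lower() == "get":
                schema = (op.get("responses", {}).get("200", {}).get("content", {})
                          .get("application/json", {}).get("schema", {}))
                names = {p.get("name") for p in op.get("parameters", [])}
                if schema.get("type") == "array" and not names & PAGINATION_PARAMS:
                    findings.append((path, "GET", "list endpoint without pagination parameter"))
    return findings


# Constructed sample spec (assumption): a self-referencing Player schema, one
# unpaginated list endpoint, and one operation naming a scheme that is never defined.
SAMPLE_SPEC = {
    "openapi": "3.1.0",
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "Player": {"type": "object", "properties": {
                "id": {"type": "string"},
                "friends": {"type": "array", "items": {"$ref": "#/components/schemas/Player"}}}},
            "PlayerList": {"type": "array", "items": {"$ref": "#/components/schemas/Player"}},
        },
    },
    "paths": {
        "/players": {"get": {
            "security": [{"bearerAuth": []}],
            "responses": {"200": {"content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/PlayerList"}}}}}}},
        "/leaderboard": {"get": {
            "security": [{"adminKey": []}],
            "parameters": [{"name": "limit", "in": "query", "schema": {"type": "integer"}}],
            "responses": {"200": {"content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/PlayerList"}}}}}}},
    },
}

if __name__ == "__main__":
    for finding in spec_findings(SAMPLE_SPEC):
        print(finding)
```

Resolving references before running the checks matters: the `/players` response is declared only as a `$ref`, so a check that looks at the raw document never sees that it is an array. The cycle guard is equally important, since a schema that references itself is legal OpenAPI and an unguarded resolver would never terminate.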

Limitations and complementary testing

middleBrick does not fix, patch, block, or remediate findings; it detects and reports with remediation guidance. It does not perform active SQL injection or command injection, as those require intrusive payloads outside its scope. Business logic vulnerabilities require human domain expertise, and blind SSRF is out of scope due to the lack of out-of-band infrastructure. The tool does not replace a human pentester for high-stakes audits. For gaming titles with complex economies or anti-cheat mechanisms, use these results as one input into a broader security strategy.

Frequently Asked Questions

How does authenticated scanning work?
Authenticated scanning uses Bearer, API key, Basic auth, or cookies after domain verification. Only specific headers are forwarded, and the scan remains read-only.
Can I integrate middleBrick into my CI/CD pipeline?
Yes, the GitHub Action can fail the build based on score thresholds, and the CLI supports automated invocation with JSON output.
What standards does middleBrick map findings to?
Findings map directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023).
Does the tool perform intrusive injection testing?
No. The scanner avoids destructive payloads and does not execute active SQL injection or command injection tests.