APIsec for Platform engineers
What middleBrick covers
- Fast black-box scanning under one minute with no agents or SDK
- Risk score A–F with prioritized findings and remediation guidance
- OpenAPI 3.0/3.1/Swagger 2.0 parsing with $ref resolution
- LLM/AI adversarial probe suite across Quick, Standard, and Deep tiers
- Authenticated scans with Bearer, API key, Basic, and Cookie
- Continuous monitoring with diff detection and automated alerts
Purpose and workflow for platform engineers
This scanner is designed for platform teams that need fast, low-friction insight into external and internal APIs without integrating an agent. You submit an API endpoint, receive a risk score from A to F, and get prioritized findings with remediation guidance. The workflow is read-only: GET and HEAD are used by default, with text-only POST allowed for LLM probes. Scan completion typically occurs in under a minute, enabling quick checks during design reviews or before merges.
Detection coverage aligned to industry standards
The scanner maps findings to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). Detection covers authentication bypass and JWT misconfigurations such as alg=none, HS256, expired tokens, missing claims, and sensitive data in claims. It identifies BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing, and BFLA and privilege escalation through admin endpoint probing and role leakage. Input validation checks include CORS wildcard configurations with and without credentials, dangerous HTTP methods, and debug endpoints. Data exposure checks look for PII patterns including email, Luhn-validated card numbers, context-aware SSNs, and API key formats for AWS, Stripe, GitHub, and Slack. Encryption checks validate HTTPS redirects, HSTS, and cookie flags. SSRF checks cover probes against URL-accepting parameters and internal IP detection. The scanner also covers inventory issues like missing versioning and server fingerprinting, unsafe consumption surfaces, and 18 LLM/AI adversarial probes across Quick, Standard, and Deep tiers, including system prompt extraction, instruction override, jailbreaks, and token smuggling.
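The JWT findings named above can also be checked on your own tokens before a scan. The following is an added example, not middleBrick's code: it decodes a compact JWT without verifying the signature and reports the listed misconfigurations. The required-claim set, the sensitive key names, the finding labels, and the `make_token` helper are assumptions made for illustration.

```python
import base64
import json
import re
import time

# Assumed policy values for illustration; adjust to your own token profile.
REQUIRED_CLAIMS = ("exp", "iss", "aud")
SENSITIVE_KEYS = {"password", "ssn", "card_number", "secret"}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a Python object."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def audit_jwt(token, now=None):
    """Return sorted findings for a compact JWT. The signature is NOT verified."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed"]
    try:
        header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    except ValueError:  # covers bad base64, bad JSON and bad UTF-8
        return ["malformed"]
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return ["malformed"]
    findings = set()
    alg = str(header.get("alg", "")).lower()
    if alg == "none":
        findings.add("alg-none")
    elif alg == "hs256":
        findings.add("hs256-shared-secret")
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and exp < now:
        findings.add("expired")
    for name in REQUIRED_CLAIMS:
        if name not in claims:
            findings.add(f"missing-{name}")
    for key, value in claims.items():
        if key.lower() in SENSITIVE_KEYS or (isinstance(value, str) and EMAIL_RE.fullmatch(value)):
            findings.add(f"sensitive-claim:{key}")
    return sorted(findings)

def make_token(header, claims, sig="c2ln"):
    """Build a constructed sample token; the signature is a dummy placeholder value."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.{sig}"
```
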
OpenAPI analysis and authenticated scanning
The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, cross-referencing spec definitions against runtime findings to surface undefined security schemes, sensitive fields, deprecated operations, and missing pagination. Authenticated scans, available at the Starter tier and above, support Bearer, API key, Basic auth, and Cookie credentials. Domain verification is enforced through a DNS TXT record or an HTTP well-known file, ensuring only the domain owner can scan with credentials. The header allowlist is limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers to reduce unintended data exposure.
Product integrations and operational reporting
The Web Dashboard centralizes scans, report viewing, score trend tracking, and downloadable branded compliance PDFs. The CLI, published as an npm package, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action enables CI/CD gating, failing the build when the score drops below a configured threshold. An MCP Server allows scans from AI coding assistants like Claude and Cursor. Programmatic access is available via an API client for custom integrations. Continuous monitoring in the Pro tier provides scheduled rescans every 6 hours, daily, weekly, or monthly, diff detection across scans, hourly rate-limited email alerts, HMAC-SHA256 signed webhooks, and auto-disable after 5 consecutive failures.
Limitations and safety posture
The scanner does not fix, patch, block, or remediate; it detects and reports with guidance. It does not perform active SQL injection or command injection, which require intrusive payloads outside its scope. Business logic vulnerabilities are not detected, as they require domain context best handled by humans. Blind SSRF is out of scope due to the lack of out-of-band infrastructure. The tool does not replace a human pentester for high-stakes audits. Safety measures include restricting scans to read-only methods, blocking private IPs, localhost, and cloud metadata endpoints across multiple layers, and deleting customer scan data on demand within 30 days of cancellation.