APIsec for Public APIs
What middleBrick covers
- Black-box scanning with read-only methods under one minute
- 12 OWASP API Top 10 detection categories
- OpenAPI 3.0/3.1/Swagger 2.0 parsing with $ref resolution
- Authenticated scanning with domain verification
- Web dashboard with score trends and compliance PDFs
- CI/CD integration with GitHub Action gating
Overview of public API scanning
This tool is a self-service API security scanner for public endpoints. You submit a URL and receive a risk score from A to F along with prioritized findings. It performs black-box testing only, requiring no agents, code access, or SDK integration. The scanner uses read-only methods (GET and HEAD) plus text-only POST for LLM probes, completing a scan in under a minute.
Detection coverage aligned to major frameworks
The scanner detects issues in 12 categories aligned to the OWASP API Top 10 (2023). It also maps findings to PCI-DSS 4.0 and SOC 2 Type II, and supports audit evidence for relevant controls.
- Authentication — multi-method bypass and JWT misconfigurations such as alg=none, HS256, expired tokens, missing claims, and sensitive data in claims.
- BOLA / IDOR — sequential ID enumeration and active adjacent-ID probing.
- BFLA / Privilege Escalation — admin endpoint probing and role or permission field leakage.
- Property Authorization — over-exposure, internal field leakage, and mass-assignment surface.
- Input Validation — CORS wildcard usage with and without credentials, dangerous HTTP methods, and debug endpoints.
- Rate Limiting & Resource Consumption — detection of rate-limit headers, oversized responses, and unpaginated arrays.
- Data Exposure — PII patterns including email, Luhn-validated card numbers, context-aware SSN, API key formats for AWS/Stripe/GitHub/Slack, and error or stack-trace leakage.
- Encryption — HTTPS redirects, HSTS, cookie flags, and mixed content.
- SSRF — URL-accepting parameters and body fields, internal IP detection, and active IP-bypass probes.
- Inventory Management — missing versioning, legacy path patterns, and server fingerprinting.
- Unsafe Consumption — excessive third-party URLs and webhook/callback surface.
- LLM / AI Security — 18 adversarial probes across Quick, Standard, and Deep tiers, including system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration, cost exploitation, encoding bypasses, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool-abuse, nested instruction injection, and PII extraction.
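The JWT checks listed under Authentication, as an added example rather than middleBrick's own code: a passive structural inspection that flags alg=none, symmetric HS256 signing, expired tokens, missing claims, and sensitive data in claims. The claim lists and finding labels are assumptions chosen for this example; the token builder exists only to construct samples.

```python
import base64
import json
import time

# Assumed lists for this example; a real scanner would tune both.
SENSITIVE_CLAIMS = {"email", "ssn", "password", "card", "phone"}
REQUIRED_CLAIMS = ("sub", "iat", "exp")

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_token(header: dict, payload: dict, signature: str = "") -> str:
    """Build a constructed sample token; the signature is passed through as-is."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc(header)}.{enc(payload)}.{signature}"

def check_jwt(token: str, now=None) -> list:
    """Return finding labels for a token. This does not verify the signature:
    it is a read-only structural check of the kind a black-box scanner runs."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed-token"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return ["malformed-token"]
    findings = []
    alg = str(header.get("alg", "")).lower()
    if alg == "none" or parts[2] == "":
        findings.append("alg-none")          # unsigned token: signature not enforced
    elif alg == "hs256":
        findings.append("hs256-symmetric")   # shared-secret signing, worth review
    for claim in REQUIRED_CLAIMS:
        if claim not in payload:
            findings.append(f"missing-claim:{claim}")
    exp = payload.get("exp")
    if isinstance(exp, (int, float)) and exp < now:
        findings.append("expired")
    for claim in payload:
        if claim.lower() in SENSITIVE_CLAIMS:
            findings.append(f"sensitive-claim:{claim}")
    return findings
```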
OpenAPI analysis supports versions 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, cross-referencing spec definitions against runtime findings such as undefined security schemes, sensitive fields, deprecated operations, and missing pagination.
Authenticated scanning and safety controls
Authenticated scanning is available from the Starter tier upward, supporting Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced via DNS TXT records or an HTTP well-known file, ensuring only the domain owner can scan with credentials. The scanner forwards a restricted header allowlist limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers.
Safety is maintained by using read-only methods only; destructive payloads are never sent. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data is deletable on demand and purged within 30 days of cancellation; data is never sold or used for model training.
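The two safety controls described above, as an added example and not middleBrick's implementation: a target check that refuses private, loopback, link-local (which includes the 169.254.169.254 cloud metadata address) and known internal names, and a header filter that forwards only the documented allowlist. The blocked hostname set is an assumption; only literal hosts are judged here, since resolving names needs network access.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed names for this example; the page lists only the categories blocked.
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal", "metadata"}
# Allowlist from the page: Authorization, X-API-Key, Cookie, X-Custom-*.
ALLOWED_HEADERS = {"authorization", "x-api-key", "cookie"}
ALLOWED_PREFIX = "x-custom-"

def is_safe_target(url: str) -> bool:
    """True only for http(s) targets that are not an internal address.
    Hostnames that are not IP literals pass here; the resolved address must be
    checked again at connect time (not shown) so DNS cannot redirect the scan."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower().rstrip(".")
    if host in BLOCKED_HOSTNAMES or host.endswith(".localhost"):
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # a DNS name; resolve and re-check before connecting
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 must be judged as 10.0.0.1
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def filter_headers(headers: dict) -> dict:
    """Keep only the credential headers the scanner is allowed to forward."""
    kept = {}
    for name, value in headers.items():
        key = name.lower()
        if key in ALLOWED_HEADERS or key.startswith(ALLOWED_PREFIX):
            kept[name] = value
    return kept
```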
Product features and integrations
The Web Dashboard centralizes scan management, report viewing, score trend tracking, and branded compliance PDF downloads. The CLI, published as an npm package, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action enables CI/CD gating, failing the build when the score drops below a chosen threshold. An MCP Server allows scanning from AI coding assistants like Claude and Cursor, and a flexible API client supports custom integrations.
Continuous monitoring and pricing
Pro tier adds continuous monitoring with scheduled rescans every 6 hours, daily, weekly, or monthly. It provides diff detection across scans to highlight new findings, resolved issues, and score drift. Alerts are rate-limited to one email per hour per API, and HMAC-SHA256 signed webhooks auto-disable after 5 consecutive failures.
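The signed-webhook behaviour above, as an added example that is not middleBrick's code: HMAC-SHA256 over the raw body, constant-time verification on the receiving side, and a sender that disables the webhook after 5 consecutive delivery failures. The signature header name, hex encoding and the transport callback are assumptions of this example.

```python
import hashlib
import hmac
import json

MAX_CONSECUTIVE_FAILURES = 5  # the page's auto-disable threshold
SIGNATURE_HEADER = "X-Signature-SHA256"  # assumed header name

def sign_payload(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the exact bytes that will be sent."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_signature(secret: bytes, body: bytes, received: str) -> bool:
    """Receiver side: constant-time compare so timing does not leak the MAC."""
    return hmac.compare_digest(sign_payload(secret, body), received)

class WebhookSender:
    """Sender side: signs each event and tracks consecutive failures."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.failures = 0
        self.enabled = True

    def deliver(self, event: dict, transport) -> bool:
        """transport(body, headers) returns True on a 2xx response (assumed).
        Returns whether the delivery succeeded; disabled hooks never send."""
        if not self.enabled:
            return False
        body = json.dumps(event, sort_keys=True).encode()
        headers = {SIGNATURE_HEADER: sign_payload(self.secret, body)}
        ok = transport(body, headers)
        if ok:
            self.failures = 0  # any success resets the streak
        else:
            self.failures += 1
            if self.failures >= MAX_CONSECUTIVE_FAILURES:
                self.enabled = False
        return ok
```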
Pricing is tiered: Free at $0 with 3 scans per month and CLI access; Starter at $99 per month for 15 APIs, monthly scans, dashboard, email alerts, and MCP Server; Pro at $499 per month for 100 APIs with additional APIs priced at $7 each, including continuous monitoring, GitHub Action gates, CI/CD integration, Slack/Teams alerts, compliance reports, and signed webhooks; Enterprise at $2,000 per month for unlimited APIs, custom rules, SSO, audit logs, SLA, and dedicated support.
Limitations and compliance framing
The scanner does not fix, patch, block, or remediate issues; it detects and reports them with remediation guidance. It does not perform active SQL injection or command injection testing, as those require intrusive payloads outside its scope. It does not detect business logic vulnerabilities or blind SSRF that relies on out-of-band infrastructure, and it does not replace human pentesters for high-stakes audits.
For other frameworks, the tool helps you prepare for audits by aligning findings with the security controls described in the relevant standards. It surfaces findings relevant to audits and supports evidence collection, but middleBrick is a scanning tool and cannot certify compliance.