APIsec for Security Architects

What middleBrick covers

  • Black-box API security scanning with a risk score
  • Mapping findings to OWASP API Top 10, SOC 2, and PCI-DSS
  • OpenAPI 3.0/3.1 and Swagger 2.0 spec analysis
  • Authenticated scanning with header allowlist and domain verification
  • Continuous monitoring with scheduled rescans and diff detection
  • CI/CD integration via GitHub Action and CLI

Purpose and scope of scanning

APIsec provides a black-box security assessment that requires no agents, SDKs, or code access. You submit an API endpoint and receive a risk score from A to F along with prioritized findings. The scanner exercises only read-safe methods such as GET and HEAD, plus text-only POST requests for the LLM probes, so no destructive operations are performed. A scan completes in under one minute, which makes it suitable for frequent checks during development and before deployment.

Detection capabilities aligned to standards

The scanner covers 12 categories aligned to the OWASP API Top 10 (2023), including authentication bypass, JWT misconfigurations such as alg=none or expired tokens, BOLA and IDOR via sequential ID probing, BFLA and privilege escalation attempts, and data exposure patterns like emails, Luhn-validated card numbers, and API keys for AWS, Stripe, GitHub, and Slack. It also detects CORS misconfigurations, unsafe HTTP methods, debug endpoints, rate-limit header issues, SSRF indicators involving internal IP probes, missing versioning, and LLM-specific adversarial tests including system prompt extraction and jailbreak techniques.
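A defender-side illustration of the data-exposure checks described above, written for this page as an added Python example rather than the product's own code: it scans a constructed response body for e-mail addresses, Luhn-validated card numbers and a few key prefixes, and masks anything it reports. The key-prefix regexes, the sample body and the masking scheme are assumptions made for the example.

```python
import re

# Constructed sample API response body (not real data). It contains a test PAN
# that passes the Luhn check (4111 1111 1111 1111), a 16-digit order id that
# fails Luhn and must not be flagged, an e-mail address, and AWS's published
# example access key id.
SAMPLE_BODY = (
    '{"user": {"email": "jane.doe@example.com", "order_id": "1234567890123456"},'
    ' "payment": {"card": "4111 1111 1111 1111"},'
    ' "debug": {"aws_key": "AKIAIOSFODNN7EXAMPLE"}}'
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Candidate card numbers: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

# Illustrative key-prefix patterns (assumed for this example; the product's own
# signatures are not published on the page).
KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "stripe_secret_key": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"),
    "slack_token": re.compile(r"\bxox[bpors]-[0-9A-Za-z-]{10,}\b"),
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit (subtract 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str, keep_last: int = 4) -> str:
    """Never echo a full secret or PAN into a report; keep only the tail."""
    return "*" * max(len(value) - keep_last, 0) + value[-keep_last:]


def scan_response_body(body: str) -> dict[str, list[str]]:
    """Return masked findings keyed by category."""
    findings: dict[str, list[str]] = {"email": EMAIL_RE.findall(body), "card_number": []}
    for m in PAN_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Luhn filters out order ids, timestamps and other digit runs of card-like length.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings["card_number"].append(mask(digits))
    for name, pattern in KEY_PATTERNS.items():
        hits = pattern.findall(body)
        if hits:
            findings[name] = [mask(h) for h in hits]
    return findings


if __name__ == "__main__":
    for kind, values in scan_response_body(SAMPLE_BODY).items():
        print(f"{kind}: {values}")
```

The Luhn check is what keeps the 16-digit order id out of the report; without it, every digit run of card-like length would be flagged, which is the main source of noise in this category.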

The tool maps each finding to OWASP API Top 10 (2023) and references the related controls that support SOC 2 Type II and PCI-DSS 4.0 audit evidence. Each finding includes a detailed description, a severity indicator, and remediation guidance to help your team triage and address issues.

OpenAPI analysis and authenticated scanning

APIsec parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution, cross-referencing spec definitions against runtime behavior to identify undefined security schemes, sensitive field exposure, deprecated operations, and missing pagination. This comparison highlights discrepancies between documented expectations and actual endpoint behavior.

Authenticated scanning is available from the Starter tier and above, supporting Bearer tokens, API keys, Basic auth, and cookies. Authentication is gated by domain verification using DNS TXT records or an HTTP well-known file to ensure only the domain owner can scan with credentials. A strict header allowlist is enforced, permitting only Authorization, X-API-Key, Cookie, and X-Custom-* headers to be forwarded during the scan.
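An added Python example, not the product's code, of the two gates described above: a case-insensitive header allowlist that matches the four names on the page, and domain verification by DNS TXT record or well-known file, with a scope check so a verified domain only covers itself and its subdomains. The TXT record name _apisec-verify, the well-known path, the constructed token and the stub resolver and fetcher are assumptions made so the block runs offline.

```python
import fnmatch
import secrets

# Header names the scanner may forward (matched case-insensitively), per the page.
ALLOWED_HEADER_PATTERNS = ("authorization", "x-api-key", "cookie", "x-custom-*")


def filter_forwarded_headers(requested: dict[str, str]) -> tuple[dict[str, str], list[str]]:
    """Return (headers to forward, names that were dropped).

    Anything outside the allowlist is dropped, and so is any value containing
    CR/LF, so a stored credential cannot smuggle extra headers into the request.
    """
    forwarded: dict[str, str] = {}
    dropped: list[str] = []
    for name, value in requested.items():
        allowed = any(fnmatch.fnmatchcase(name.lower(), pat) for pat in ALLOWED_HEADER_PATTERNS)
        if allowed and "\r" not in value and "\n" not in value:
            forwarded[name] = value
        else:
            dropped.append(name)
    return forwarded, dropped


# Domain verification. Record name and well-known path are assumptions for this
# example; the page only says "DNS TXT records or an HTTP well-known file".
TXT_RECORD_PREFIX = "_apisec-verify"
WELL_KNOWN_PATH = "/.well-known/apisec-verification.txt"


def issue_verification_token() -> str:
    """Unguessable token the customer publishes to prove control of the domain."""
    return secrets.token_urlsafe(32)


def verify_domain_txt(domain: str, token: str, resolve_txt) -> bool:
    """resolve_txt(name) -> list of TXT strings; injected so this runs offline."""
    records = resolve_txt(f"{TXT_RECORD_PREFIX}.{domain}")
    return any(r.strip() == token for r in records)


def verify_domain_well_known(domain: str, token: str, fetch_text) -> bool:
    """fetch_text(url) -> response body, or raises; injected so this runs offline."""
    try:
        body = fetch_text(f"https://{domain}{WELL_KNOWN_PATH}")
    except Exception:
        return False
    return body.strip() == token


def host_covered_by(verified_domain: str, target_host: str) -> bool:
    """A verified domain covers itself and its subdomains, nothing else."""
    v = verified_domain.lower().rstrip(".")
    t = target_host.lower().rstrip(".")
    return t == v or t.endswith("." + v)


# Constructed fixtures for a stand-alone run (the token is a fixed dummy value).
TOKEN = "apisec-verify-constructed-token-0123456789"
STUB_TXT = {f"{TXT_RECORD_PREFIX}.example.com": ["unrelated-record", TOKEN]}
STUB_WEB = {f"https://example.com{WELL_KNOWN_PATH}": TOKEN + "\n"}


def stub_resolve_txt(name: str) -> list[str]:
    return STUB_TXT.get(name, [])


def stub_fetch_text(url: str) -> str:
    return STUB_WEB[url]  # KeyError stands in for a 404 / connection failure


if __name__ == "__main__":
    fwd, drop = filter_forwarded_headers({
        "Authorization": "Bearer constructed",
        "X-Custom-Tenant": "acme",
        "X-Forwarded-For": "10.0.0.1",
        "Host": "internal.example",
    })
    print("forward:", sorted(fwd), "drop:", drop)
    print("txt verified:", verify_domain_txt("example.com", TOKEN, stub_resolve_txt))
    print("well-known verified:", verify_domain_well_known("example.com", TOKEN, stub_fetch_text))
    print("covers api.example.com:", host_covered_by("example.com", "api.example.com"))
```

Note that the allowlist is matched on the full name, so X-Customer-Id does not slip through the X-Custom-* wildcard, and that Host and X-Forwarded-For are dropped even when a customer supplies them, which closes the obvious ways a stored credential set could redirect or spoof the scan.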

Deployment options and continuous monitoring

The Web Dashboard centralizes scan management, report viewing, score trend analysis, and branded compliance PDF downloads. The CLI, distributed as an npm package named middlebrick, enables local scans with command syntax such as middlebrick scan https://api.example.com, supporting JSON or plain text output. A GitHub Action is available to integrate scanning into CI/CD pipelines, failing the build when the score drops below a defined threshold.

Pro tier adds continuous monitoring with scheduled rescans at six-hour, daily, weekly, or monthly intervals. It provides diff detection between scans, highlighting new findings, resolved issues, and score drift. Alerts are rate-limited to one email per hour per API, and webhooks are HMAC-SHA256 signed, with auto-disable after five consecutive failures to reduce noise.
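An added Python example, not the product's code, showing the two Pro-tier mechanisms named above: a diff between two scan results (new findings, resolved findings, grade drift) and HMAC-SHA256 webhook signing with verification on the receiving side and auto-disable after five consecutive delivery failures. The finding ids, the signature message layout, the header names and the sample results are constructed for the example; the page does not publish the product's webhook format.

```python
import hashlib
import hmac
import json

GRADES = "ABCDEF"  # best to worst, matching the A-to-F risk score


def diff_scans(previous: dict, current: dict) -> dict:
    """Compare two scan results of the shape {"score": "B", "findings": [{"id": ...}, ...]}.

    Findings are matched on a stable id (an assumption; the page does not say how
    the product keys findings). Positive grade_delta means the score got worse.
    """
    prev_ids = {f["id"] for f in previous["findings"]}
    curr_ids = {f["id"] for f in current["findings"]}
    return {
        "new": sorted(curr_ids - prev_ids),
        "resolved": sorted(prev_ids - curr_ids),
        "previous_score": previous["score"],
        "current_score": current["score"],
        "grade_delta": GRADES.index(current["score"]) - GRADES.index(previous["score"]),
    }


def sign_webhook(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<body>" (assumed layout). Binding the timestamp
    into the MAC is what lets the receiver reject replays of old deliveries."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, timestamp: int, body: bytes, signature: str,
                   now: int, max_skew: int = 300) -> bool:
    """Receiver side: reject stale timestamps, then compare MACs in constant time."""
    if abs(now - timestamp) > max_skew:
        return False
    return hmac.compare_digest(sign_webhook(secret, timestamp, body), signature)


class WebhookSubscription:
    """Delivers signed alerts and disables itself after five consecutive failures."""

    MAX_CONSECUTIVE_FAILURES = 5

    def __init__(self, url: str, secret: bytes):
        self.url = url
        self.secret = secret
        self.consecutive_failures = 0
        self.disabled = False

    def deliver(self, payload: dict, send, now: int) -> bool:
        """send(url, headers, body) -> HTTP status code; injected so this runs offline."""
        if self.disabled:
            return False
        # Canonical JSON so the bytes that are signed are the bytes that are sent.
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        headers = {
            "Content-Type": "application/json",
            "X-Webhook-Timestamp": str(now),  # assumed header names
            "X-Webhook-Signature": sign_webhook(self.secret, now, body),
        }
        try:
            status = send(self.url, headers, body)
        except Exception:
            status = 0  # network error counts as a failed delivery
        if 200 <= status < 300:
            self.consecutive_failures = 0
            return True
        self.consecutive_failures += 1
        if self.consecutive_failures >= self.MAX_CONSECUTIVE_FAILURES:
            self.disabled = True
        return False


# Constructed scan results for a stand-alone run.
PREVIOUS = {"score": "B", "findings": [{"id": "cors-wildcard"}, {"id": "missing-versioning"}]}
CURRENT = {"score": "C", "findings": [{"id": "cors-wildcard"}, {"id": "debug-endpoint"}]}

if __name__ == "__main__":
    delta = diff_scans(PREVIOUS, CURRENT)
    print(delta)
    sub = WebhookSubscription("https://hooks.example.test/apisec", b"constructed-secret")
    for _ in range(WebhookSubscription.MAX_CONSECUTIVE_FAILURES):
        sub.deliver(delta, send=lambda url, headers, body: 503, now=1_700_000_000)
    print("disabled after repeated failures:", sub.disabled)
```

On the receiving side, check the timestamp window before the MAC and use a constant-time comparison; a webhook endpoint that accepts any well-formed JSON is otherwise a cheap way for an attacker to inject fake "resolved" alerts into a triage queue.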

Data handling, privacy, and limitations

Scan data is deletable on demand and purged within 30 days of cancellation. Customer data is never sold and is not used for model training. The scanner blocks private IPs, localhost, and cloud metadata endpoints at multiple layers to prevent internal probing. All tests are read-only, and no active exploitation payloads such as SQL injection or command injection are used.
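An added Python example, not the product's implementation, of the layered target check described above: deny-listed hostnames, literal addresses and every resolved address are each tested, and loopback, link-local, private and cloud metadata addresses (169.254.169.254 and the AWS IPv6 IMDS address fd00:ec2::254) are refused, including when hidden behind an IPv4-mapped IPv6 literal. The stub resolver and its addresses are constructed so the block runs offline; in production the same check would run over socket.getaddrinfo results.

```python
import ipaddress
from urllib.parse import urlparse

# Layer 1: host names that are always refused, whatever they resolve to.
DENIED_HOSTNAMES = {"localhost", "metadata.google.internal"}
# Cloud metadata addresses: the shared IPv4 IMDS address and AWS's IPv6 IMDS address.
METADATA_ADDRESSES = {
    ipaddress.ip_address("169.254.169.254"),
    ipaddress.ip_address("fd00:ec2::254"),
}


def _normalise(ip):
    """Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 rules apply to it."""
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def ip_is_blocked(ip) -> bool:
    ip = _normalise(ip)
    if ip in METADATA_ADDRESSES:
        return True
    # is_global is False for loopback, link-local, RFC 1918 / ULA, unspecified,
    # multicast, reserved and documentation ranges, so one check covers them all.
    return not ip.is_global


def check_target(url: str, resolve) -> tuple[bool, str]:
    """Return (allowed, reason).

    resolve(host) -> list of IP strings; injected so the example runs offline.
    Every resolved address is checked, so a name that mixes public and private
    answers (DNS rebinding style) is refused rather than raced.
    """
    host = urlparse(url).hostname
    if not host:
        return False, "no host in URL"
    bare = host.lower().rstrip(".")
    if bare in DENIED_HOSTNAMES or bare.endswith(".localhost"):
        return False, f"denied hostname {host}"
    # Layer 2: a literal IP address in the URL.
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        if ip_is_blocked(literal):
            return False, f"blocked address {literal}"
        return True, f"public address {literal}"
    # Layer 3: every address the name resolves to.
    addresses = resolve(host)
    if not addresses:
        return False, f"unresolvable host {host}"
    for addr in addresses:
        if ip_is_blocked(ipaddress.ip_address(addr)):
            return False, f"{host} resolves to blocked address {addr}"
    return True, f"{host} resolves only to public addresses"


# Constructed resolver fixture; 93.184.216.34 is a stand-in public address.
STUB_DNS = {
    "api.example.com": ["93.184.216.34"],
    "rebind.example.test": ["93.184.216.34", "10.0.0.5"],
}


def stub_resolve(host: str) -> list[str]:
    return STUB_DNS.get(host, [])


if __name__ == "__main__":
    for url in ("https://api.example.com/v1/users", "http://169.254.169.254/latest/meta-data/",
                "http://[::ffff:127.0.0.1]/", "http://rebind.example.test/"):
        print(url, "->", check_target(url, stub_resolve))
```

Two details matter in practice: the IPv4-mapped unwrap, because ::ffff:127.0.0.1 is otherwise a different object from 127.0.0.1, and checking every resolved address rather than the first, because a resolver that returns one public and one private answer is the classic way a scanner gets pointed at an internal host.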

Because business logic vulnerabilities require domain context, they are not detectable by automated scanning. Blind SSRF that relies on out-of-band infrastructure is also out of scope, and the tool does not replace a human pentester for high-stakes audits. These limitations are documented to set clear expectations for security teams.

Frequently Asked Questions

What standards does the scanner map findings to?
The scanner maps findings directly to OWASP API Top 10 (2023), and its findings can support SOC 2 Type II and PCI-DSS 4.0 audit evidence.
Can I authenticate my scans with API keys?
Yes, authenticated scanning supports Bearer tokens, API keys, Basic auth, and cookies, provided domain ownership is verified.
Does the tool attempt to exploit vulnerabilities?
No, the scanner performs read-only checks and does not send destructive or intrusive payloads.
How are false positives reduced?
Findings include contextual details and are cross-referenced against the OpenAPI spec to reduce false positives, but manual validation is still recommended.
Can scan results be integrated into CI/CD pipelines?
Yes, the GitHub Action can fail builds based on score thresholds, and the API client supports custom integrations for automated workflows.