APIsec review

This tool is a self-service API security scanner that accepts a target URL and returns a risk grade from A to F along with prioritized findings. It performs a black-box scan that requires no agents, SDKs, or code access and supports any language, framework, or cloud. Read-only methods such as GET and HEAD are used by default, with text-only POST reserved for LLM probes, and typical scans complete in under a minute.

The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023) and maps findings to PCI-DSS 4.0 and SOC 2 Type II. Coverage includes authentication bypass and JWT misconfigurations, broken object level authorization and IDOR, broken function level authorization and privilege escalation, property authorization and over-exposed fields, input validation issues such as CORS wildcard usage, rate limiting and resource consumption signals, data exposure including PII patterns and API key formats, encryption and transport misconfigurations, SSRF indicators, inventory management deficiencies, unsafe consumption surfaces, and LLM / AI security probes across multiple scan tiers.

For frameworks outside this specific mapping, the tool helps you prepare for security reviews by aligning with security controls described in relevant standards and supports audit evidence for your assessments. OpenAPI 3.0, 3.1, and Swagger 2.0 specifications are parsed with recursive $ref resolution, and findings are cross-referenced against the spec to identify undefined security schemes or deprecated operations.

Authenticated scans are supported in plans above Starter and accept Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through a DNS TXT record or an HTTP well-known file to ensure only the domain owner can submit credentials. A restricted header allowlist is applied, forwarding only Authorization, X-API-Key, Cookie, and X-Custom-* headers.

The scanner follows a strict read-only posture and never sends destructive payloads. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer data is deletable on demand and purged within 30 days of cancellation, and it is never sold or used for model training.

Findings are available through a web dashboard that supports scanning, report viewing, score trend tracking, and downloadable branded compliance PDFs. The CLI, distributed as an npm package, enables commands such as middlebrick scan <url> with JSON or text output. A GitHub Action provides CI/CD gating by failing builds when scores drop below a defined threshold. An MCP server allows scans from AI coding assistants, and a programmatic API client supports custom integrations.

Pro tier adds scheduled rescans at intervals ranging from every six hours to monthly, diff detection across scans to highlight new or resolved findings, and email alerts rate-limited to one per hour per API. HMAC-SHA256 signed webhooks are included with auto-disable after five consecutive failures. Enterprise tiers support unlimited APIs, custom rules, SSO, audit logs, an SLA, and dedicated support.

The tool does not fix, patch, block, or remediate issues; it detects and reports with remediation guidance. It does not perform active SQL injection or command injection testing, which requires intrusive payloads outside its scope. Business logic vulnerabilities are not detected, as they require domain context best handled by human experts, and blind SSRF is out of scope due to the absence of out-of-band infrastructure checks.

It is not intended to replace a human pentester for high-stakes audits. The scanner surfaces findings relevant to defined frameworks and provides guidance, but it does not certify compliance or guarantee adherence to any regulatory regime.