Cheapest API pentesting tool

This tool is a black-box API security scanner. You submit a URL and receive a risk score from A to F with prioritized findings. It performs read-only operations using GET and HEAD, and text-only POST for LLM probes. No agents, SDKs, or code access are required, and scans typically complete in under one minute.

The scanner detects issues across 12 categories aligned to the OWASP API Top 10 (2023). It maps findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10, and it supports audit evidence collection for other frameworks through alignment of security controls described in those frameworks.

• Authentication — multi-method bypass, JWT misconfigurations such as alg=none, HS256, expired or missing claims, and sensitive data in claims.
• BOLA / IDOR — sequential ID enumeration and active adjacent-ID probing.
• BFLA / Privilege Escalation — admin endpoint probing and role or permission field leakage.
• Property Authorization — over-exposure, internal field leakage, and mass-assignment surface.
• Input Validation — CORS wildcard with and without credentials, dangerous HTTP methods, and debug endpoints.
• Rate Limiting & Resource Consumption — rate-limit header detection, oversized responses, and unpaginated arrays.
• Data Exposure — PII patterns including email, Luhn-validated card numbers, context-aware SSN patterns, API key formats for AWS, Stripe, GitHub, and Slack, and error or stack-trace leakage.
• Encryption — HTTPS redirect, HSTS, cookie flags, and mixed content.
• SSRF — URL-accepting parameters and body fields, internal IP detection, and active IP-bypass probes.
• Inventory Management — missing versioning, legacy path patterns, and server fingerprinting.
• Unsafe Consumption — excessive third-party URLs and webhook/callback surface.
• LLM / AI Security — 18 adversarial probes across Quick, Standard, and Deep tiers, including system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration, cost exploitation, encoding bypass, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool-abuse, nested instruction injection, and PII extraction.

The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution. It cross-references spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination.

Authenticated scanning is available from the Starter tier upward. Supported methods include Bearer, API key, Basic auth, and Cookie. Domain verification is enforced through DNS TXT records or an HTTP well-known file so that only the domain owner can scan with credentials. The scanner forwards a restricted set of headers: Authorization, X-API-Key, Cookie, and X-Custom-*.

The Web Dashboard provides scan management, report viewing, score trend tracking, and downloadable branded compliance PDFs. The CLI, distributed as an npm package named middlebrick, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action is available to act as a CI/CD gate, failing the build when the score drops below a chosen threshold. An MCP Server enables scanning from AI coding assistants such as Claude and Cursor, and a programmatic API client supports custom integrations.

Pro tier adds continuous monitoring with configurable rescan intervals of 6 hours, daily, weekly, or monthly. It provides diff detection between scans, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that auto-disable after 5 consecutive failures. Enterprise tier supports unlimited APIs, custom rules, SSO, audit logs, an SLA, and dedicated support.

The scanner uses read-only methods only and never sends destructive payloads. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data is deletable on demand and purged within 30 days of cancellation. It is not sold and is never used for model training.

The tool does not fix, patch, block, or remediate findings; it detects and reports with remediation guidance. It does not perform active SQL injection or command injection testing, as those require intrusive payloads outside its scope. It does not detect business logic vulnerabilities, blind SSRF relying on out-of-band infrastructure, or replace a human pentester for high-stakes audits.