Is 42Crunch good for API marketplace listing prep?

What middleBrick covers

  • Black-box scanning with a scan time under one minute
  • Risk score A–F with prioritized findings
  • OWASP API Top 10 (2023) mapping and evidence
  • OpenAPI 3.x and Swagger 2.0 contract analysis
  • LLM adversarial probe testing across three tiers
  • Authenticated scans with header allowlist controls

Scope and approach of API security validation

API marketplace listing preparation favors tools that validate surface risks without requiring code changes or runtime instrumentation. middleBrick operates as a black-box scanner that submits read-only requests to an endpoint and returns a normalized risk score with prioritized findings. The scanner completes in under a minute and does not modify, patch, or block any system behavior. Its role is detection and reporting, with remediation guidance provided for each finding.

Coverage aligned to industry standards

middleBrick maps findings directly to OWASP API Top 10 (2023), supporting audit evidence for control validation under that framework. Findings also align with PCI-DSS 4.0 requirements relevant to authentication, session management, and error handling, and map to security control families described in SOC 2 Type II. The tool checks authentication bypass paths, JWT misconfigurations such as alg=none and expired tokens, CORS wildcard usage, sensitive data exposure including PII and API key patterns, and SSRF probes targeting internal infrastructure.

LLM and AI-specific security probes

The scanner includes an LLM / AI Security category with 18 adversarial probes executed across three scan tiers: Quick, Standard, and Deep. These probes test for system prompt extraction, instruction override attempts, DAN and roleplay jailbreaks, data exfiltration techniques, cost exploitation, encoding bypasses such as base64 and ROT13, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool-abuse patterns, nested instruction injection, and PII extraction. Each category is reported with request context and actionable guidance.

OpenAPI contract validation and authenticated scanning

middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 files and resolves recursive $ref references to compare the specification against runtime behavior. This helps surface undefined security schemes, deprecated operations, missing pagination, and sensitive fields not reflected in the contract. For authenticated scans, Bearer tokens, API keys, Basic auth, and cookies are supported, and domain verification via DNS TXT record or HTTP well-known file ensures that only domain owners can submit credentials. The scanner forwards a restricted allowlist of headers and does not attempt intrusive exploitation.

Operational model and limitations

middleBrick does not fix, patch, block, or remediate findings; it reports and provides guidance. It does not execute active SQL injection or command injection tests, as those fall outside its read-only design. Business logic vulnerabilities and blind SSRF are also out of scope, and the tool does not replace a human pentester for high-stakes audits. Continuous monitoring options in higher tiers enable scheduled rescans, diff detection, HMAC-SHA256 signed webhooks, and email alerts to track score drift over time.
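A receiver for the signed rescan webhooks described above, as an added example that is not middleBrick's own code: it verifies the HMAC-SHA256 signature over the raw body with a constant-time compare before trusting the payload, then checks whether the A–F grade drifted downward. The header name, hex digest encoding, and event field names are assumptions, not the product's documented contract.

```python
import hashlib
import hmac
import json

# Assumed header name and hex-encoded digest; the real webhook contract may differ.
SIGNATURE_HEADER = "X-Signature-256"
GRADE_ORDER = "ABCDEF"  # A is best, F is worst


def sign_payload(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the raw request body, hex-encoded (assumed format)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, body: bytes, headers: dict) -> bool:
    """Return True only when the presented signature matches the raw body.

    Verify against the raw bytes, never a re-serialized JSON object, and use
    compare_digest so a wrong signature does not leak via timing differences.
    """
    presented = headers.get(SIGNATURE_HEADER, "")
    expected = sign_payload(secret, body)
    return hmac.compare_digest(presented, expected)


def score_drift(body: bytes, previous_grade: str) -> dict:
    """Parse a verified rescan event and flag a regression in the A–F grade."""
    event = json.loads(body)
    current = event["grade"]
    regressed = GRADE_ORDER.index(current) > GRADE_ORDER.index(previous_grade)
    return {
        "grade": current,
        "regressed": regressed,
        "new_findings": event.get("new_findings", []),
    }


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    # Constructed sample event; field names are illustrative only.
    body = json.dumps({"target": "api.example.com", "grade": "C",
                       "new_findings": ["cors-wildcard"]}).encode()
    headers = {SIGNATURE_HEADER: sign_payload(secret, body)}
    if verify_webhook(secret, body, headers):
        print(score_drift(body, previous_grade="B"))
    else:
        print("rejected: bad signature")
```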

Frequently Asked Questions

Can middleBrick be used for API marketplace listing preparation?
It can support preparation by validating surface-level risks and mapping findings to OWASP API Top 10, PCI-DSS 4.0, and SOC 2 Type II. It does not replace manual review or deeper architectural audits required by marketplace operators.

What authentication methods does the scanner support?
Bearer tokens, API keys, Basic auth, and cookies. Domain verification is required before authenticated scans are accepted.

Does the scanner perform intrusive testing such as SQL injection?
No. The scanner uses read-only methods and does not execute active SQL injection, command injection, or other intrusive payloads.

How are findings mapped to compliance frameworks?
Findings map directly to OWASP API Top 10, and align with security control descriptions in PCI-DSS 4.0 and SOC 2 Type II. Other regulations are supported through alignment framing, not certification or guarantees.