Is 42Crunch good for OWASP API Top 10 2023 audit?

What middleBrick covers

  • Black-box scanning for OWASP API Top 10 2023 coverage
  • Under-one-minute read-only scans with no agents
  • Authenticated scanning with strict header allowlists
  • OpenAPI 3.x and Swagger 2.0 spec cross-analysis
  • CI/CD integration via GitHub Action and MCP server
  • Continuous monitoring with diff detection and webhook alerts

Scope against OWASP API Top 10 2023 coverage

middleBrick maps findings directly to OWASP API Top 10 2023 through automated detection of the canonical controls:

  • Authentication flaws: multi-method bypass and JWT misconfigurations such as alg=none, weak algorithms, expired tokens, missing claims, and sensitive data in token payloads.
  • Authorization issues: BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing; BFLA and privilege escalation via admin endpoint probing and role/permission field leakage.
  • Input validation: CORS wildcard configurations (with and without credentials), dangerous HTTP methods, and debug endpoints.
  • Data exposure: PII patterns including email addresses, Luhn-validated card numbers, context-aware SSN formats, and API key formats for AWS, Stripe, GitHub, and Slack, alongside error and stack-trace leakage.
  • Additional coverage: security headers, HTTPS redirect, HSTS, cookie flags, mixed content, SSRF indicators in URL-accepting parameters and body fields, internal IP and cloud metadata bypass attempts, missing versioning and legacy path patterns, unsafe consumption surfaces, and LLM/AI security probes aligned to the LLM injection and jailbreak class.
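To make the passive checks above concrete, here is an added example in Python; it is not middleBrick's code, and its detection rules (the e-mail and card-number patterns, the claims treated as required, the key names treated as sensitive) are assumptions chosen for the demonstration. It decodes a JWT without verifying it and reports alg=none, missing claims, expiry, and PII in the payload, validates card-like digit runs with the Luhn checksum, and flags a wildcard CORS origin with and without credentials. The sample token is constructed inside the block.

```python
import base64
import json
import re
import time
from typing import Optional

# Constructed heuristics for the demonstration (assumptions, not middleBrick's rules).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
REQUIRED_CLAIMS = ("exp", "iat", "sub")
SENSITIVE_KEYS = {"password", "ssn", "card_number", "secret"}


def _b64url_decode(segment: str) -> bytes:
    """Decode one JWT segment; JWTs drop base64url padding, so restore it first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to keep random digit runs out of the card-number findings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> list:
    """Return the kinds of PII found in free text: 'email' and/or 'card-number'."""
    findings = []
    if EMAIL_RE.search(text):
        findings.append("email")
    for match in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"\D", "", match.group())):
            findings.append("card-number")
            break
    return findings


def check_jwt(token: str, now: Optional[float] = None) -> list:
    """Passive JWT inspection: decode header and payload without verifying the signature."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed-token"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["malformed-token"]
    findings = []
    if str(header.get("alg", "")).lower() == "none":
        findings.append("alg-none")
    for claim in REQUIRED_CLAIMS:
        if claim not in payload:
            findings.append(f"missing-{claim}")
    exp = payload.get("exp")
    if isinstance(exp, (int, float)) and exp < now:
        findings.append("expired")
    for key in payload:
        if key.lower() in SENSITIVE_KEYS:
            findings.append(f"sensitive-key:{key}")
    findings.extend(f"pii:{kind}" for kind in find_pii(json.dumps(payload)))
    return findings


def check_cors(headers: dict) -> Optional[str]:
    """Flag a wildcard ACAO, and the more serious wildcard-plus-credentials combination."""
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("access-control-allow-origin")
    creds = lowered.get("access-control-allow-credentials", "").strip().lower() == "true"
    if origin == "*":
        return "wildcard-with-credentials" if creds else "wildcard"
    return None


def make_unsigned_token(header: dict, payload: dict) -> str:
    """Build a constructed sample token (empty signature) for the demonstration below."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc(header)}.{enc(payload)}."


# Constructed sample: alg=none, no exp claim, an e-mail address in the payload.
SAMPLE_TOKEN = make_unsigned_token(
    {"alg": "none", "typ": "JWT"},
    {"sub": "user-1", "iat": 1700000000, "email": "alice@example.com"},
)

if __name__ == "__main__":
    print(check_jwt(SAMPLE_TOKEN, now=1700000100))
    print(check_cors({"Access-Control-Allow-Origin": "*",
                      "Access-Control-Allow-Credentials": "true"}))
```

Note that `check_jwt` never validates the signature: it only reads what the token already says about itself, which is exactly the kind of read-only observation a black-box scanner can make from a token it has been handed.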

Black-box methodology and limitations

middleBrick is a black-box scanner that requires no agents, SDKs, or code access and works with any language, framework, or cloud. Scan time is under a minute using read-only methods (GET and HEAD) plus text-only POST for LLM probes. This approach supports continuous monitoring with scheduled rescans and diff detection across scans to surface new findings, resolved findings, and score drift. However, the method does not perform active SQL injection or command injection, which require intrusive payloads outside scope. It does not detect business logic vulnerabilities, which demand human understanding of domain workflows, nor blind SSRF, which relies on out-of-band infrastructure. The tool also does not replace a human pentester for high-stakes audits. These limitations are expected characteristics of a scanning service rather than defects.

Authenticated scanning and safety controls

Authenticated scanning is available from the Starter tier and above, supporting Bearer, API key, Basic auth, and Cookie methods. Domain verification is enforced through DNS TXT record or HTTP well-known file checks to ensure only the domain owner can scan with credentials. Header forwarding is limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers. Safety posture is inherent to the design: only read-only methods are used, destructive payloads are never sent, and private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data is deletable on demand, purged within 30 days of cancellation, and is never sold or used for model training.
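The two safety controls in this section, a forwarded-header allowlist and a refusal to contact private, loopback, link-local, and cloud-metadata destinations, can be shown as an added Python example. It is not middleBrick's implementation; the allowlist mirrors the header names listed above, while the blocked hostnames and the return labels are assumptions for the demonstration. DNS names are handed back as "resolve-and-recheck": a real scanner resolves them and runs the address check over every answer, and again after each redirect, since a literal-IP check alone is not enough.

```python
import ipaddress
from urllib.parse import urlsplit

# Allowlist matching the header-forwarding policy described above.
ALLOWED_HEADERS = {"authorization", "x-api-key", "cookie"}
ALLOWED_HEADER_PREFIX = "x-custom-"
# Hostnames refused outright (assumed list); anything under .localhost is treated the same way.
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}


def filter_forwarded_headers(headers):
    """Return (kept, dropped): only allowlisted headers reach the target."""
    kept, dropped = {}, []
    for name, value in headers.items():
        lowered = name.lower()
        if lowered in ALLOWED_HEADERS or lowered.startswith(ALLOWED_HEADER_PREFIX):
            kept[name] = value
        else:
            dropped.append(name)
    return kept, dropped


def is_blocked_address(ip):
    """True for any address a read-only external scanner should never contact."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local  # 169.254.169.254 is link-local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def classify_target(url):
    """Decide whether a scan target URL may be fetched.

    Returns 'allowed', 'resolve-and-recheck' (a DNS name: resolve it and run
    is_blocked_address over every A/AAAA answer, then again after each redirect),
    or a 'blocked:<reason>' string.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "blocked:scheme"
    host = parts.hostname
    if not host:
        return "blocked:no-host"
    host = host.rstrip(".").lower()
    if host in BLOCKED_HOSTNAMES or host.endswith(".localhost"):
        return "blocked:hostname"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "resolve-and-recheck"
    # An IPv4-mapped IPv6 literal such as ::ffff:10.0.0.5 must be judged as IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return "blocked:address" if is_blocked_address(ip) else "allowed"


if __name__ == "__main__":
    for target in ("https://api.example.com/v1/users", "http://169.254.169.254/latest/meta-data/",
                   "http://[::ffff:10.0.0.5]/", "http://localhost:8080/admin"):
        print(target, "->", classify_target(target))
    print(filter_forwarded_headers({"Authorization": "Bearer TOKEN", "Host": "internal",
                                    "X-Custom-Tenant": "acme", "X-Forwarded-For": "127.0.0.1"}))
```

The check is deliberately applied to the resolved address rather than only to the URL text, which is why "blocked at multiple layers" matters: the URL filter, the resolver result, and the redirect target each get the same test.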

OpenAPI spec analysis and integration

The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. This helps identify discrepancies between declared surface and observed behavior. The tool supports integration into existing workflows via a web dashboard for scan management and trend tracking, a CLI with JSON or text output, a GitHub Action that can fail builds based on score thresholds, an MCP server for AI coding assistants, and a programmable API for custom integrations. These options allow teams to embed checks into development pipelines without requiring changes to language or deployment targets.
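As an added example of the spec-side checks described here (not middleBrick's parser), the Python below resolves local `$ref` pointers recursively, with a guard for self-referencing schemas, and then audits each operation for security schemes that are used but never declared, deprecated operations, sensitive property names in responses, and GET operations that return an array without any pagination parameter. It handles the OpenAPI 3.x document shape only; Swagger 2.0 keeps schemas under `definitions` and lays out responses differently, so that branch is omitted. The sensitive-field and pagination name lists, and the sample spec, are constructed for the demonstration.

```python
# Constructed heuristics (assumptions, not middleBrick's rules).
SENSITIVE_FIELDS = {"password", "ssn", "card_number", "secret"}
PAGINATION_PARAMS = {"limit", "offset", "page", "page_size", "cursor"}
HTTP_METHODS = ("get", "post", "put", "patch", "delete")


def resolve_refs(doc, node, seen=()):
    """Recursively replace local '$ref' pointers (#/components/...) with their targets.

    'seen' holds the refs on the current branch so a self-referencing schema
    terminates (marked x-cyclic) instead of recursing forever.
    """
    if isinstance(node, dict):
        ref = node.get("$ref")
        if isinstance(ref, str) and ref.startswith("#/"):
            if ref in seen:
                return {"$ref": ref, "x-cyclic": True}
            target = doc
            for part in ref[2:].split("/"):  # JSON Pointer: ~1 is '/', ~0 is '~'
                target = target[part.replace("~1", "/").replace("~0", "~")]
            return resolve_refs(doc, target, seen + (ref,))
        return {key: resolve_refs(doc, value, seen) for key, value in node.items()}
    if isinstance(node, list):
        return [resolve_refs(doc, value, seen) for value in node]
    return node


def _walk_properties(schema, path=""):
    """Yield (json-path, name) for every property in a resolved schema, nested objects and arrays included."""
    if not isinstance(schema, dict):
        return
    for name, sub in schema.get("properties", {}).items():
        yield f"{path}/{name}", name
        yield from _walk_properties(sub, f"{path}/{name}")
    if "items" in schema:
        yield from _walk_properties(schema["items"], f"{path}[]")


def audit_spec(doc):
    """Static checks over a resolved OpenAPI 3.x document; returns human-readable findings."""
    resolved = resolve_refs(doc, doc)
    defined_schemes = set((resolved.get("components") or {}).get("securitySchemes", {}))
    findings = []
    for path, item in resolved.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            where = f"{method.upper()} {path}"
            for requirement in op.get("security", resolved.get("security", [])):
                for scheme in requirement:
                    if scheme not in defined_schemes:
                        findings.append(f"{where}: undefined security scheme '{scheme}'")
            if op.get("deprecated"):
                findings.append(f"{where}: deprecated operation still exposed")
            params = {p.get("name", "").lower() for p in op.get("parameters", [])}
            for code, response in op.get("responses", {}).items():
                schema = (response.get("content") or {}).get("application/json", {}).get("schema", {})
                if method == "get" and schema.get("type") == "array" and not params & PAGINATION_PARAMS:
                    findings.append(f"{where}: array response without pagination parameters")
                for prop_path, name in _walk_properties(schema):
                    if name.lower() in SENSITIVE_FIELDS:
                        findings.append(f"{where}: sensitive field '{prop_path}' in {code} response")
    return findings


# Constructed sample spec: a list endpoint whose user objects carry a password
# field, and a deprecated legacy endpoint that references an undeclared scheme.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "User": {"type": "object", "properties": {
                "id": {"type": "integer"}, "email": {"type": "string"}, "password": {"type": "string"}}},
            "UserList": {"type": "array", "items": {"$ref": "#/components/schemas/User"}},
        },
    },
    "paths": {
        "/users": {"get": {"security": [{"bearerAuth": []}], "responses": {"200": {
            "content": {"application/json": {"schema": {"$ref": "#/components/schemas/UserList"}}}}}}},
        "/v1/legacy": {"get": {"deprecated": True, "security": [{"legacyKey": []}],
                               "responses": {"200": {"description": "ok"}}}},
    },
}

if __name__ == "__main__":
    for finding in audit_spec(SAMPLE_SPEC):
        print(finding)
```

Findings of this kind are only the declared side of the picture; the runtime cross-reference the section describes is what tells you whether, say, the undeclared `legacyKey` scheme is enforced at all.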

Compliance mapping and billing model

middleBrick maps findings to three specific frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 2023. For other regulations and frameworks, such as HIPAA, GDPR, ISO 27001, NIST, CIS, CCPA, NIS2, DORA, FedRAMP, DPDP, APPI, PDPA, PIPEDA, PIPA, UK DPA, LGPD, SOX, GLBA, and FERPA, the scanner helps you prepare for an audit, aligns with the security controls those frameworks describe, and supports audit evidence. This alignment is informational only: it does not imply certification or guaranteed compliance, and it is not a claim that the product ensures compliance with, or meets all requirements of, any framework. The product is a scanner, not an auditor, and cannot certify any organization. Pricing follows a tiered model, from Free with 3 monthly scans, to Pro with continuous monitoring, to Enterprise with unlimited APIs, custom rules, SSO, audit logs, SLA, and dedicated support.

Frequently Asked Questions

Does middleBrick replace a human pentester for OWASP API Top 10 audits?
No. The tool surfaces automated findings across the OWASP API Top 10 2023 but does not detect business logic vulnerabilities or blind SSRF. Human expertise remains necessary for high-stakes audits and domain-specific logic validation.
Can authenticated scans be used in CI/CD pipelines?
Yes. The GitHub Action supports CI/CD gates and fails the build when the score drops below a configured threshold, provided authenticated credentials and domain verification are in place.
How are customer scan results handled after cancellation?
Customer scan data can be deleted on demand and is purged within 30 days of cancellation. The data is never sold and is not used for model training.
Does the tool perform active injection tests like SQL injection?
No. Active SQL injection or command injection testing is outside scope, as these require intrusive payloads that conflict with the read-only methodology.