Is 42Crunch good for Pentest scoping preparation?

What middleBrick covers

  • Black-box scanning with under one minute scan time
  • Risk scoring from A to F with prioritized findings
  • Twelve OWASP API Top 10 aligned detection categories
  • OpenAPI 3.x and Swagger 2.0 contract analysis
  • Authenticated scanning with header allowlist controls
  • Continuous monitoring with diff detection and alerts

Scope Definition for Pentest Preparation

Effective scoping requires a clear map of the API surface and a prioritized list of likely weaknesses before intrusive testing begins. middleBrick supplies that map as a black-box scanner that submits a URL and returns a risk grade and a ranked list of findings aligned to OWASP API Top 10. Because it runs without agents or SDKs, it can profile endpoints, authentication schemes, and parameter behaviors across languages and frameworks in under a minute. The output is intended to guide manual effort rather than replace it, helping you decide where deep manual testing adds the most value.

Detection Coverage Relevant to Scoping

The scanner evaluates 12 categories that map directly to OWASP API Top 10, providing coverage useful for initial scoping. It checks authentication bypass paths, JWT misconfigurations such as alg=none or missing claims, and security header compliance including WWW-Authenticate. It probes for BOLA and IDOR via sequential ID patterns and active adjacent-ID checks, and tests for BFLA through admin endpoint discovery and permission field leakage. It identifies over-exposed properties and internal field leakage, detects CORS wildcards (with and without credentials), dangerous HTTP methods, and debug endpoints. Rate limiting is assessed through header detection and oversized response analysis, while data exposure checks include PII patterns, Luhn-validated card detection, API key fingerprinting, and error or stack trace leakage. It validates HTTPS redirects, HSTS, cookie flags, and mixed content, and enumerates SSRF indicators such as URL-accepting parameters and internal IP probes. Inventory management checks include missing versioning, legacy path patterns, and server fingerprinting, and unsafe consumption risks are flagged through excessive third-party URLs and webhook exposure.

LLM security is covered with 18 adversarial probes across Quick, Standard, and Deep tiers, testing system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration, cost exploitation, encoding bypasses, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool abuse, nested instruction injection, and PII extraction.
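To make the passive response checks above concrete, here is an added example (not middleBrick's code, and not a description of how its scanner is implemented) that inspects a captured HTTP response for a few of the same signals: a CORS wildcard combined with credentials, a missing HSTS header, cookies without Secure/HttpOnly, a leaked stack trace, and Luhn-validated card numbers in the body. The sample responses are constructed; the regular expressions and finding labels are this example's own choices.

```python
import re

# Candidate runs of 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Python and JVM-style stack trace markers (example patterns, not exhaustive).
STACK_TRACE = re.compile(r"Traceback \(most recent call last\)|\bat [\w.$<>]+\([\w.]+:\d+\)")


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return digit strings that look like PANs and pass Luhn; other digit runs are ignored."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def check_response(headers: list[tuple[str, str]], body: str, over_https: bool = True) -> list[str]:
    """Evaluate a (header list, body) pair and return human-readable findings."""
    findings = []
    lowered = [(k.lower(), v) for k, v in headers]
    first = {}
    for k, v in lowered:
        first.setdefault(k, v)      # first occurrence wins for single-valued headers

    if first.get("access-control-allow-origin", "").strip() == "*":
        if first.get("access-control-allow-credentials", "").strip().lower() == "true":
            findings.append("CORS wildcard origin with credentials")
        else:
            findings.append("CORS wildcard origin")

    if over_https and "strict-transport-security" not in first:
        findings.append("missing Strict-Transport-Security")

    for k, v in lowered:            # Set-Cookie may repeat, so walk every instance
        if k != "set-cookie":
            continue
        name = v.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in v.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie '{name}' missing Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie '{name}' missing HttpOnly")

    if STACK_TRACE.search(body):
        findings.append("stack trace in response body")
    for pan in find_card_numbers(body):
        findings.append(f"Luhn-valid card number in response body (ends {pan[-4:]})")
    return findings


# Constructed sample responses: one weak, one hardened.
WEAK_HEADERS = [
    ("Content-Type", "application/json"),
    ("Access-Control-Allow-Origin", "*"),
    ("Access-Control-Allow-Credentials", "true"),
    ("Set-Cookie", "session=abc123; Path=/"),
]
WEAK_BODY = ('{"card": "4111 1111 1111 1111", "order": "1234567890123", '
             '"error": "Traceback (most recent call last):\\n  File app.py"}')
GOOD_HEADERS = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Access-Control-Allow-Origin", "https://app.example.com"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
GOOD_BODY = '{"ok": true, "order": "1234567890123"}'

if __name__ == "__main__":
    for f in check_response(WEAK_HEADERS, WEAK_BODY):
        print("WEAK:", f)
    print("GOOD:", check_response(GOOD_HEADERS, GOOD_BODY))
```

The Luhn step is what separates a card finding from ordinary numeric noise: the 13-digit order id in the sample fails the checksum and is ignored, while the test PAN 4111 1111 1111 1111 passes.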

OpenAPI Contract Analysis for Scoping Context

middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution to compare the spec against runtime behavior. It flags undefined security schemes, sensitive fields that are not justified by the spec, deprecated operations, and missing pagination hints that imply unbounded data exposure. This contract-first view helps you understand deviations between intended and actual behavior, which is critical when defining test boundaries and exclusion rules for a pentest engagement. By highlighting areas where the implementation diverges from the published API contract, it supports focused manual validation during scoping.
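The contract checks described above can be illustrated with a small added example (this is not middleBrick's parser and makes no claim about how it resolves references). It inlines local `$ref` pointers recursively, refuses to loop on cyclic schemas, and then flags operations that reference an undefined security scheme, operations marked deprecated, array-returning GET operations with no pagination parameter, and response schemas carrying sensitive field names. The sample spec, the list of pagination parameter names, and the list of sensitive field names are all constructed for the example.

```python
# Sensitive property names and pagination parameter names are example choices.
SENSITIVE_FIELDS = {"ssn", "password", "secret", "token", "card_number"}
PAGINATION_PARAMS = {"limit", "offset", "page", "per_page", "page_size", "cursor"}
HTTP_METHODS = ("get", "put", "post", "delete", "patch", "options", "head")

# Constructed OpenAPI 3.0 document with one undefined scheme, one deprecated
# operation, one unpaginated list endpoint, and a sensitive property.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "User": {"type": "object", "properties": {"id": {"type": "integer"}, "ssn": {"type": "string"}}},
            "UserList": {"type": "array", "items": {"$ref": "#/components/schemas/User"}},
        },
        "parameters": {"Limit": {"name": "limit", "in": "query", "schema": {"type": "integer"}}},
    },
    "paths": {
        "/users": {
            "get": {"responses": {"200": {"description": "ok", "content": {
                "application/json": {"schema": {"$ref": "#/components/schemas/UserList"}}}}}},
        },
        "/users/{id}": {
            "get": {"security": [{"bearerAuth": []}],
                    "parameters": [{"$ref": "#/components/parameters/Limit"}],
                    "responses": {"200": {"description": "ok"}}},
            "delete": {"deprecated": True, "security": [{"legacyKey": []}],
                       "responses": {"204": {"description": "deleted"}}},
        },
    },
}


def _lookup(spec, pointer):
    """Follow a local JSON pointer such as '#/components/schemas/User'."""
    if not pointer.startswith("#/"):
        raise ValueError(f"only local refs are supported: {pointer}")
    node = spec
    for part in pointer[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node


def resolve(spec, node, seen=()):
    """Recursively inline $ref nodes; a ref already on the path is left as-is to break cycles."""
    if isinstance(node, dict):
        if "$ref" in node:
            ref = node["$ref"]
            if ref in seen:
                return {"$ref": ref}
            return resolve(spec, _lookup(spec, ref), seen + (ref,))
        return {k: resolve(spec, v, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(spec, v, seen) for v in node]
    return node


def _sensitive_props(schema, found=None):
    """Collect sensitive property names anywhere inside a resolved schema."""
    found = set() if found is None else found
    if not isinstance(schema, dict):
        return found
    for name, sub in schema.get("properties", {}).items():
        if name.lower() in SENSITIVE_FIELDS:
            found.add(name)
        _sensitive_props(sub, found)
    _sensitive_props(schema.get("items"), found)
    return found


def analyze(spec):
    """Return (path, method, finding) tuples for the contract checks described above."""
    findings = []
    defined_schemes = set(spec.get("components", {}).get("securitySchemes", {}))
    for path, item in spec.get("paths", {}).items():
        path_params = resolve(spec, item.get("parameters", []))
        for method in HTTP_METHODS:
            if method not in item:
                continue
            op = resolve(spec, item[method])
            for requirement in op.get("security", spec.get("security", [])):
                for scheme in requirement:
                    if scheme not in defined_schemes:
                        findings.append((path, method, f"undefined security scheme '{scheme}'"))
            if op.get("deprecated"):
                findings.append((path, method, "deprecated operation still exposed"))
            params = {p.get("name") for p in op.get("parameters", []) + path_params}
            for code, resp in op.get("responses", {}).items():
                for media in resp.get("content", {}).values():
                    schema = media.get("schema", {})
                    if method == "get" and schema.get("type") == "array" and not params & PAGINATION_PARAMS:
                        findings.append((path, method, f"array response {code} without pagination parameter"))
                    for field in sorted(_sensitive_props(schema)):
                        findings.append((path, method, f"sensitive field '{field}' in response {code}"))
    return findings


if __name__ == "__main__":
    for path, method, finding in analyze(SAMPLE_SPEC):
        print(f"{method.upper():6} {path:12} {finding}")
```

Each finding here is a scoping prompt rather than a vulnerability: an undefined scheme says the spec cannot be trusted on who may call that operation, and an unpaginated list endpoint is a place to budget manual data-exposure testing.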

Limitations and Complementary Activities

middleBrick does not fix, patch, block, or remediate findings; it detects and reports with remediation guidance. It does not execute active SQL injection or command injection, as those tests fall outside its read-only design. Business logic vulnerabilities are outside scope, because they require domain context that an automated scanner cannot infer, and blind SSRF is also out of scope due to the absence of out-of-band infrastructure checks. The tool does not replace a human pentester for high-stakes audits, and you should still plan for manual validation of authentication flows, complex authorization matrices, and business-specific workflows. Use it to reduce noise and to ensure common categories are covered before deeper manual work begins.

Operational Considerations for Pentest Scoping

Authenticated scanning on the Starter tier and above supports Bearer, API key, Basic auth, and Cookie methods, with domain verification enforced via a DNS TXT record or an HTTP well-known file to ensure only the domain owner can submit credentials. A strict header allowlist limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-*, reducing side effects during reconnaissance. Continuous monitoring on the Pro tier provides scheduled rescans every six hours, daily, weekly, or monthly, with diff detection that highlights new findings, resolved findings, and score drift. Email alerts are rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks can notify internal tooling, with auto-disable after five consecutive failures to prevent notification storms. These controls help you plan scoping activities around scan cadence and alerting thresholds.

Frequently Asked Questions

Is 42Crunch a good fit for pentest scoping preparation?
It is a practical preparatory tool for scoping because it quickly maps the API surface and surfaces common vulnerability categories aligned to OWASP API Top 10. It does not perform intrusive exploits or business logic validation, so manual pentest work remains necessary for high-risk or complex domains.
What does it map findings to for compliance scoping discussions?
Findings map directly to OWASP API Top 10 (2023). It also supports alignment with PCI-DSS 4.0 and SOC 2 Type II by surfacing relevant control observations, but it does not certify compliance.
Can authenticated scans validate the security of login flows?
Authenticated scans validate the configuration of authentication mechanisms, such as JWT settings and header handling, but they do not test the strength of credentials or social engineering aspects. Manual credential testing and session management review remain necessary.
Does it replace a human pentester?
No. The tool excludes intrusive testing, business logic analysis, and blind SSRF, so it complements rather than replaces a human pentester for comprehensive scoping and execution.