Migrating from 42Crunch to Lasso Security
What middleBrick covers
- Black-box API scanning under one minute with read-only methods
- 12 OWASP API Top 10 categories including LLM security probes
- OpenAPI 3.x and Swagger 2.0 parsing with spec-to-runtime cross-check
- Authenticated scans with strict header allowlist and domain verification
- CI/CD integration via GitHub Action and MCP Server support
- Continuous monitoring with diff detection and HMAC-SHA256 webhooks
Overview of migration goals
Migrating from a prior scanner to middleBrick centers on preserving scan coverage while changing the toolchain interface. This guide compares detection capabilities, export formats, and operational workflows without asserting equivalence between products.
Detection feature comparison
Compare the categories the prior solution reports against middleBrick's 12 check categories, which cover the OWASP API Top 10 (2023) plus LLM security probes and OpenAPI contract checks. Both tools cover authentication bypass, IDOR, privilege escalation, and data exposure such as PII and API key patterns. MiddleBrick adds LLM security probes with tiered adversarial testing and OpenAPI contract checks that map findings to spec definitions and runtime behavior.
- Authentication checks including JWT alg=none acceptance, expired tokens, and missing claims.
- BOLA and IDOR via sequential ID enumeration and adjacent-ID probing.
- BFLA and property over-exposure through admin endpoint probing.
- Input validation checks for CORS wildcard usage and dangerous methods.
- Rate limiting signals, oversized responses, and unpaginated arrays.
- Data exposure patterns including Luhn-validated cards and error leakage.
- HTTPS enforcement, HSTS, and secure cookie flags.
- SSRF probes targeting URL-accepting parameters and internal IPs.
- Inventory issues like missing versioning and legacy paths.
- Unsafe consumption surface and excessive third-party endpoints.
- LLM security with system prompt extraction and jailbreak probes.
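The data exposure item above mentions Luhn-validated card detection. The point of the Luhn check is false-positive reduction: order IDs, tracking numbers and timestamps are often 13 to 19 digits long, and only a checksum-valid sequence is worth reporting. The following is an added example written for this guide, not middleBrick's own detector; the regex, the function names and the sample response body are all constructed here.

```python
import re

# Candidate PAN: 13 to 19 digits, each optionally followed by a single space or dash,
# not embedded inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(body: str) -> list[str]:
    """Return Luhn-valid digit strings found in a response body (deduplicated, order kept).

    Separators are stripped before validation, so '4242 4242 4242 4242' and
    '4242424242424242' are treated as the same number.
    """
    found: list[str] = []
    for m in PAN_CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found


# Constructed sample response body. 4111... and 4242... are the usual test PANs and are
# Luhn-valid; the 16-digit "tracking" value is not, and the phone number is too short.
SAMPLE_BODY = (
    '{"order_id": 4111111111111111, "card": "4242 4242 4242 4242", '
    '"tracking": "1234567890123456", "phone": "5551234567"}'
)

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE_BODY))
```

Run against a real response the regex alone would flag three candidates; the checksum discards the tracking number. A scanner reporting this class of finding should still mask all but the last four digits in its output, otherwise the report itself becomes a data exposure.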
For frameworks where the prior tool provided raw spec exports, middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution and cross-references spec definitions against runtime findings.
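Two things the paragraph above describes are worth seeing concretely: recursive `$ref` resolution, which must terminate on self-referencing schemas, and the spec-to-runtime cross-check, which turns "endpoints observed live but absent from the spec" into inventory findings. The block below is an added example written for this guide; it is not middleBrick's parser, and it only handles local (`#/...`) references. The spec, the observed endpoint set and the `cross_check` result keys are constructed for illustration.

```python
from copy import deepcopy


def resolve_refs(node, root, seen=None):
    """Recursively replace local {"$ref": "#/..."} pointers with the referenced object.

    `seen` holds the refs on the current resolution path; hitting one again means a cycle
    (e.g. User.manager -> User), which is replaced by a marker instead of recursing forever.
    """
    seen = set() if seen is None else seen
    if isinstance(node, dict):
        ref = node.get("$ref")
        if isinstance(ref, str) and ref.startswith("#/"):
            if ref in seen:
                return {"$circular": ref}
            target = root
            for part in ref[2:].split("/"):
                part = part.replace("~1", "/").replace("~0", "~")  # JSON Pointer unescape
                target = target[part]
            return resolve_refs(deepcopy(target), root, seen | {ref})
        return {k: resolve_refs(v, root, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(v, root, seen) for v in node]
    return node


HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}


def spec_operations(spec):
    """Return the set of (METHOD, path) pairs declared under `paths` (OpenAPI 3.x or Swagger 2.0)."""
    ops = set()
    for path, item in spec.get("paths", {}).items():
        for key in item:                       # skips "parameters", "summary", etc.
            if key.lower() in HTTP_METHODS:
                ops.add((key.upper(), path))
    return ops


def cross_check(spec, observed):
    """Compare declared operations with (METHOD, path) pairs that answered at runtime."""
    declared = spec_operations(spec)
    return {
        "undocumented": sorted(observed - declared),   # live but missing from the spec
        "not_observed": sorted(declared - observed),   # in the spec but never answered
    }


# Constructed sample spec with a self-referencing schema (User.manager -> User).
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "paths": {
        "/users/{id}": {"get": {"responses": {"200": {"content": {"application/json": {
            "schema": {"$ref": "#/components/schemas/User"}}}}}}},
        "/orders": {"post": {"requestBody": {"content": {"application/json": {
            "schema": {"$ref": "#/components/schemas/Order"}}}}}},
    },
    "components": {"schemas": {
        "User": {"type": "object", "properties": {
            "id": {"type": "integer"},
            "manager": {"$ref": "#/components/schemas/User"}}},
        "Order": {"type": "object", "properties": {
            "owner": {"$ref": "#/components/schemas/User"}}},
    }},
}

# Constructed runtime observations: one documented path, one admin path, one legacy version.
SAMPLE_OBSERVED = {("GET", "/users/{id}"), ("GET", "/admin/users"), ("GET", "/v1/orders")}

if __name__ == "__main__":
    print(cross_check(SAMPLE_SPEC, SAMPLE_OBSERVED))
```

The `undocumented` bucket is where inventory findings such as legacy paths and unlisted admin endpoints come from; `not_observed` is usually noise for a read-only scanner (it will not exercise `POST /orders`) and is better used to flag spec drift than as a vulnerability.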
Scan workflow and authentication handling
Initiate a scan by submitting a target URL. MiddleBrick operates as a black-box scanner using read-only methods and completes in under a minute. Authenticated scanning requires domain ownership verification through DNS TXT records or an HTTP well-known file, ensuring only the domain owner can submit credentials.
Supported auth types include Bearer tokens, API keys, Basic auth, and Cookies. The scanner forwards only a header allowlist containing Authorization, X-API-Key, Cookie, and X-Custom-* headers. Compared to the prior tool, middleBrick exposes the same auth surface with stricter origin checks and no code instrumentation.
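The header allowlist is the detail that matters when migrating credentials: anything the scanner forwards reaches the target, so a permissive forwarder can be turned into a `Host`, `X-Forwarded-For` or header-injection vector by whoever configures the scan. The block below is an added example for this guide of the allowlist rule the paragraph describes (exact names plus the `X-Custom-*` prefix); it is not middleBrick's code, and the CRLF check and the sample header set are this example's own additions.

```python
ALLOWED_EXACT = {"authorization", "x-api-key", "cookie"}
ALLOWED_PREFIX = "x-custom-"


def filter_scan_headers(headers: dict[str, str]) -> tuple[dict[str, str], list[str]]:
    """Split user-supplied headers into those forwarded to the target and those dropped.

    Header names are matched case-insensitively (HTTP header names are), and a bare
    'X-Custom-' with no suffix is not treated as a custom header.
    """
    forwarded: dict[str, str] = {}
    dropped: list[str] = []
    for name, value in headers.items():
        key = name.strip().lower()
        allowed = key in ALLOWED_EXACT or (
            key.startswith(ALLOWED_PREFIX) and len(key) > len(ALLOWED_PREFIX)
        )
        # A CR or LF inside a value would let a raw-socket client be tricked into
        # emitting an extra header line, so such values are dropped even if the name is allowed.
        if allowed and "\r" not in value and "\n" not in value:
            forwarded[name] = value
        else:
            dropped.append(name)
    return forwarded, dropped


# Constructed sample: what a user might paste into an authenticated-scan form.
SAMPLE_HEADERS = {
    "Authorization": "Bearer eyJ...",
    "X-Custom-Tenant": "acme",
    "Host": "internal.example.com",              # could redirect the request: dropped
    "X-Forwarded-For": "127.0.0.1",              # IP-allowlist bypass attempt: dropped
    "X-Custom-": "empty-suffix",                 # prefix alone is not a custom header: dropped
    "Cookie": "session=abc\r\nX-Injected: 1",    # CRLF in value: dropped
}

if __name__ == "__main__":
    print(filter_scan_headers(SAMPLE_HEADERS))
```

When mapping the previous tool's configuration, list every header it forwarded and confirm each one survives this filter; anything outside the allowlist (tenant or trace headers under other names, for instance) has to be renamed to the `X-Custom-` form or the scan will run unauthenticated for that path.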
middlebrick scan https://api.example.com
Reporting, integrations, and monitoring
Results appear in the web dashboard with a letter-grade risk score and prioritized findings. You can download branded compliance PDFs aligned with PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). The CLI offers JSON and text output for scripting, and the GitHub Action fails builds when scores drop below a configured threshold.
Pro tier enables scheduled rescans every 6 hours, daily, weekly, or monthly. Diff detection highlights new findings, resolved items, and score drift. Alerts are rate-limited to one email per hour per API, and webhooks use HMAC-SHA256 signing with auto-disable after five consecutive failures. MCP Server support allows scans from AI coding assistants, and the API client supports custom integrations.
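The webhook behaviour described above has two sides that a migration has to reproduce: the receiver must verify the HMAC-SHA256 signature over the raw body in constant time, and the sender stops delivering after five consecutive failures, so a receiver that is briefly broken silently loses its alerts. The block below is an added example for this guide showing both sides; it is not middleBrick's implementation. The signature header name, the `sha256=` prefix and the simulated receiver are assumptions of this example and not documented on the page.

```python
import hashlib
import hmac
import json

MAX_CONSECUTIVE_FAILURES = 5
SIG_HEADER = "X-Signature-256"   # assumed header name; check the real webhook docs


def sign(secret: bytes, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the exact bytes that go on the wire."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, header_value: str) -> bool:
    """Receiver side: recompute over the raw body (never over re-serialised JSON)
    and compare in constant time to avoid a timing oracle."""
    if not header_value.startswith("sha256="):
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header_value[len("sha256="):])


class WebhookSender:
    """Signs each delivery and auto-disables after MAX_CONSECUTIVE_FAILURES failed deliveries.
    `transport(headers, body) -> int` stands in for the HTTP POST and returns a status code."""

    def __init__(self, secret: bytes, transport):
        self.secret = secret
        self.transport = transport
        self.consecutive_failures = 0
        self.disabled = False

    def deliver(self, event: dict) -> bool:
        if self.disabled:
            return False
        body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
        status = self.transport({SIG_HEADER: sign(self.secret, body)}, body)
        if 200 <= status < 300:
            self.consecutive_failures = 0       # any success resets the counter
            return True
        self.consecutive_failures += 1
        if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            self.disabled = True
        return False


def make_receiver(secret: bytes, fail_after=None):
    """Constructed receiver: rejects bad signatures with 401 and, if `fail_after` is set,
    starts answering 500 after that many calls to simulate an outage."""
    calls = {"n": 0}

    def handle(headers, body):
        calls["n"] += 1
        if not verify(secret, body, headers.get(SIG_HEADER, "")):
            return 401
        if fail_after is not None and calls["n"] > fail_after:
            return 500
        return 200

    return handle


if __name__ == "__main__":
    secret = b"shared-secret"
    sender = WebhookSender(secret, make_receiver(secret, fail_after=2))
    for score in (90, 85, 80, 79, 78, 77, 76, 75):
        print(score, sender.deliver({"api": "https://api.example.com", "score": score}))
    print("disabled:", sender.disabled)
```

The practical consequence for the receiver is that it should return a 2xx as soon as the signature checks out and queue the event for processing; doing slow work inline (or answering 401 because the secret was rotated on one side only) will exhaust the five-failure budget and the endpoint will have to be re-enabled by hand.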
Migrate existing CI wiring by replicating trigger conditions and threshold values used with the prior tool. Export formats should be mapped to middleBrick schemas, and any custom thresholds should be reconfigured in the dashboard or CI definitions.
Operational limits and data handling
MiddleBrick does not fix, patch, block, or remediate findings. It detects and reports, with remediation guidance, and it does not send intrusive payloads such as active SQL injection or command injection. Business logic vulnerabilities and blind SSRF are out of scope, and the tool does not replace a human pentester for high-stakes audits.
Destructive payloads are never sent. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data is deletable on demand and purged within 30 days of cancellation. It is never sold and never used for model training.
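Blocking private IPs, localhost and cloud metadata endpoints is the scanner's own SSRF defence: a user-supplied target URL is a request the scanner will make on that user's behalf, so every address the target resolves to has to be checked, not just the literal in the URL. The block below is an added example for this guide of one such check, not middleBrick's implementation; the metadata name list and the fake resolver table are constructed for the example, and the check runs at validation time only, so it assumes the connecting client re-validates the address it actually connects to (a host can answer differently on a second DNS lookup).

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Well-known cloud metadata names and addresses (the list is illustrative, not exhaustive).
METADATA_HOSTS = {"metadata.google.internal", "metadata", "instance-data"}
METADATA_IPS = {ipaddress.ip_address("169.254.169.254"), ipaddress.ip_address("fd00:ec2::254")}


def resolve_all(host: str):
    """Return every address a name resolves to; one private record is enough to reject the host."""
    return {ipaddress.ip_address(ai[4][0]) for ai in socket.getaddrinfo(host, None)}


def is_blocked_ip(ip) -> bool:
    # An IPv4-mapped IPv6 literal such as ::ffff:127.0.0.1 must be judged as 127.0.0.1.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (
        ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved
        or ip.is_multicast or ip.is_unspecified or ip in METADATA_IPS
    )


def check_target(url: str, resolver=resolve_all):
    """Return (ok, reason) for a scan target URL.

    Rejects non-http(s) schemes, localhost and metadata names, and any hostname that
    resolves (wholly or partly) to a private, loopback, link-local or metadata address.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "scheme must be http(s) with a host"
    host = parts.hostname.lower().rstrip(".")
    if host == "localhost" or host.endswith(".localhost") or host in METADATA_HOSTS:
        return False, f"blocked host name: {host}"
    try:
        ips = {ipaddress.ip_address(host)}          # literal address in the URL
    except ValueError:
        try:
            ips = resolver(host)
        except OSError:
            return False, "name does not resolve"
    for ip in sorted(ips, key=str):
        if is_blocked_ip(ip):
            return False, f"resolves to blocked address {ip}"
    return True, "ok"


# Constructed resolver so the example runs offline. 'split.example.com' models a host with one
# public and one private record, which must still be rejected.
FAKE_TABLE = {
    "api.example.com": ["93.184.216.34"],
    "split.example.com": ["93.184.216.35", "10.0.0.5"],
}


def fake_resolver(host: str):
    if host not in FAKE_TABLE:
        raise OSError("NXDOMAIN")
    return {ipaddress.ip_address(a) for a in FAKE_TABLE[host]}


if __name__ == "__main__":
    for u in ("https://api.example.com/v1", "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/", "https://split.example.com/"):
        print(u, check_target(u, fake_resolver))
```

When re-validating exclusion rules after the migration, feed the scanner's own block rules the same literal forms an attacker would try (mapped IPv6, decimal and octal IPv4, trailing dots) and confirm they are all rejected; the address classes above are the minimum, and 0.0.0.0 and the RFC 5737 test ranges are already covered by Python's `is_private`.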
When migrating, plan for re-validation of exclusion rules and internal network filters that may have blocked certain test traffic under the previous solution.