Nessus review
What middleBrick covers
- Black-box scanning with no agents or code access
- Risk score A–F with prioritized findings
- 12 categories aligned to OWASP API Top 10
- OpenAPI 3.x and Swagger 2.0 parsing with $ref resolution
- Authenticated scans with header allowlisting
- Continuous monitoring and diff detection in Pro tier
Overview and scope
This tool is a self-service API security scanner that accepts a URL and returns a risk grade from A to F along with prioritized findings. It performs a black-box assessment, requiring no agents, SDKs, or code access, and supports any language, framework, or cloud target. Read-only methods such as GET and HEAD are used, with text-only POST allowed for LLM probes, and typical scans complete in under a minute.
Detection coverage and compliance mapping
The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023). It maps findings to three specific frameworks: PCI-DSS 4.0 requirement coverage, SOC 2 Type II control validation, and direct mapping to the OWASP API Top 10. Other regulations are addressed through alignment only; the tool helps you prepare for audits and supports audit evidence for those frameworks without claiming certification or compliance.
- Authentication covers multi-method bypass, JWT misconfigurations such as alg=none and HS256, expired or missing claims, and security header and WWW-Authenticate compliance.
- BOLA and IDOR detection includes sequential ID enumeration and active adjacent-ID probing.
- BFLA and privilege escalation checks involve admin endpoint probing and role or permission field leakage.
- Property authorization findings address over-exposure, internal field leakage, and mass-assignment surface.
- Input validation tests for CORS wildcard configurations with and without credentials, dangerous HTTP methods, and debug endpoints.
- Rate limiting and resource consumption checks examine rate-limit headers, oversized responses, and unpaginated arrays.
- Data exposure identifies PII patterns including email, Luhn-validated card numbers, context-aware SSN formats, common API key formats, and error or stack-trace leakage.
- Encryption checks HTTPS redirects, HSTS, cookie flags, and mixed content.
- SSRF detection covers URL-accepting parameters and body fields, internal IP detection, and active IP-bypass probes.
- Inventory management evaluates missing versioning, legacy path patterns, and server fingerprinting.
- Unsafe consumption flags excessive third-party URLs and webhook or callback surface.
- LLM and AI security includes 18 adversarial probes across Quick, Standard, and Deep tiers, testing system prompt extraction, instruction override, jailbreaks, data exfiltration, cost exploitation, encoding bypasses, injection techniques, and token smuggling.
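As an added example (not middleBrick's own code) of the Luhn-validated card-number check in the data exposure item above: candidate digit runs are pulled from a response body and reported, masked, only when the checksum passes. The candidate regex, masking format and sample body are assumptions constructed for the example.

```javascript
// Added example, not the product's code: a data-exposure check that keeps
// only digit runs passing the Luhn checksum, which filters out most random
// numeric IDs that would otherwise be false positives.
"use strict";

// Luhn checksum: from the right, double every second digit, subtract 9 when
// the doubled value exceeds 9, and require the total to be divisible by 10.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Find 13-19 digit runs (spaces or dashes allowed between groups) and report
// only those that satisfy Luhn. Values are masked so the finding itself does
// not re-expose the card number.
function findCardNumbers(body) {
  const candidates = body.match(/\b(?:\d[ -]?){12,18}\d\b/g) || [];
  const findings = [];
  for (const raw of candidates) {
    const digits = raw.replace(/[ -]/g, "");
    if (luhnValid(digits)) {
      const masked = digits.slice(0, 6) + "*".repeat(digits.length - 10) + digits.slice(-4);
      findings.push({ masked, length: digits.length });
    }
  }
  return findings;
}

// Constructed sample response body: one valid test PAN and one 16-digit
// order id that fails Luhn and must not be reported.
const SAMPLE_BODY = JSON.stringify({
  order: "1234567890123456",
  card: "4111 1111 1111 1111",
});
```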
OpenAPI analysis and authenticated scanning
The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution, cross-referencing spec definitions against runtime findings to surface undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For authenticated scans, which require Starter tier or higher, supported methods include Bearer tokens, API keys, Basic auth, and cookies. A domain verification gate, such as a DNS TXT record or an HTTP well-known file, ensures that only the domain owner can run authenticated scans. The scanner forwards a restricted set of headers, allowing only Authorization, X-API-Key, Cookie, and X-Custom-*.
middlebrick scan https://api.example.com --auth-type bearer --token YOUR_TOKEN --output json
Product integrations and monitoring capabilities
The Web Dashboard provides a centralized view to run scans, review reports, track score trends over time, and download branded compliance PDFs. The CLI, distributed as an npm package, enables scriptable assessments with JSON or text output using a simple scan command. A GitHub Action is available to act as a CI/CD gate, failing the build when the score drops below a defined threshold. An MCP server allows integration with AI coding assistants such as Claude and Cursor. An API client offers programmatic access for custom workflows.
Pro tier adds continuous monitoring with configurable intervals of every 6 hours, daily, weekly, or monthly. It performs diff detection across scans to highlight new findings, resolved findings, and score drift. Email alerts are rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks can be configured to auto-disable after 5 consecutive failures. Enterprise tier supports unlimited APIs, custom rules, SSO, audit logs, an SLA, and dedicated support.
Safety posture and limitations
The scanner adopts a read-only methodology and never sends destructive payloads. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data can be deleted on demand and is purged within 30 days of cancellation; data is never sold and is not used for model training.
The tool does not fix, patch, block, or remediate issues; it detects and reports with remediation guidance. It does not perform active SQL injection or command injection testing, which falls outside its non-intrusive scope. Business logic vulnerabilities are not detected, as they require domain-specific human analysis. Blind SSRF is out of scope due to the lack of out-of-band infrastructure, and the scanner does not replace a human pentester for high-stakes audits.