API security for AppSec engineers
What middleBrick covers
- Black-box scanning without agents or code access
- Risk scoring from A to F with prioritized findings
- Coverage of 12 OWASP API Top 10 categories
- Authenticated scans with strict header allowlists
- OpenAPI 3.x and Swagger 2.0 parsing with ref resolution
- CI/CD integration via GitHub Action and MCP Server
Purpose and scope of API security scanning
This scanner is a read-only assessment service for HTTP APIs. You submit a target URL and receive a risk score from A to F along with prioritized findings. The scan uses black-box techniques only: no agents, no SDKs, and no access to source code or runtime environments. It supports any language, framework, or cloud deployment. All destructive payloads are excluded, and the scan completes in under one minute using GET, HEAD, and text-only POST methods.
Detection coverage aligned to industry standards
The scanner evaluates 12 security categories aligned to the OWASP API Top 10 (2023). It maps findings to PCI-DSS 4.0 and SOC 2 Type II controls and validates security controls referenced in the OWASP API Top 10. Detection capabilities include:
- Authentication bypass and JWT misconfigurations
- Broken object level authorization and IDOR
- Broken function level authorization and privilege escalation
- Sensitive data exposure such as PII and API keys
- Input validation issues such as CORS misconfigurations and dangerous methods
- Rate limiting characteristics
- SSRF indicators
- Inventory and versioning issues
- Unsafe consumption surfaces
- LLM/AI security probes across tiered scan depths
OpenAPI specifications in versions 3.0, 3.1, and Swagger 2.0 are parsed with recursive $ref resolution, and spec findings are cross-referenced against runtime behavior.
Authenticated scanning and safety controls
Authenticated scanning is available starting with the Starter tier. Supported methods include Bearer tokens, API keys, Basic authentication, and cookies. Domain verification is required via DNS TXT record or an HTTP well-known file to ensure only the domain owner can scan with credentials. A strict header allowlist is enforced, permitting only Authorization, X-API-Key, Cookie, and X-Custom-* headers. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers to prevent unintended internal probing.
Product features and integration options
The Web Dashboard centralizes scan management, report viewing, score trend tracking, and export of branded compliance PDFs. The CLI, published as an npm package named middlebrick, enables commands such as middlebrick scan <url> with JSON or text output. A GitHub Action is provided to act as a CI/CD gate, failing the build when the score drops below a defined threshold. An MCP Server allows scanning from AI coding assistants, and a programmable API supports custom integrations. Continuous monitoring (Pro tier) adds scheduled rescans, diff detection for score and finding changes, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks with auto-disable after five consecutive failures.
Limitations and responsible use
The tool does not fix, patch, block, or remediate findings; it reports them with guidance for manual follow-up. It does not perform active SQL injection or command injection testing, which requires intrusive payloads outside its scope. Business logic vulnerabilities are not detected, as they require domain context best handled by human analysts. Blind SSRF is out of scope because the scanner has no out-of-band infrastructure, and the scanner does not replace a human pentester for high-stakes audits. Results can be used as audit evidence and to help prepare for reviews, but the scanner itself is not an auditor and cannot certify compliance.