API security for Backend engineers

As a backend engineer, you need evidence that an API behaves as designed under unexpected inputs and access patterns. This scanner focuses on what can be observed without code access, using read-only methods such as GET and HEAD plus text-only POST for LLM probes. It covers authentication bypasses, authorization flaws, input validation issues, data exposure, and infrastructure misconfigurations that directly affect service integrity. Each finding includes a risk score from A to F and prioritized remediation guidance you can act on.

The scanner maps findings to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). It detects common attack patterns such as JWT misconfigurations including alg=none and HS256 usage, security header omissions, and WWW-Authenticate compliance issues. It also identifies BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing, BFLA and privilege escalation through admin endpoint probing, and Property Authorization leaks from over-exposed internal fields. Input validation checks include CORS wildcard usage with credentials, dangerous HTTP methods, and debug endpoints. Data exposure detection covers PII patterns such as email addresses, Luhn-validated card numbers, context-aware SSN formats, and API key formats for AWS, Stripe, GitHub, and Slack. Additional checks include HTTPS redirect issues, HSTS and cookie flags, mixed content, SSRF indicators involving internal IP and metadata endpoints, and inventory issues like missing versioning and server fingerprinting. LLM security testing performs 18 adversarial probes across Quick, Standard, and Deep tiers, targeting system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration, cost exploitation, encoding bypasses, injection techniques, and token smuggling.

The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, then cross-references spec definitions against runtime behavior. It flags undefined security schemes, sensitive fields in responses, deprecated operations, and missing pagination. For authenticated scans, supported methods include Bearer tokens, API keys, Basic auth, and cookies. Domain verification requires a DNS TXT record or an HTTP well-known file to ensure only the domain owner can scan with credentials. A strict header allowlist is enforced, forwarding only Authorization, X-API-Key, Cookie, and X-Custom-* headers. This approach limits the attack surface while still validating authenticated paths.

With Pro tier, you can schedule rescans every six hours, daily, weekly, or monthly. Diff detection highlights new findings, resolved findings, and score drift between scans. Email alerts are rate-limited to one per hour per API. HMAC-SHA256 signed webhooks notify external systems, with auto-disable after five consecutive failures to prevent alert storms. Integration options include a web dashboard for tracking score trends and downloading branded compliance PDFs, a CLI via the middlebrick npm package with JSON or text output, a GitHub Action for CI/CD gates that fails the build when scores drop below a threshold, and an MCP Server for use with AI coding assistants. An API client enables custom integrations for existing toolchains.

The scanner is a detection tool and does not fix, patch, block, or remediate issues. It does not perform active SQL injection or command injection testing, which requires intrusive payloads outside scope. Business logic vulnerabilities are not detected, as they demand domain-specific understanding. Blind SSRF and out-of-band exfiltration checks are not performed. The tool does not replace a human pentester for high-stakes audits. Customer scan data is deletable on demand and purged within 30 days of cancellation. Data is never sold and is not used for model training.