API security for Compliance officers

What middleBrick covers

  • Black-box scanning with no agents or SDK integration
  • Risk scoring with prioritized findings mapped to frameworks
  • Authentication and authorization validation across methods
  • LLM/AI adversarial prompt-injection testing
  • OpenAPI 3.x/2.0 schema parsing and cross-reference
  • Continuous monitoring and alerting options

Mapping findings to compliance frameworks

middleBrick maps findings directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). The scanner categorizes each result under relevant control assertions so that evidence can be traced to specific requirements without claiming certification.

For PCI-DSS 4.0, findings related to authentication integrity, encryption in transit, and error handling align with requirements around cardholder data protection and secure authentication flows. For SOC 2 Type II, observations about access controls, monitoring, and data exposure support trust service criteria evidence. Findings are also mapped to OWASP API Top 10 (2023), covering broken authentication, excessive data exposure, and injection-related issues common to API implementations.

It is important to note that middleBrick is a scanning tool and not an auditor; it cannot certify compliance or guarantee that an organization meets any regulatory framework. The output is intended to support audit evidence and to help security teams assess the state of API controls aligned with recognized standards.

Authentication and authorization testing

The scanner evaluates authentication hardening across multiple methods, including Bearer tokens, API keys, Basic authentication, and cookie-based sessions. It checks for JWT misconfigurations such as alg=none, weak algorithms like HS256 when asymmetric verification is expected, expired tokens, missing claims, and leakage of sensitive data within token payloads.
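The JWT checks listed above, written out as an added inspection routine (example code, not middleBrick's own): it decodes a token's header and payload without trusting them and reports alg=none, a symmetric HMAC algorithm where asymmetric verification is expected, expiry, missing claims, and sensitive claim names. The expected algorithm, required claims, and sensitive claim names are assumptions chosen for the example.

```python
import base64
import json
import time

# Assumptions for this example: the API is expected to verify tokens with an
# asymmetric algorithm (so a symmetric HMAC alg is itself a finding), it
# requires these claims, and these claim names indicate sensitive payload data.
EXPECTED_ALG = "RS256"
REQUIRED_CLAIMS = ("sub", "exp", "iss", "aud")
SENSITIVE_CLAIMS = ("password", "ssn", "card_number", "secret")

def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def inspect_jwt(token, now=None):
    """Return finding codes for a token's header and payload without trusting it."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["MALFORMED_TOKEN"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return ["MALFORMED_TOKEN"]
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return ["MALFORMED_TOKEN"]
    findings = []
    alg = str(header.get("alg", "")).lower()
    if alg in ("", "none"):
        findings.append("ALG_NONE_OR_MISSING")  # unsigned token presented as valid
    elif alg.startswith("hs") and EXPECTED_ALG[:2] in ("RS", "ES", "PS"):
        findings.append("SYMMETRIC_ALG_WHERE_ASYMMETRIC_EXPECTED")
    for claim in REQUIRED_CLAIMS:
        if claim not in payload:
            findings.append("MISSING_CLAIM_" + claim)
    exp = payload.get("exp")
    if isinstance(exp, (int, float)) and exp < now:
        findings.append("EXPIRED")
    for claim in SENSITIVE_CLAIMS:
        if claim in payload:  # payload is only base64-encoded, not encrypted
            findings.append("SENSITIVE_PAYLOAD_" + claim)
    return findings

def make_unsigned_token(header, payload):
    # Builds a constructed sample token for exercising the inspector; not a credential.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc(header) + "." + enc(payload) + "."
```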

Authorization testing includes BOLA and BFLA checks, probing for IDOR via sequential ID enumeration and adjacent ID probing, as well as privilege escalation through admin endpoint discovery and role/permission field exposure. The scanner also inspects property authorization to identify over-exposed fields and mass-assignment surfaces that could allow horizontal or vertical privilege escalation.

Authenticated scans require domain verification through DNS TXT records or HTTP well-known files to ensure only the domain owner can submit credentials. The scanner supports Bearer, API key, Basic auth, and Cookie authentication, with a strict allowlist of headers forwarded to the API. This approach limits exposure while validating that authentication and authorization mechanisms behave as intended under controlled, read-only conditions.

Input validation, data exposure, and infrastructure safety

Input validation checks cover CORS misconfigurations, including wildcard origins and credentialed requests, dangerous HTTP methods, and debug endpoints that should never be exposed in production. Rate-limiting mechanisms are assessed through header detection and oversized response analysis to identify risks of resource exhaustion.

Data exposure findings target PII patterns such as email addresses, Luhn-validated card numbers, and context-aware SSNs, as well as API key formats for AWS, Stripe, GitHub, and Slack. Error and stack-trace leakage is flagged as it can simplify reconnaissance for attackers. Encryption checks verify HTTPS redirects, HSTS presence, and secure cookie flags to ensure transit and storage best practices are observed.
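The data exposure checks described above, as an added example of the detection logic (not middleBrick's own code): candidate card numbers are Luhn-validated so that order ids and other digit runs are not reported, email addresses are matched by pattern, and two well-known key formats are matched by prefix. The response body and the key patterns are constructed for the example; findings carry masked evidence so the report does not re-expose the value.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run (which would be an order id, not a PAN).
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Two well-known key prefixes serve as the example; a real scanner carries more.
KEY_PATTERNS = {
    "AWS_ACCESS_KEY": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "STRIPE_SECRET_KEY": re.compile(r"\bsk_live_[0-9A-Za-z]{16,}\b"),
}
# Constructed sample response body for exercising the scanner (not real data).
SAMPLE_BODY = ('{"user":"alice@example.com","card":"4111 1111 1111 1111",'
               '"ref":"4111111111111112","order":"12345678901234567890",'
               '"key":"AKIAIOSFODNN7EXAMPLE"}')

def luhn_valid(digits):
    """Luhn checksum: filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(value, keep_start, keep_end):
    # Findings should carry evidence without re-exposing the sensitive value.
    hidden = max(len(value) - keep_start - keep_end, 0)
    return value[:keep_start] + "*" * hidden + value[len(value) - keep_end:]

def find_exposures(body):
    """Scan a response body and return (finding_type, masked_evidence) pairs."""
    findings = []
    for m in CARD_CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append(("CARD_NUMBER", mask(digits, 6, 4)))
    for m in EMAIL.finditer(body):
        findings.append(("EMAIL", mask(m.group(0), 2, 0)))
    for name, pattern in KEY_PATTERNS.items():
        for m in pattern.finditer(body):
            findings.append((name, mask(m.group(0), 8, 0)))
    return findings
```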

SSRF probes target URL-accepting parameters and body fields, scanning for internal IP detection and active bypass attempts. Infrastructure safety is maintained through read-only methods only, with destructive payloads never sent. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers, and customer data is deletable on demand and never used for model training.

LLM and AI security probing

The scanner includes specific testing for LLM and AI security risks, executing 18 adversarial probes across three scan tiers labeled Quick, Standard, and Deep. These probes focus on system prompt extraction, instruction override attempts, DAN and roleplay jailbreaks, data exfiltration strategies, and cost exploitation mechanisms.

Additional checks cover base64 and ROT13 encoding bypasses, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool-abuse scenarios, nested instruction injection, and PII extraction attempts. Each tier increases probe depth to help identify surface-level and subtle prompt-injection vectors without performing destructive actions.

These tests are designed to highlight areas where AI-facing endpoints may be vulnerable to manipulation, providing evidence to support remediation efforts such as input sanitization, prompt validation, and tighter access controls around model endpoints.

OpenAPI analysis and continuous monitoring

middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references spec definitions against runtime findings to surface undefined security schemes, sensitive fields, deprecated operations, and missing pagination that can contribute to overexposure.

For ongoing assurance, the Pro tier offers scheduled rescans at intervals of six hours, daily, weekly, or monthly. Diff detection highlights new findings, resolved items, and score drift over time. Email alerts are rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks can be configured with auto-disable after five consecutive failures to prevent alert storms.
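The signed-webhook mechanics above, written out as an added example (not middleBrick's own code): the receiver verifies an HMAC-SHA256 signature in constant time and rejects stale deliveries, and a small sender-side record disables an endpoint after five consecutive failed deliveries. The header names and the signed message layout are assumptions for the example, since the page does not specify a wire format.

```python
import hashlib
import hmac
import time

# Assumed wire format for this example (the page does not specify one): the
# sender signs "<unix_ts>.<raw_body>" with the shared secret and sends the hex
# digest and the timestamp in two headers.
SIGNATURE_HEADER = "X-Webhook-Signature"
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
MAX_SKEW_SECONDS = 300          # reject stale or replayed deliveries
MAX_CONSECUTIVE_FAILURES = 5    # auto-disable threshold stated on the page

def sign(secret, timestamp, body):
    """Sender side: HMAC-SHA256 over the timestamp and raw body bytes."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def verify(secret, headers, body, now=None):
    """Receiver side: accept a delivery only if it is fresh and correctly signed."""
    now = time.time() if now is None else now
    try:
        ts = int(headers[TIMESTAMP_HEADER])
        provided = str(headers[SIGNATURE_HEADER])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    try:
        return hmac.compare_digest(sign(secret, ts, body), provided)
    except TypeError:  # non-ASCII signature value
        return False

class WebhookEndpoint:
    """Sender-side bookkeeping: disable after five consecutive failed deliveries."""
    def __init__(self):
        self.consecutive_failures = 0
        self.enabled = True

    def record_delivery(self, succeeded):
        """Update state after one delivery attempt; returns whether still enabled."""
        if succeeded:
            self.consecutive_failures = 0
        elif self.enabled:
            self.consecutive_failures += 1
            if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
                self.enabled = False  # re-enabling is a manual operator action
        return self.enabled
```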

Organizations seeking tighter integration can use the CLI via the middlebrick npm package, the GitHub Action to gate CI/CD builds when scores drop below a threshold, or the MCP Server to run scans from AI coding assistants. The API client enables custom workflows for teams that require programmatic access to scan results and remediation tracking.

Frequently Asked Questions

Can middleBrick fix the vulnerabilities it finds?

No. The scanner detects and reports findings with remediation guidance, but it does not patch, block, or remediate issues automatically.

Does the scanner perform active SQL or command injection testing?

No. It does not execute intrusive payloads for SQL injection or command injection, as those tests fall outside its non-intrusive scope.

Can it detect business logic vulnerabilities?

It does not detect business logic vulnerabilities, which require domain context and human expertise to evaluate workflows and edge cases.

Is compliance certification provided with scan results?

No. middleBrick is a scanning tool and does not certify compliance or attest to meeting any regulatory framework.