API security for Security architects

The scanner maps findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). Each finding includes a risk score from A to F and prioritized remediation guidance. You can use the results to validate controls, support audit evidence, and align security activities with established compliance expectations.

MiddleBrick operates as a black-box scanner with no agents, no SDK, and no code access. It supports any language, framework, or cloud target using read-only methods (GET and HEAD) plus text-only POST for LLM probes. Scan completion typically occurs under one minute. The tool does not fix, patch, block, or remediate; it identifies and describes how an attacker could validate the issue.

The scanner covers 12 categories aligned to OWASP API Top 10, including Authentication bypass and JWT misconfigurations such as alg=none, HS256, expired or missing claims, and sensitive data in tokens. It tests for BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing, and BFLA through admin endpoint probing and role/permission field leakage. Property Authorization findings address over-exposure and internal field leakage, while Input Validation checks for CORS wildcard usage with credentials and dangerous HTTP methods. Rate Limiting and Resource Consumption detection includes rate-limit header analysis and oversized responses. Data Exposure covers PII patterns, Luhn-validated card numbers, context-aware SSN, API key formats, and error or stack-trace leakage. Encryption checks for HTTPS redirects, HSTS, and cookie flags. SSRF probes target URL-accepting parameters and internal IP-bypass attempts. Inventory Management reviews versioning and legacy paths, and Unsafe Consumption surfaces third-party URL and webhook exposure. LLM / AI Security runs 18 adversarial probes across Quick, Standard, and Deep tiers, including system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration, cost exploitation, encoding bypasses, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool-abuse, nested instruction injection, PII extraction, and base64/ROT13 evasion.

MiddleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, cross-referencing spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For authenticated scans at the Starter tier and above, support includes Bearer, API key, Basic auth, and Cookie. A domain verification gate ensures only domain owners can scan with credentials, using DNS TXT records or an HTTP well-known file. The scanner forwards a restricted allowlist of headers, limited to Authorization, X-API-Key, Cookie, and X-Custom-*.

The Web Dashboard centralizes scans, score trends, and branded compliance PDF downloads. The CLI via the middlebrick npm package supports middlebrick scan <url> with JSON or text output. The GitHub Action enforces CI/CD gates and fails the build when the score drops below your chosen threshold. The MCP Server enables scans from AI coding assistants such as Claude and Cursor. Continuous monitoring in the Pro tier provides scheduled rescans every 6 hours, daily, weekly, or monthly, diff detection across scans, email alerts rate-limited to 1 per hour per API, and HMAC-SHA256 signed webhooks that auto-disable after 5 consecutive failures. Scan data is deletable on demand and purged within 30 days of cancellation; data is never sold and is not used for model training.