Internal APIs security

What middleBrick covers

  • Black-box scanning with no agents or code access
  • Authentication via Bearer, API key, Basic, and Cookie
  • Detection of authentication bypass and JWT misconfigurations
  • BOLA, IDOR, BFLA, and privilege escalation probing
  • OpenAPI 3.0/3.1 and Swagger 2.0 parsing with ref resolution
  • Read-only methods and strict safety posture

Internal APIs expand the attack surface

Internal APIs move data and logic inside your environment. Even when they are not exposed to the public internet, they often trust implicit boundaries, shared networks, and assumed identities. Black-box scanning against internal API endpoints helps surface risky configurations and unexpected behaviors without requiring code access or agents.

Authentication and security header issues

A primary risk for internal APIs is weak or inconsistent authentication. The scanner checks for authentication bypass across each supported authentication method, JWT misconfigurations such as alg=none or HS256 with weak secrets, expired or missing claims, and sensitive data placed in tokens. It also validates the presence and correctness of security headers and WWW-Authenticate compliance. You can provide authentication via Bearer, API key, Basic auth, or cookies, and the scanner validates domain ownership through a DNS TXT record or an HTTP well-known file before proceeding.
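As an added illustration of the JWT checks described above (example code, not middleBrick's own), a minimal standard-library verifier that enforces a server-side algorithm allow-list, rejects alg=none and tampered signatures, and requires sub/exp/iss claims; the signing key, claim names and tokens are constructed for the demo.

```python
import base64, hmac, hashlib, json, time

# Constructed demo values; a real service loads its key from a secret store.
SECRET = b"example-signing-key-for-demo-only"
ALLOWED_ALGS = {"HS256"}            # the server decides, never the token header
REQUIRED_CLAIMS = {"sub", "exp", "iss"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict, alg: str = "HS256", key: bytes = SECRET) -> str:
    """Build a compact JWT. alg='none' is only produced to show the verifier rejecting it."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = "" if alg == "none" else _b64url(hmac.new(key, signing_input, hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"

def verify_token(token: str, key: bytes = SECRET, now=None):
    """Return (ok, reason). Checks structure, algorithm, signature, required claims, expiry."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return False, "undecodable"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed"
    # Reject alg=none and any algorithm the server did not configure (blocks key confusion too).
    if header.get("alg") not in ALLOWED_ALGS:
        return False, f"algorithm not allowed: {header.get('alg')}"
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so signature checks do not leak timing information.
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        return False, "bad signature"
    missing = REQUIRED_CLAIMS - claims.keys()
    if missing:
        return False, f"missing claims: {sorted(missing)}"
    if not isinstance(claims["exp"], (int, float)) or claims["exp"] <= now:
        return False, "expired"
    return True, "ok"
```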

Broken object level authorization and privilege escalation

Internal APIs commonly expose identifiers that can be incremented or guessed, leading to BOLA or IDOR. The scanner performs sequential ID enumeration and active adjacent-ID probing to detect insecure direct object references. It also probes for BFLA and privilege escalation by targeting admin endpoints and looking for role or permission field leakage. Findings include over-exposed properties, internal field leakage, and large attack surfaces from mass-assignment patterns.

Input validation, SSRF considerations, and resilience

CORS wildcards, dangerous HTTP methods, and debug endpoints are detected as part of input validation checks. The scanner identifies URL-accepting parameters and body fields that could lead to SSRF, looks for internal IP patterns, and runs active IP-bypass probes while blocking private IPs, localhost, and cloud metadata endpoints at multiple layers. Because these tests are read-only, destructive payloads are never sent.

OpenAPI analysis and runtime cross-validation

The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references spec definitions against runtime behavior to find undefined security schemes, sensitive fields, deprecated operations, and missing pagination. This helps you identify mismatches between documented behavior and actual implementation in internal APIs.

Frequently Asked Questions

Can this replace a penetration test for internal APIs?
It does not replace a human pentester for high-stakes audits. The tool detects configuration and common implementation issues and provides remediation guidance, but business logic vulnerabilities require domain expertise.
Does the scanner test SQL injection or command injection?
No. It does not perform active SQL injection or command injection, as those require intrusive payloads outside the scope of black-box scanning.
What authentication methods are supported?
Bearer, API key, Basic auth, and Cookie authentication are supported. Domain verification is required when credentials are used to ensure only the domain owner can scan with secrets.
Is scan data stored or used for model training?
Customer data is never sold and is not used for model training. Data is deletable on demand and purged within 30 days of cancellation.