Pre-acquisition API security check

A pre-acquisition API security check establishes a baseline security posture before integration or purchase. The goal is to surface authentication, authorization, and data exposure risks early, reducing the likelihood of inheriting vulnerable endpoints.

Authentication coverage includes multi-method bypass checks, JWT misconfigurations such as alg=none, HS256 usage, expired or missing claims, and sensitive data within tokens. The scanner also evaluates security headers and WWW-Authenticate compliance.

Authorization checks detect BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing, along with BFLA and privilege escalation through admin endpoint probing and role/permission field leakage. Property authorization findings highlight over-exposure, internal field leakage, and mass-assignment surface.

Input validation covers CORS wildcard configurations (with and without credentials), dangerous HTTP methods, and debug endpoints. Rate limiting and resource consumption findings include rate-limit header detection, oversized responses, and unpaginated arrays that may lead to denial of service.

Data exposure identifies PII patterns such as email addresses, Luhn-validated card numbers, context-aware SSNs, and API key formats for AWS, Stripe, GitHub, and Slack. Error and stack-trace leakage is also surfaced, alongside encryption checks for HTTPS redirects, HSTS, cookie flags, and mixed content.

The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution. It cross-references spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination.

LLM security probes exercise 18 adversarial techniques across three scan tiers. These include system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration, cost exploitation, base64 and ROT13 encoding bypass, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool-abuse, nested instruction injection, and PII extraction.

Authenticated scanning supports Bearer, API key, Basic auth, and Cookie methods. Domain verification via DNS TXT records or HTTP well-known files ensures only domain owners can scan with credentials. Header forwarding is limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers.

Integrations include a Web Dashboard for scan management and trend tracking, a CLI via the middlebrick npm package, a GitHub Action for CI/CD gating, an MCP Server for AI coding assistants, and a programmable API for custom workflows. Continuous monitoring options provide scheduled rescans, diff detection, email alerts, HMAC-SHA256 signed webhooks, and auto-disable after consecutive failures.

Scan data is read-only; destructive payloads are never sent. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer data is deletable on demand and purged within 30 days of cancellation. It is not sold or used for model training.