Pre-production API security check

Pre-production checks surface integration risks before code reaches production endpoints. The goal is to reduce findings that would require rework after deployment. This stage is ideal for validating authentication flows, input handling, and data exposure paths against common API weaknesses.

The scanner runs a black-box assessment using read-only methods (GET and HEAD) plus text-only POST for LLM probes. It completes in under a minute and does not require agents, SDKs, or code access. Detection categories are aligned to OWASP API Top 10 (2023) and include authentication bypass, BOLA and BFLA, property over-exposure, input validation issues, rate limiting characteristics, data exposure patterns, encryption posture, SSRF indicators, inventory deficiencies, unsafe consumption surfaces, and LLM/AI security probes across three depth tiers.

• Authentication checks multi-method bypass and JWT misconfigurations such as alg=none, weak key choices, expired tokens, missing claims, and sensitive data in claims.
• Broken Object Level Authorization is tested through sequential ID enumeration and active adjacent-ID probing.
• Broken Function Level Authorization involves admin endpoint probing and detection of role or permission field leakage.
• Property Authorization focuses on over-exposure, internal field leakage, and mass-assignment surface.
• Input Validation covers CORS wildcard usage with and without credentials, dangerous HTTP methods, and debug endpoints.
• Rate Limiting and Resource Consumption evaluates rate-limit headers, oversized responses, and unpaginated arrays.
• Data Exposure identifies PII patterns, API key formats, and error or stack-trace leakage.
• Encryption reviews HTTPS redirects, HSTS, cookie flags, and mixed content.
• SSRF testing includes URL-accepting parameters, internal IP detection patterns, and active IP-bypass probes.
• LLM / AI Security runs 18 adversarial probes across Quick, Standard, and Deep tiers, including system prompt extraction, instruction override, jailbreak techniques, data exfiltration attempts, and token smuggling.

OpenAPI analysis supports versions 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution. The scanner cross-references specification definitions against runtime observations to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For authenticated scans, which require the Starter tier or higher, supported methods include Bearer, API key, Basic auth, and Cookie. Domain ownership is verified through a gate such as a DNS TXT record or an HTTP well-known file, ensuring only the domain owner can submit credentials. Header forwarding is limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers.

curl -X POST https://api.middlebrick.example/v1/scan \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://api.example.com",
    "auth": {
      "type": "bearer",
      "token": "exampleToken"
    }
  }'

Each scan returns a risk score graded A through F along with prioritized findings. Reports include evidence, remediation guidance, and mapping to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). You can download branded compliance PDFs from the web dashboard. The CLI provides JSON or text output for scripting, and the GitHub Action can fail builds when the score drops below a defined threshold. Continuous monitoring options in higher tiers rescan on intervals, diff findings across scans, and deliver alerts via email or Slack/Teams, with webhooks protected by HMAC-SHA256 signatures.

middlebrick scan https://api.example.com --format json

The scanner does not fix, patch, block, or remediate issues; it detects and reports with guidance. It does not execute active SQL injection or command injection tests, which fall outside the read-only scope. Business logic vulnerabilities require domain expertise and are not detectable through automated scanning. Blind SSRF and other out-of-band infrastructure tests are not in scope, and the tool is not a replacement for a human pentester in high-stakes audits. Safety measures include read-only methods only, blocking private IPs, localhost, and cloud metadata endpoints, and deleting customer data on demand within 30 days of cancellation.