Vendor onboarding API security check
What middleBrick covers
- Black-box API scanning that completes in under one minute
- Risk scoring from A to F with prioritized findings
- OWASP API Top 10 (2023) aligned detection coverage
- OpenAPI 3.0/3.1 and Swagger 2.0 contract cross-validation
- Authenticated scans with domain verification gate
- Pro monitoring with diff detection and webhook alerts
Purpose of vendor onboarding API security checks
Integrating a new vendor API introduces a new attack surface that can affect your availability, data integrity, and compliance posture. A focused API security check at onboarding time maps findings to the most relevant risks before production traffic is allowed. This process aligns with security controls described in SOC 2 Type II and supports audit evidence for PCI-DSS 4.0 requirements related to third-party connections.
What the scan evaluates
The scanner performs a black-box assessment using only read-only methods (GET and HEAD) plus text-only POST for LLM probes, completing in under a minute. It covers 12 security categories aligned to OWASP API Top 10 (2023), including authentication bypass, broken object level authorization, excessive data exposure, input validation issues, SSRF indicators, and LLM-specific adversarial probes. Each finding includes a risk score from A to F and prioritized remediation guidance.
- Authentication and security header compliance, including JWT misconfigurations such as alg=none and expired tokens.
- IDOR and BOLA via sequential ID enumeration and adjacent resource probing.
- BFLA and privilege escalation through admin endpoint discovery and role leakage.
- Property over-exposure and mass-assignment surfaces.
- CORS misconfigurations, dangerous methods, and debug endpoints.
- Rate limiting behavior and oversized responses that risk resource consumption.
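The first bullet names the two JWT defects the scanner probes for, alg=none and expired tokens. The following verifier is an added example (not middleBrick's code) of what a receiving service must enforce so those probes come back clean: an explicit algorithm allowlist, a constant-time signature check, and a mandatory exp claim. The key and the tokens are constructed fixtures.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key for the sample tokens; a real service loads its key from a secret store.
SAMPLE_KEY = b"constructed-demo-key-not-for-real-use"
# Explicit allowlist: the token's own "alg" header is never trusted on its own.
ALLOWED_ALGS = {"HS256"}


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims, key, alg="HS256"):
    """Build a compact JWT for the demo; alg="none" yields an unsigned token (test fixture only)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token, key, now=None):
    """Return (ok, reason): rejects alg=none or unknown algs, bad signatures, missing or past exp."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers base64 (binascii.Error) and JSON decode errors
        return False, "undecodable"
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg not in ALLOWED_ALGS:
        return False, f"alg not allowed: {alg!r}"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return False, "missing exp"
    if now >= exp:
        return False, "expired"
    return True, "ok"
```

The allowlist is what closes the alg=none case: the check never asks "is this algorithm recognised?" but "is it one we configured?", so an RS256-vs-HS256 key confusion is rejected for the same reason.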
OpenAPI and contract validation
The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution, then cross-references the spec against runtime behavior. It highlights undefined security schemes, deprecated operations, missing pagination, and sensitive fields that are not reflected in the contract. This helps you prepare for audits by surfacing findings relevant to documented API interfaces and identifying deviations before they reach production.
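To make the contract checks above concrete, here is an added example (not middleBrick's parser) of recursive local $ref resolution over an OpenAPI 3.0 document followed by three of the audits the paragraph lists: security requirements that name an undefined scheme, operations with no security requirement at all, deprecated operations, and sensitive field names surfacing in response schemas. The spec is a constructed fragment and the sensitive-field list is an assumption; remote (file or URL) refs are out of scope.

```python
import copy

# Constructed OpenAPI 3.0 fragment used as sample input; not a real vendor contract.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {"apiKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"}},
        "schemas": {
            "Address": {"type": "object", "properties": {"street": {"type": "string"}}},
            "Customer": {
                "type": "object",
                "properties": {
                    "id": {"type": "integer"},
                    "address": {"$ref": "#/components/schemas/Address"},
                    "ssn": {"type": "string"},
                },
            },
        },
        "responses": {
            "CustomerOK": {
                "description": "ok",
                "content": {"application/json": {"schema": {"$ref": "#/components/schemas/Customer"}}},
            }
        },
    },
    "paths": {
        "/customers/{id}": {
            "get": {"security": [{"apiKey": []}], "responses": {"200": {"$ref": "#/components/responses/CustomerOK"}}},
            "delete": {"deprecated": True, "security": [{"oauth": ["admin"]}], "responses": {"204": {"description": "gone"}}},
        },
        "/health": {"get": {"responses": {"200": {"description": "ok"}}}},
    },
}

# Assumed list of property names worth flagging when they appear in a response schema.
SENSITIVE_FIELDS = {"ssn", "password", "secret", "token"}
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}


def resolve_pointer(root, ref):
    """Resolve a local JSON pointer such as '#/components/schemas/X' against the document root."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local refs are supported: {ref}")
    node = root
    for part in ref[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node


def resolve_refs(spec):
    """Return a deep copy of spec with every local $ref inlined; a ref cycle is left as a $ref."""
    return _resolve(spec, spec, frozenset())


def _resolve(root, node, seen):
    if isinstance(node, dict):
        if "$ref" in node:
            ref = node["$ref"]
            if ref in seen:
                return {"$ref": ref}  # cycle guard: keep the ref rather than recursing forever
            return _resolve(root, copy.deepcopy(resolve_pointer(root, ref)), seen | {ref})
        return {k: _resolve(root, v, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [_resolve(root, v, seen) for v in node]
    return node


def _walk_properties(node):
    """Yield every property name reachable in a resolved schema tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "properties" and isinstance(value, dict):
                for name, sub in value.items():
                    yield name
                    yield from _walk_properties(sub)
            else:
                yield from _walk_properties(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk_properties(value)


def audit_spec(spec):
    """Return (kind, location) findings for undefined schemes, unauthenticated, deprecated and sensitive ops."""
    resolved = resolve_refs(spec)
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    global_security = spec.get("security", [])
    findings = []
    for path, item in resolved.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            where = f"{method.upper()} {path}"
            security = op.get("security", global_security)  # operation-level overrides global
            if not security:
                findings.append(("no-security", where))
            for requirement in security:
                for scheme in requirement:
                    if scheme not in defined:
                        findings.append(("undefined-scheme", f"{where}: {scheme}"))
            if op.get("deprecated"):
                findings.append(("deprecated", where))
            for field in _walk_properties(op.get("responses", {})):
                if field in SENSITIVE_FIELDS:
                    findings.append(("sensitive-field", f"{where}: {field}"))
    return findings
```

The cycle guard matters in practice: recursive schemas (a node whose property references the same node) are common in vendor specs, and a naive inliner never terminates on them.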
Authenticated scanning and domain verification
For endpoints that require authentication, the Starter tier and above support Bearer tokens, API keys, Basic auth, and cookies. Before credentials are accepted, a domain verification gate checks DNS TXT records or an HTTP well-known file to confirm that you control the domain. Only the Authorization, X-API-Key, Cookie, and X-Custom-* headers are forwarded, ensuring that sensitive tokens are not exposed beyond the intended target.
middlebrick scan https://api.vendor.example.com --auth-type bearer --token YOUR_TOKEN
Ongoing monitoring and integration options
Pro tier capabilities enable scheduled rescans every 6 hours, daily, weekly, or monthly with diff detection to surface new findings or resolved issues. You can configure email alerts limited to one per hour per API and HMAC-SHA256 signed webhooks that auto-disable after 5 consecutive failures. The scanner integrates with web dashboards for trend tracking, provides a CLI for on-demand checks, offers a GitHub Action to fail builds below a score threshold, and exposes an API client for custom workflows. An MCP server allows scans from AI coding assistants such as Claude and Cursor.
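The webhook alerts above are HMAC-SHA256 signed and auto-disable after 5 consecutive failures. As an added example that is not middleBrick's code, the block below shows both halves of that contract: the receiver-side verification a defender should implement (constant-time comparison, freshness window) and the sender-side bookkeeping that disables a destination at the failure limit. The header names, the timestamp binding in the signed message and the 300-second skew tolerance are assumptions; the page states only the algorithm and the failure threshold.

```python
import hashlib
import hmac
import json
import time

# Assumed header names; the page does not state which headers middleBrick uses.
SIGNATURE_HEADER = "X-Webhook-Signature"
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
MAX_SKEW_SECONDS = 300  # assumed freshness window for replayed deliveries
MAX_CONSECUTIVE_FAILURES = 5  # threshold stated on the page


def sign_payload(secret, timestamp, body):
    """HMAC-SHA256 over 'timestamp.body' so a captured delivery cannot be replayed indefinitely."""
    msg = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_delivery(secret, headers, body, now=None):
    """Receiver side: return (ok, reason). Compare in constant time; reject stale or missing timestamps."""
    now = int(time.time()) if now is None else now
    sig = headers.get(SIGNATURE_HEADER, "")
    ts_raw = headers.get(TIMESTAMP_HEADER, "")
    if not ts_raw.isdigit():
        return False, "missing or invalid timestamp"
    ts = int(ts_raw)
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside tolerance"
    expected = sign_payload(secret, ts, body)
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch"
    return True, "ok"


class WebhookEndpoint:
    """Sender side: signs deliveries and disables the endpoint after consecutive failures."""

    def __init__(self, url, secret):
        self.url = url
        self.secret = secret
        self.consecutive_failures = 0
        self.enabled = True

    def build_request(self, event, now):
        # Canonical JSON so sender and receiver hash byte-identical bodies.
        body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
        headers = {
            "Content-Type": "application/json",
            TIMESTAMP_HEADER: str(now),
            SIGNATURE_HEADER: sign_payload(self.secret, now, body),
        }
        return headers, body

    def record_result(self, delivered):
        """Reset the counter on success; disable once the failure limit is reached. Returns enabled state."""
        if delivered:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
                self.enabled = False
        return self.enabled


if __name__ == "__main__":
    secret = b"constructed-webhook-secret"
    endpoint = WebhookEndpoint("https://hooks.example.invalid/middlebrick", secret)
    now = int(time.time())
    # Constructed alert event resembling a rescan diff notification.
    headers, body = endpoint.build_request({"api": "https://api.vendor.example.com", "score": "B", "new_findings": 1}, now)
    print(verify_delivery(secret, headers, body, now=now))
    print(verify_delivery(secret, headers, body + b" ", now=now))
```

On the receiving side, read the raw request bytes before any JSON parsing and re-serialisation, and look headers up case-insensitively in frameworks that normalise them; either slip produces a spurious "signature mismatch" that, counted five times, silences the alert channel.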