implementing-api-security-testing-with-42crunch
Implement comprehensive API security testing using the 42Crunch platform to perform static audit and dynamic conformance scanning of OpenAPI specifications.
Best use case
implementing-api-security-testing-with-42crunch is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Implement comprehensive API security testing using the 42Crunch platform to perform static audit and dynamic conformance scanning of OpenAPI specifications.
Teams using implementing-api-security-testing-with-42crunch should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/implementing-api-security-testing-with-42crunch/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How implementing-api-security-testing-with-42crunch Compares
| Feature / Agent | implementing-api-security-testing-with-42crunch | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Implement comprehensive API security testing using the 42Crunch platform to perform static audit and dynamic conformance scanning of OpenAPI specifications.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
AI Agents for Marketing
Discover AI agents for marketing workflows, from SEO and content production to campaign research, outreach, and analytics.
AI Agents for Startups
Explore AI agent skills for startup validation, product research, growth experiments, documentation, and fast execution with small teams.
SKILL.md Source
# Implementing API Security Testing with 42Crunch
## Overview
42Crunch is an API security platform that combines Shift-Left security testing with Shield-Right runtime protection. It provides API Audit for static security analysis of OpenAPI definitions, API Conformance Scan for dynamic vulnerability detection, and API Protect for real-time threat prevention. The platform integrates into CI/CD pipelines and IDEs to identify OWASP API Security Top 10 vulnerabilities before and after deployment.
## When to Use
- When deploying or configuring implementing api security testing with 42crunch capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
## Prerequisites
- 42Crunch platform account (free tier available for evaluation)
- OpenAPI Specification (OAS) v2.0, v3.0, or v3.1 definitions for target APIs
- IDE with 42Crunch extension (VS Code, IntelliJ, or Eclipse)
- CI/CD pipeline (Jenkins, GitHub Actions, Azure DevOps, or GitLab CI)
- Running API instance for dynamic scanning (conformance scan)
- Node.js or Python environment for CLI tooling
## Core Concepts
### API Audit (Static Analysis)
API Audit performs static security analysis of OpenAPI definitions without requiring a running API. It evaluates the specification against 300+ security checks organized into categories:
**Security Score Categories:**
- **Data Validation**: Schema definitions, parameter constraints, response validation
- **Authentication**: Security scheme definitions, scope requirements
- **Transport Security**: Server URL schemes, TLS requirements
- **Error Handling**: Error response definitions, information leakage prevention
**Running API Audit via VS Code Extension:**
1. Install the 42Crunch extension from the VS Code marketplace
2. Open an OpenAPI specification file (YAML or JSON)
3. Click the security audit icon in the editor toolbar
4. Review the security score (0-100) and individual findings
5. Address issues using the inline remediation guidance
**Example OpenAPI Definition with Security Controls:**
```yaml
openapi: 3.0.3
info:
title: Secure User API
version: 1.0.0
servers:
- url: https://api.example.com/v1
description: Production server (HTTPS only)
security:
- BearerAuth: []
paths:
/users/{userId}:
get:
operationId: getUserById
summary: Retrieve user by ID
parameters:
- name: userId
in: path
required: true
schema:
type: string
format: uuid
pattern: '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
maxLength: 36
responses:
'200':
description: User details
content:
application/json:
schema:
$ref: '#/components/schemas/User'
'400':
description: Invalid request
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
'401':
description: Unauthorized
'404':
description: User not found
components:
securitySchemes:
BearerAuth:
type: http
scheme: bearer
bearerFormat: JWT
schemas:
User:
type: object
required:
- id
- email
properties:
id:
type: string
format: uuid
readOnly: true
email:
type: string
format: email
maxLength: 254
name:
type: string
maxLength: 100
pattern: '^[a-zA-Z\s\-]+$'
additionalProperties: false
Error:
type: object
required:
- code
- message
properties:
code:
type: integer
format: int32
message:
type: string
maxLength: 256
additionalProperties: false
```
### API Conformance Scan (Dynamic Testing)
The conformance scan dynamically tests a running API against its OpenAPI contract to detect runtime vulnerabilities including OWASP API Security Top 10 issues:
**Scan v2 Configuration:**
```yaml
# 42c-conf.yaml
version: "2.0"
scan:
target:
url: https://api.example.com/v1
authentication:
- type: bearer
token: "${API_TOKEN}"
in: header
name: Authorization
settings:
maxScanTime: 3600
requestsPerSecond: 10
followRedirects: false
tests:
owasp:
- bola
- bfla
- injection
- ssrf
- massAssignment
- excessiveDataExposure
```
**Running Conformance Scan via CLI:**
```bash
# Install the 42Crunch CLI
npm install -g @42crunch/cicd-cli
# Run conformance scan
42crunch-cli scan \
--api-definition ./openapi.yaml \
--target-url https://api.example.com/v1 \
--token $CRUNCH_TOKEN \
--min-score 70 \
--report-format sarif \
--output scan-report.sarif
```
### CI/CD Pipeline Integration
**GitHub Actions Integration:**
```yaml
name: API Security Testing
on:
push:
paths:
- 'api/**'
- 'openapi/**'
jobs:
api-security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: 42Crunch API Audit
uses: 42Crunch/api-security-audit-action@v3
with:
api-token: ${{ secrets.CRUNCH_API_TOKEN }}
collection-name: "my-api-collection"
min-score: 75
upload-to-code-scanning: true
- name: 42Crunch Conformance Scan
if: github.ref == 'refs/heads/main'
uses: 42Crunch/api-conformance-scan@v1
with:
api-token: ${{ secrets.CRUNCH_API_TOKEN }}
target-url: ${{ secrets.STAGING_API_URL }}
scan-config: ./42c-conf.yaml
```
**Jenkins Pipeline Integration:**
```groovy
pipeline {
agent any
stages {
stage('API Security Audit') {
steps {
script {
def auditResult = sh(
script: '''
42crunch-cli audit \
--api-definition openapi.yaml \
--token ${CRUNCH_TOKEN} \
--min-score 75 \
--report-format json \
--output audit-report.json
''',
returnStatus: true
)
if (auditResult != 0) {
error("API Security Audit failed - score below threshold")
}
}
}
}
stage('Conformance Scan') {
when { branch 'main' }
steps {
sh '''
42crunch-cli scan \
--api-definition openapi.yaml \
--target-url ${STAGING_URL} \
--token ${CRUNCH_TOKEN} \
--scan-config 42c-conf.yaml
'''
}
}
}
post {
always {
archiveArtifacts artifacts: '*-report.*'
publishHTML([
reportDir: '.',
reportFiles: 'audit-report.html',
reportName: 'API Security Report'
])
}
}
}
```
### API Protect (Runtime Protection)
API Protect deploys as a micro-gateway in front of API endpoints to enforce the OpenAPI contract at runtime:
```yaml
# api-protect-config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: api-protect-config
data:
protection-config.json: |
{
"apiDefinition": "/config/openapi.yaml",
"enforcement": {
"validateRequests": true,
"validateResponses": true,
"blockOnFailure": true,
"logLevel": "warn"
},
"rateLimit": {
"enabled": true,
"requestsPerMinute": 100,
"burstSize": 20
},
"allowlist": {
"contentTypes": ["application/json"],
"methods": ["GET", "POST", "PUT", "DELETE"]
}
}
```
## Remediation Workflow
When 42Crunch identifies issues, follow this remediation process:
1. **Triage**: Review findings sorted by severity (Critical, High, Medium, Low)
2. **Analyze**: Understand the specific security control missing from the OpenAPI definition
3. **Fix**: Apply the recommended changes to the specification
4. **Validate**: Re-run audit to confirm the score improvement
5. **Deploy**: Push the updated specification through the CI/CD pipeline
**Common Audit Findings and Fixes:**
| Finding | Severity | Fix |
|---------|----------|-----|
| No authentication defined | Critical | Add securitySchemes and security requirements |
| Missing input validation | High | Add type, format, pattern, maxLength constraints |
| Server URL uses HTTP | High | Change server URLs to HTTPS |
| No error responses defined | Medium | Add 4xx and 5xx response definitions |
| additionalProperties not restricted | Medium | Set additionalProperties: false on object schemas |
| Missing rate limiting | Medium | Add x-rateLimit extension or use API Protect |
## Key Security Checks
42Crunch evaluates APIs against these critical security areas:
- **BOLA Prevention**: Validates that object-level authorization patterns are defined
- **BFLA Prevention**: Checks for function-level access control definitions
- **Injection Prevention**: Ensures input parameters have proper type/format/pattern constraints
- **Data Exposure**: Verifies response schemas limit returned properties
- **Security Misconfiguration**: Checks authentication schemes, transport security, CORS settings
- **Mass Assignment**: Validates that request bodies use explicit property allowlists
## References
- 42Crunch API Security Platform: https://42crunch.com/api-security-platform/
- 42Crunch Documentation: https://docs.42crunch.com/
- Microsoft Defender for Cloud 42Crunch Integration: https://learn.microsoft.com/en-us/azure/defender-for-cloud/onboarding-guide-42crunch
- OWASP API Security Top 10 2023: https://owasp.org/API-Security/editions/2023/en/0x00-header/
- Jenkins Plugin for 42Crunch: https://plugins.jenkins.io/42crunch-security-audit/Related Skills
triaging-security-incident
Performs initial triage of security incidents to determine severity, scope, and required response actions using the NIST SP 800-61r3 and SANS PICERL frameworks. Classifies incidents by type, assigns priority based on business impact, and routes to appropriate response teams. Activates for requests involving incident triage, security alert classification, severity assessment, incident prioritization, or initial incident analysis.
triaging-security-incident-with-ir-playbook
Classify and prioritize security incidents using structured IR playbooks to determine severity, assign response teams, and initiate appropriate response procedures.
triaging-security-alerts-in-splunk
Triages security alerts in Splunk Enterprise Security by classifying severity, investigating notable events, correlating related telemetry, and making escalation or closure decisions using SPL queries and the Incident Review dashboard. Use when SOC analysts face queued alerts from correlation searches, need to prioritize investigation order, or must document triage decisions for handoff to Tier 2/3 analysts.
testing-websocket-api-security
Tests WebSocket API implementations for security vulnerabilities including missing authentication on WebSocket upgrade, Cross-Site WebSocket Hijacking (CSWSH), injection attacks through WebSocket messages, insufficient input validation, denial-of-service via message flooding, and information leakage through WebSocket frames. The tester intercepts WebSocket handshakes and messages using Burp Suite, crafts malicious payloads, and tests for authorization bypass on WebSocket channels. Activates for requests involving WebSocket security testing, WS penetration testing, CSWSH attack, or real-time API security assessment.
testing-ransomware-recovery-procedures
Test and validate ransomware recovery procedures including backup restore operations, RTO/RPO target verification, recovery sequencing, and clean restore validation to ensure organizational resilience against destructive ransomware attacks.
testing-oauth2-implementation-flaws
Tests OAuth 2.0 and OpenID Connect implementations for security flaws including authorization code interception, redirect URI manipulation, CSRF in OAuth flows, token leakage, scope escalation, and PKCE bypass. The tester evaluates the authorization server, client application, and token handling for common misconfigurations that enable account takeover or unauthorized access. Activates for requests involving OAuth security testing, OIDC vulnerability assessment, OAuth2 redirect bypass, or authorization code flow testing.
testing-mobile-api-authentication
Tests authentication and authorization mechanisms in mobile application APIs to identify broken authentication, insecure token management, session fixation, privilege escalation, and IDOR vulnerabilities. Use when performing API security assessments against mobile app backends, testing JWT implementations, evaluating OAuth flows, or assessing session management. Activates for requests involving mobile API auth testing, token security assessment, OAuth mobile flow testing, or API authorization bypass.
testing-jwt-token-security
Assessing JSON Web Token implementations for cryptographic weaknesses, algorithm confusion attacks, and authorization bypass vulnerabilities during security engagements.
testing-for-xxe-injection-vulnerabilities
Discovering and exploiting XML External Entity injection vulnerabilities to read server files, perform SSRF, and exfiltrate data during authorized penetration tests.
testing-for-xss-vulnerabilities
Tests web applications for Cross-Site Scripting (XSS) vulnerabilities by injecting JavaScript payloads into reflected, stored, and DOM-based contexts to demonstrate client-side code execution, session hijacking, and user impersonation. The tester identifies all injection points and output contexts, crafts context-appropriate payloads, and bypasses sanitization and CSP protections. Activates for requests involving XSS testing, cross-site scripting assessment, client-side injection testing, or JavaScript injection vulnerability testing.
testing-for-xss-vulnerabilities-with-burpsuite
Identifying and validating cross-site scripting vulnerabilities using Burp Suite's scanner, intruder, and repeater tools during authorized security assessments.
testing-for-xml-injection-vulnerabilities
Test web applications for XML injection vulnerabilities including XXE, XPath injection, and XML entity attacks to identify data exposure and server-side request forgery risks.