munshig

Runtime API security that catches vulnerabilities as they happen. Zero-config security proxy for developers.

Source: npm
Version: 0.1.6 (latest)
Maintainers: 1

🛡️ munshig

Runtime API security that catches vulnerabilities as they happen.

munshig is a zero-config security proxy that monitors your API during development and automatically detects critical vulnerabilities like broken access control, missing authentication, SQL injection, and PII leaks—before they reach production.

npx munshig
# That's it. Your API is now being monitored for security issues.

🔥 The Problem

APIs get hacked because developers miss authorization checks.

This exact bug has caused:

  • Facebook: 50 million accounts exposed (2018)
  • T-Mobile: 37 million customer records leaked (2023)
  • Optus (Australia): 10 million customers exposed (2022)
  • Peloton: All user data accessible (2021)

Traditional security tools:

  • ❌ Cost $500k/year (Salt Security, Traceable AI)
  • ❌ Take 6 months to deploy
  • ❌ Require security teams to operate
  • ❌ Miss logic bugs (static analysis can't catch runtime issues)

munshig is different:

  • ✅ Free and open source
  • ✅ Works in 30 seconds
  • ✅ Catches bugs during development
  • ✅ No configuration required

⚡ Quick Start

# Start munshig (runs on port 3001 by default)
npx munshig

# Point your app/tests to localhost:3001 instead of localhost:3000
# munshig will forward traffic and monitor for vulnerabilities

That's it. munshig will now catch security bugs in real time.

🎯 What It Catches

1. Broken Access Control (BOLA) 🔴 CRITICAL

The #1 API vulnerability (OWASP A01:2021)

// Your API code (vulnerable):
app.get('/api/users/:id', (req, res) => {
  const user = db.getUser(req.params.id);
  res.json(user);  // ❌ No authorization check!
});

// User 456 requests /api/users/123
// API returns User 123's data

munshig catches this:

🔴 ══════════════════════════════════════════════════════════════
   ⚠️  CRITICAL SECURITY VULNERABILITY DETECTED
════════════════════════════════════════════════════════════════

   SEVERITY: CRITICAL (CVSS: 8.2)
   TYPE: BROKEN_ACCESS_CONTROL (BOLA)

   🚨 User 456 accessed resource 123

   📍 Endpoint: GET /api/users/123
   👤 Authenticated User: 456
   🎯 Accessed Resource: 123

   🔴 Impact: Users can access other users' private data
   📋 OWASP: A01:2021 - Broken Access Control

   🔧 HOW TO FIX:
   app.get('/api/users/:id', async (req, res) => {
     const currentUserId = req.user.id;
     const requestedId = req.params.id;
     
     // req.params.id is always a string, so compare both ids as strings
     if (String(currentUserId) !== requestedId) {
       return res.status(403).json({ error: 'Forbidden' });
     }
     
     const user = await db.getUser(requestedId);
     res.json(user);
   });

2. Missing Authentication 🟡 HIGH

Catches endpoints that should require authentication but don't.

🚨 ══════════════════════════════════════════════════════════════
   SEVERITY: HIGH
   TYPE: MISSING_AUTHENTICATION

   GET /api/admin/settings returned 200 without authentication

   💡 RECOMMENDATION:
   Add authentication middleware to verify user identity

3. SQL Injection 🔴 CRITICAL

Detects SQL injection attempts in query parameters.

⚠️ ══════════════════════════════════════════════════════════════
   SECURITY THREAT DETECTED
   
   SEVERITY: CRITICAL
   TYPE: INJECTION_ATTACK (SQL_INJECTION)

   SQL Boolean Injection detected in GET /api/users?id=' OR '1'='1

   🔧 HOW TO FIX:
   // ❌ BAD:
   const query = `SELECT * FROM users WHERE id = '${userId}'`;

   // ✅ GOOD:
   const query = 'SELECT * FROM users WHERE id = ?';
   db.execute(query, [userId]);

4. PII Exposure 🟡 HIGH

Detects sensitive data (SSN, credit cards, emails) in API responses.

🔒 ══════════════════════════════════════════════════════════════
   DATA PRIVACY VIOLATION DETECTED
   
   SEVERITY: HIGH
   TYPE: DATA_EXPOSURE (PII_LEAK)

   API response contains sensitive PII: SSN, Email

   📝 PII TYPES DETECTED:
      • SSN (e.g., 123-45-6789)
      • Email (e.g., user@example.com)

   🔧 HOW TO FIX:
   // Redact sensitive fields
   res.json({
     id: user.id,
     name: user.name,
     email: user.email.replace(/(.{2})(.*)(@.*)/, '$1***$3'),
     ssn: '***-**-' + user.ssn.slice(-4)
   });
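The detection side of this section, as an added example that is not part of munshig's own code: a scanner that walks a parsed JSON response body and reports the JSON path of every field holding an SSN, e-mail address or card number. The patterns, the `$`-rooted path notation and the sample body are my assumptions; card candidates must also pass the Luhn check so that 16-digit values that are not cards do not trigger an alert.

```javascript
const PII_PATTERNS = {
  SSN: /\b\d{3}-\d{2}-\d{4}\b/,
  Email: /\b[\w.+-]+@[\w-]+\.[\w.-]+\b/,
  CreditCard: /\b(?:\d[ -]?){13,19}\b/, // candidate only; confirmed by Luhn below
};

// Luhn checksum over a digit string: true for a syntactically valid card number.
function luhnValid(digits) {
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

// Walk a parsed JSON body; return [{ path, type }] for every field holding PII.
function findPii(value, path = '$', hits = []) {
  if (value !== null && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) findPii(v, `${path}.${k}`, hits);
    return hits;
  }
  if (typeof value !== 'string' && typeof value !== 'number') return hits;
  const text = String(value);
  for (const [type, re] of Object.entries(PII_PATTERNS)) {
    const m = text.match(re);
    if (!m) continue;
    // A 13-19 digit run is only a card number if the Luhn check passes, so
    // order ids and timestamps of the same length do not raise a false alarm.
    if (type === 'CreditCard' && !luhnValid(m[0].replace(/[ -]/g, ''))) continue;
    hits.push({ path, type });
  }
  return hits;
}

// Constructed sample body, as the proxy would see it in the response to GET /api/users/123.
const sampleResponse = {
  id: 123,
  name: 'Ada',
  email: 'ada@example.com',
  ssn: '123-45-6789',
  orderId: '1234567890123456',             // 16 digits, fails Luhn: not reported
  billing: { card: '4111 1111 1111 1111' }, // passes Luhn: reported at $.billing.card
};
console.log(findPii(sampleResponse)); // [$.email Email, $.ssn SSN, $.billing.card CreditCard]
```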

🎬 Demo

# Terminal 1: Start your API
npm run dev  # Your API runs on :3000

# Terminal 2: Start munshig
npx munshig

# Terminal 3: Make requests
curl http://localhost:3001/api/users/123

munshig output:

🛡️  Munshig proxy running on :3001
📡 Forwarding to :3000
⚡ Started at 2:30:45 PM

[14:30:50] ➡️  GET /api/users/123
[14:30:50] ⬅️  GET /api/users/123 → 200

🔴 ══════════════════════════════════════════════════════════════
   ⚠️  CRITICAL SECURITY VULNERABILITY DETECTED

   User 456 accessed resource 123
   
   This is a Broken Access Control bug (OWASP #1)
   
   [Full details and fix provided...]
════════════════════════════════════════════════════════════════

📊 Session Summary

Press Ctrl+C to stop munshig and see a summary:

📊 MUNSHIG SESSION SUMMARY
════════════════════════════════════════════════════════════════

   🔍 Total Requests: 47
   🚨 Issues Found: 3
   📍 Endpoints Discovered: 12

   ⚠️  3 security vulnerabilities detected!
   Review the alerts above and fix before deploying.

════════════════════════════════════════════════════════════════

📦 Installation

npx munshig

Global install

npm install -g munshig
munshig

Local development

git clone https://github.com/shaikhzaynsaif/munshig.git
cd munshig
npm install
npm start

🔧 Configuration

munshig works with zero configuration, but you can customize:

# Default behavior (proxy on :3001, forwards to :3000)
npx munshig

# Custom ports (coming soon)
npx munshig --port 3000 --proxy 8080

🏗️ How It Works

  • Proxy Setup: munshig starts an HTTP proxy on port 3001
  • Traffic Interception: All requests/responses are captured
  • JWT Analysis: Extracts user IDs from Authorization headers
  • Pattern Detection: Runs security detectors on each request
  • Real-time Alerts: Shows vulnerabilities with actionable fixes

No code changes required. Just point your client to the proxy.
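The JWT-analysis and pattern-detection steps above, as an added example that is not munshig's own code: decode the user id from the Authorization header (no signature check, since an observing proxy has no key) and run the BOLA and missing-authentication detectors the README describes over constructed request/response records. Assumptions: the user id is the JWT `sub` claim, user resources live under /api/users/:id, and /api/admin/* is expected to require a credential.

```javascript
// Decode a JWT payload WITHOUT verifying the signature. An observing proxy has
// no key, so the decoded id is used for detection only, never for authorization.
function decodeJwtSub(authHeader) {
  if (!authHeader || !authHeader.startsWith('Bearer ')) return null;
  const parts = authHeader.slice(7).split('.');
  if (parts.length !== 3) return null; // malformed token
  try {
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/'); // base64url -> base64
    const payload = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
    return payload.sub == null ? null : String(payload.sub); // assumed claim: `sub`
  } catch {
    return null; // payload is not valid base64/JSON
  }
}

const is2xx = (status) => status >= 200 && status < 300;

// Inspect one request/response pair; return an alert object or null.
function detect({ method, path, headers, status }) {
  const userId = decodeJwtSub(headers.authorization);
  const endpoint = `${method} ${path}`;
  const m = path.match(/^\/api\/users\/([^/?]+)/); // assumed route shape

  // Missing authentication: a protected-looking endpoint answered 2xx with no credential.
  if (!userId && is2xx(status) && /^\/api\/(users|admin)\b/.test(path)) {
    return { type: 'MISSING_AUTHENTICATION', severity: 'HIGH', endpoint };
  }
  // BOLA: user A successfully read /api/users/B. Compared as strings, because
  // path parameters are strings while JWT claims may be numbers.
  if (userId && m && m[1] !== userId && is2xx(status)) {
    return { type: 'BROKEN_ACCESS_CONTROL', severity: 'CRITICAL', endpoint, user: userId, resource: m[1] };
  }
  return null;
}

// Constructed sample traffic. The token carries a placeholder signature ("sig"):
// a decode-only proxy accepts it, which is why detection must not trust it for authz.
function makeToken(sub) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
  return `Bearer ${enc({ alg: 'HS256', typ: 'JWT' })}.${enc({ sub })}.sig`;
}
const sampleTraffic = [
  { method: 'GET', path: '/api/users/123', headers: { authorization: makeToken(456) }, status: 200 },
  { method: 'GET', path: '/api/users/456', headers: { authorization: makeToken(456) }, status: 200 },
  { method: 'GET', path: '/api/admin/settings', headers: {}, status: 200 },
  { method: 'GET', path: '/api/users/123', headers: { authorization: makeToken(456) }, status: 403 },
];
const alerts = sampleTraffic.map(detect);
console.log(alerts.filter(Boolean)); // two alerts: BOLA on row 1, missing auth on row 3
```

Note that a 403 on the cross-user request (last row) produces no alert: the detector only fires when the server actually served the other user's resource.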

🆚 Comparison

Feature          | munshig      | Salt Security | Snyk           | Manual Audits
-----------------|--------------|---------------|----------------|--------------
Price            | Free         | $500k/year    | $99/mo         | $10k+
Setup Time       | 30 seconds   | 6 months      | 1 day          | Weeks
BOLA Detection   | ✅ Automatic | ✅ Yes        | ❌ No          | ✅ Manual
Runtime Analysis | ✅ Yes       | ✅ Yes        | ❌ Static only | ❌ One-time
For Developers   | ✅ Yes       | ❌ Enterprise | ⚠️ Partial     | ❌ Post-dev
Open Source      | ✅ Yes       | ❌ No         | ❌ No          | N/A

🎯 Who Is This For?

  • Solo developers building APIs
  • Startup engineering teams (pre-Series A)
  • Open source maintainers securing their projects
  • Security researchers testing APIs
  • Students learning API security

🛠️ Tech Stack

  • Node.js - Runtime
  • Express - HTTP handling
  • http-proxy - Traffic forwarding
  • JWT decoding - User identification

No dependency bloat: just 2 core dependencies.

🚀 Roadmap

  • BOLA/IDOR detection
  • Missing authentication detection
  • SQL injection detection
  • PII leak detection
  • CI/CD integration (GitHub Actions)
  • Web dashboard
  • Custom detection rules
  • VSCode extension
  • Production monitoring mode

🤝 Contributing

Contributions welcome! Please read CONTRIBUTING.md first.

Areas we'd love help with:

  • Additional security detectors
  • Framework-specific integrations
  • Documentation improvements
  • Bug reports and feature requests

📄 License

MIT License - see LICENSE

🙏 Acknowledgments

Inspired by:

  • OWASP API Security Top 10
  • Salt Security, Traceable AI (the $500k tools we're democratizing)
  • Every developer who's shipped a BOLA bug to production (we've all been there)

📞 Support

⭐ Star History

If munshig saved you from a security bug, please star the repo! ⭐

Built with ❤️ by developers, for developers.

Stop shipping BOLA bugs. Start using munshig.

npx munshig

Keywords: api

Package last updated on 12 Oct 2025
